Tuesday 12 November 2013

Enable Remote Desktop remotely via Group Policy


Enable remote management capabilities on Windows  clients within an Active Directory domain environment using Group Policy.
Which capabilities?
  1. Be able to PING clients
  2. Be able to connect to clients via Remote Desktop
  3. Be able to connect to clients via Computer Management
  4. Be able to connect to clients through Event Viewer, RegEdit, etc.
 If you need increased security, you can configure additional options via Group Policy settings to suit your needs.

Computer Configuration \ Policies \ Administrative Templates
Network \ Network Connections \ Windows Firewall \ Domain Profile
  • Allow ICMP Exceptions:
    • ENABLED - Allow inbound echo request
  • Allow Inbound remote administration:
    • ENABLED: Enter asterisk (*) in IPv4 address box
  • Allow inbound Remote Desktop:
    • ENABLED: Enter asterisk (*) in IPv4 address box
Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Connections:
  • Allow users to connect remotely using Remote Desktop services
    • ENABLED
Windows Components \ Windows Remote Management (WinRM) \ WinRM Service:
  • Allow automatic configuration of listeners
    • ENABLED: Enter asterisk (*) in IPv4 address box
If you need a nudge in the right direction for how to add these settings:
  1. Open Group Policy Management (aka “GPMC”)
  2. Expand Forest: <name> / Domains / <your-domain> / Group Policy Objects
  3. Right-click and select “New”
  4. Enter a name for the GPO (e.g. “Remote Management”) and click OK
  5. Right-click on the new GPO and select “Edit”
  6. Follow the guideline above to locate and enable the settings
  7. Right-click on the very top of the tree-view panel on the name of the GPO and select “Properties”
  8. Check the box “Disable User Configuration settings”
  9. Click “Yes” to accept the warning.
  10. Close the Group Policy Management Editor
  11. Right-click on the desired computer OU in the GPMC and select “Link an existing GPO” and select your new GPO.
  12. That’s it.
You can then either wait for the regular GPO refresh cycle to run (about 90 minutes on average, sometimes less) or go to a client and open a CMD console (remember to right-click and choose “Run as Administrator”) and at the command prompt, enter “GPUPDATE /FORCE” and press Enter.  You should be able to connect to that client from another client on your domain immediately after that.  If you still cannot, double-check your GPO settings and double-check where you linked the GPO (which OU) related to the computer account within AD.  You can (and should) use GPRESULT on the remote client to diagnose GPO issues.

Ref1
Ref2
Posted by at No comments:
Subscribe to: Posts (Atom)