GPO Remote Desktop - SomethingGeneric/sparkle.local GitHub Wiki

Configuring the Remote Desktop GPO for W01 and W02

Prerequisite: Make sure that you have configured the necessary OUs in ADUC so that the GPO settings can be applied to the target systems (place all computers you want to manage into one OU, e.g. W01 and W02 are placed in an OU named "Computers").

  • In order to configure Remote Desktop on W01 and W02, first open Server Manager > Tools and select Group Policy Management.
  • In Group Policy Management, I then created a new GPO called "WKS Remote Desktop" under the "Computers" OU, which contains the workstation computers I wanted the GPO to apply to.
  • From here, I configured the security filtering to apply to the necessary groups, users, and computers.

[Screenshot: Group Policy Management showing the new Remote Desktop GPO created under the Computers OU]

Enabling Users to Connect Remotely Using RDP

One GPO setting that I configured in order to get RDP working between W01 and W02 was to enable the setting "Allow users to connect remotely by using Remote Desktop Services". This enables users to remotely connect to the workstations covered by the GPO. When editing the GPO, this setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
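The same GPO creation, OU link, security filtering and "Allow users to connect remotely" setting can be scripted with the GroupPolicy module from a domain controller or a management host with RSAT installed. The block below is an added example and not code from the wiki; it assumes the "Computers" OU has the distinguished name OU=Computers,DC=sparkle,DC=local and that scoping the GPO to the Domain Computers group (within the linked OU) is acceptable for the lab. Everything else on this page (user rights, firewall rules, Restricted Groups) is configured separately.

```powershell
# Added example (not from the wiki): build the "WKS Remote Desktop" GPO with PowerShell.
# Assumptions: domain sparkle.local, OU "OU=Computers,DC=sparkle,DC=local" holds W01 and W02.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'WKS Remote Desktop'
$OuPath  = 'OU=Computers,DC=sparkle,DC=local'   # assumed DN of the "Computers" OU

# 1. Create the GPO if it does not exist yet, then link it to the OU that holds the workstations.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Allows RDP between lab workstations'
}
$alreadyLinked = (Get-GPInheritance -Target $OuPath).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes | Out-Null
}

# 2. Security filtering: computer accounts in the OU get "Apply", not every authenticated user.
#    Authenticated Users keeps Read: since MS16-072 a computer needs read access to the GPO
#    to process it even when the policy is applied to its own account.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. "Allow users to connect remotely by using Remote Desktop Services" is this policy value.
#    0 = connections allowed (the Administrative Template sets fDenyTSConnections to 0 when Enabled).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null

# Show what ended up in the GPO.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
```

Run `gpupdate /force` on W01 and W02 afterwards (or wait for the next refresh) and confirm the link with `Get-GPInheritance -Target 'OU=Computers,DC=sparkle,DC=local'`. A dedicated group containing only the W01$ and W02$ accounts is a tighter filter than Domain Computers if the OU ever grows beyond the two workstations.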

[Screenshots: enabling "Allow users to connect remotely by using Remote Desktop Services"]

Configuring Groups that can Login using RDP

Here I configured the AD groups that are allowed to log in using RDP. To do this, I enabled the setting "Allow log on through Remote Desktop Services" and specified the sparkle.local Domain Users group, so that its members can use RDP to log into W01 and W02. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

[Screenshots: enabling the setting "Allow log on through Remote Desktop Services" for the sparkle.local "Domain Users" group]

Configuring GPO Firewall Rules to allow RDP on WKS Systems

Next, I configured and added three new inbound firewall rules for W01 and W02 via the GPO settings to allow Ping (ICMPv4) and port 3389 over both TCP and UDP. Opening port 3389 for TCP and UDP is necessary as this is the port that RDP uses to connect to each system. This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules.

[Screenshot: using the GPO settings to add three new firewall rules for W01 and W02 to allow RDP connections on each system]

Additionally, I modified the properties of both RDP rules (TCP and UDP) to "Allow the connection if it is secure", to only allow connections from the W01 and W02 computers, and lastly to only allow connections from users in the AD Domain Users group.
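The three inbound rules and the computer/user restrictions described in this section can also be written straight into the GPO with the NetSecurity module, which accepts a GPO as its policy store in the form "domain\GPO name". This is an added example, not the wiki's own steps; it assumes the domain sparkle.local, computer accounts W01 and W02, and the group Domain Users. The SDDL format used for the remote-machine and remote-user restrictions (one "(A;;CC;;;SID)" entry per principal) is the format the firewall rule properties expect.

```powershell
# Added example (not from the wiki): create the ICMPv4 and RDP inbound rules inside the GPO.
# Assumptions: domain sparkle.local, GPO "WKS Remote Desktop", computers W01/W02, group "Domain Users".
Import-Module NetSecurity
Import-Module ActiveDirectory

$Store = 'sparkle.local\WKS Remote Desktop'   # GPO policy store: "<domain>\<GPO display name>"

# Build the SDDL string a firewall rule uses for "only allow connections from these computers/users".
function New-RuleSddl {
    param([string[]]$Sids)
    $aces = ($Sids | ForEach-Object { "(A;;CC;;;$_)" }) -join ''
    return "O:LSD:$aces"
}
$workstationSddl = New-RuleSddl -Sids ((Get-ADComputer -Filter 'Name -eq "W01" -or Name -eq "W02"').SID.Value)
$domainUsersSddl = New-RuleSddl -Sids ((Get-ADGroup -Identity 'Domain Users').SID.Value)

# Rule 1: ICMPv4 echo request (type 8) so the workstations answer ping on the domain profile.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'WKS - Allow ICMPv4 Echo' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain | Out-Null

# Rules 2 and 3: RDP on TCP and UDP 3389.
#   -Authentication Required  = "Allow the connection if it is secure"
#   -RemoteMachine / -RemoteUser = the computer and user restrictions from the rule properties.
# Both restrictions depend on the connection being authenticated by IPsec, so a matching
# connection security rule must exist on the hosts or the RDP traffic is dropped.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -PolicyStore $Store -DisplayName "WKS - Allow RDP $proto 3389" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -Action Allow -Profile Domain `
        -Authentication Required -RemoteMachine $workstationSddl -RemoteUser $domainUsersSddl | Out-Null
}

# Review the rules now stored in the GPO.
Get-NetFirewallRule -PolicyStore $Store | Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

The caveat in the comments is the one most often hit with "Allow the connection if it is secure": the rule only matches traffic that IPsec has authenticated, so without a connection security rule (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Connection Security Rules) the port looks closed even though the allow rule is present.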

[Screenshots: configuring additional settings for each RDP firewall rule to restrict user and computer access to RDP]

Adding Domain Users to Local WKS Remote Desktop Users Group

Lastly, I configured the Restricted Groups GPO settings to add the sparkle.local Domain Users group to the local Remote Desktop Users group on W01 and W02. This is especially important as it essentially configures who is allowed to RDP into each workstation (in this case, we're allowing Domain Users to use RDP to log in between W01 and W02). This setting can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

[Screenshots: using the Group Policy Management Editor on Mgmt01 to add the "Domain Users" group to the local "Remote Desktop Users" group on W01 and W02 via GPO]

Testing/Verifying RDP Connection Between W01 + W02

In order to test RDP between W01 and W02, I logged into W01 as the sparkle-adm user who is a member of the Domain Users group. From here, I opened Remote Desktop Connection and entered the information to connect to W02.

[Screenshot: using Remote Desktop Connection to connect to W02 via RDP]

After clicking on Connect, I was then able to successfully connect to W02 using RDP.
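Beyond the interactive test, each of the four controls configured on this page (the RDP policy value, the "Allow log on through Remote Desktop Services" user right, the Restricted Groups membership and the firewall rule) leaves a checkable trace on the workstation. The function below is an added example and not part of the wiki; it assumes it is run as an administrator on W02 after `gpupdate /force`, with W01 as the peer workstation and Domain Users as the group that was granted access.

```powershell
# Added example (not from the wiki): verify on a workstation that the GPO settings actually landed.
# Assumptions: run elevated on W02 (or W01), domain sparkle.local, peer workstation W01.
function Test-RdpPolicy {
    param(
        [string]$Peer      = 'W01',            # workstation that should be reachable over RDP
        [string]$Domain    = 'sparkle.local',
        [string]$GroupName = 'Domain Users'
    )
    $results = [ordered]@{}

    # Resolve the domain group's SID once; both the user right and the local group list SIDs.
    $account = New-Object System.Security.Principal.NTAccount("$Domain\$GroupName")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # 1. Policy value behind "Allow users to connect remotely by using Remote Desktop Services".
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $results['RDP enabled by policy']       = ($pol.fDenyTSConnections -eq 0)

    # 2. User right "Allow log on through Remote Desktop Services" = SeRemoteInteractiveLogonRight.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $results['Group has RDP logon right']   = [bool]($line -and $line.Line -match [regex]::Escape($sid))

    # 3. Restricted Groups result: the domain group must be a member of the local Remote Desktop Users group.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $results['Group in Remote Desktop Users'] = [bool]($members | Where-Object { $_.SID.Value -eq $sid })

    # 4. Firewall: an enabled inbound allow rule for TCP 3389 in the active (merged local + GPO) policy.
    $rdpRules = Get-NetFirewallPortFilter -PolicyStore ActiveStore |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $results['TCP 3389 allowed inbound']    = [bool]$rdpRules

    # 5. Reachability of the peer's RDP listener from this workstation.
    $tnc = Test-NetConnection -ComputerName $Peer -Port 3389 -WarningAction SilentlyContinue
    $results["Port 3389 reachable on $Peer"] = $tnc.TcpTestSucceeded

    return [pscustomobject]$results
}

Test-RdpPolicy | Format-List
```

A False in check 2 or 3 with True elsewhere usually means the GPO has not refreshed yet, or the Restricted Groups entry was written as "Members of this group" instead of "This group is a member of". Check 4 reading True while check 5 is False is the symptom of the "Allow the connection if it is secure" rule without a connection security rule to authenticate the peer.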

[Screenshot: successfully remoting into W02 from W01 using RDP]