Managing remote desktop access is crucial for maintaining a secure network environment. This tutorial provides a step-by-step guide on how to remove domain users from the local Remote Desktop Users group on domain-joined machines using a Group Policy Preferences item in Windows Server 2019 or Windows Server 2022. By following these instructions, you’ll enforce consistent access control across every machine the policy targets, rather than relying on per-machine manual changes.

Before starting, ensure you have administrative privileges on the domain controller and access to the Group Policy Management Console. The guide assumes familiarity with Windows Server environments and Group Policy management.

Step 1: Verify Current Remote Desktop Group Membership

Begin by checking which domain users are currently members of the Remote Desktop Users group. This group is local to each machine, so the check below shows membership only for the machine you run it on:

  • Open the Computer Management console on a client machine.
  • Navigate to Local Users and Groups under System Tools.
  • Click on Groups, and then double-click Remote Desktop Users.
  • Review the list of users; make note of any domain users you wish to remove, such as test1.

Step 2: Open Group Policy Management Console

Next, you will create a new Group Policy Object (GPO) to automate the removal of domain users from the Remote Desktop Users group:

  • Log in to your domain controller.
  • Open the Server Manager.
  • From the Tools menu, select Group Policy Management.

Step 3: Create a New GPO

In the Group Policy Management Console, perform the following to create a new GPO:

  • Right-click on the organizational unit (OU) where you want to apply the policy.
  • Select Create a GPO in this domain, and Link it here.
  • Enter a descriptive name for the GPO, such as “Remove Domain Users from RDP”, and click OK.

Step 4: Edit the GPO to Configure Local Users and Groups

Now, you will configure the GPO to remove specified users from the Remote Desktop Users group:

  • Right-click the newly created GPO and select Edit.
  • In the Group Policy Management Editor, navigate to:
  • Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups

  • Right-click on Local Users and Groups, select New, then choose Local Group.

Step 5: Configure the Local Group Properties

In the Local Group Properties window, set up the removal action:

  • Select the Update option for the Action.
  • In the Group Name dropdown, select Remote Desktop Users.
  • In the Members section, click the Add button.
  • Browse for the user you want to remove (e.g., test1), select them, and then choose the Remove from this group action.
  • Click OK, then Apply to save your changes.

Step 6: Update the Group Policy on Client Machines

To enforce the new policy, you need to update the Group Policy settings on the client machine:

  • Open a command prompt on the client machine.
  • Run the command: gpupdate /force and wait for the update to complete.

Step 7: Verify Changes

Finally, verify that the user has been successfully removed from the Remote Desktop Users group:

  • Open the Computer Management console again.
  • Navigate to Local Users and Groups > Groups > Remote Desktop Users.
  • Check to ensure that the user test1 is no longer listed.
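The whole procedure, scripted as an added example that is not part of the original tutorial: it records Remote Desktop Users membership on the target clients (Step 1), creates and links the GPO if it does not already exist (Step 3), forces a computer-side policy refresh (Step 6), and then confirms the user is gone (Step 7). The Local Users and Groups preference item itself (Steps 4 and 5) has no GroupPolicy-module cmdlet, so it must still be configured in the Group Policy Management Editor. The domain CORP, the OU distinguished name, the client names PC01/PC02 and the user test1 are assumptions for illustration.

```powershell
# Added example, not from the original tutorial. Run from a domain controller or a
# management host with RSAT (GroupPolicy module) and WinRM access to the clients.
#Requires -Modules GroupPolicy
param(
    [string[]]$ComputerName = @('PC01', 'PC02'),             # assumed client names
    [string]$TargetUser     = 'CORP\test1',                  # assumed domain user to remove
    [string]$GpoName        = 'Remove Domain Users from RDP',
    [string]$OuPath         = 'OU=Workstations,DC=corp,DC=local'  # assumed OU DN
)

# Steps 1 and 7: list members of the local Remote Desktop Users group on each client.
# Get-LocalGroupMember returns domain accounts as DOMAIN\user, which is what we compare against.
function Get-RdpGroupMembers {
    param([string[]]$Computers)
    Invoke-Command -ComputerName $Computers -ScriptBlock {
        Get-LocalGroupMember -Group 'Remote Desktop Users' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, PrincipalSource
    }
}

Write-Host '== Remote Desktop Users membership before the policy =='
Get-RdpGroupMembers -Computers $ComputerName | Format-Table -AutoSize

# Step 3: create the GPO and link it to the OU. Both checks make the script safe to re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment "Removes $TargetUser from local Remote Desktop Users" | Out-Null
}
$alreadyLinked = (Get-GPInheritance -Target $OuPath).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes | Out-Null
}

# Steps 4 and 5 (Computer Configuration > Preferences > Control Panel Settings >
# Local Users and Groups > New Local Group, Action = Update, Group = Remote Desktop Users,
# member $TargetUser with "Remove from this group") are done in the GPMC editor;
# there is no GroupPolicy-module cmdlet for Group Policy Preference items.
Read-Host "Configure the Local Users and Groups item in '$GpoName', then press Enter to refresh clients"

# Step 6: force a computer-side refresh on each client (Invoke-GPUpdate accepts one computer at a time
# and requires the "Remote Scheduled Tasks Management" firewall rules on the client).
foreach ($computer in $ComputerName) {
    Invoke-GPUpdate -Computer $computer -Target Computer -Force -RandomDelayInMinutes 0
}
Start-Sleep -Seconds 30   # give the clients a moment to apply the preference item

# Step 7: confirm the user is no longer a member anywhere in scope.
Write-Host '== Remote Desktop Users membership after the policy =='
$after = Get-RdpGroupMembers -Computers $ComputerName
$after | Format-Table -AutoSize

$stillPresent = $after | Where-Object { $_.Name -eq $TargetUser }
if ($stillPresent) {
    Write-Warning "$TargetUser is still in Remote Desktop Users on: $($stillPresent.Computer -join ', ')"
} else {
    Write-Host "OK: $TargetUser is not a member of Remote Desktop Users on any target machine."
}
```

If the warning fires on some machines, run gpresult /r on that client to confirm the GPO appears under Applied Group Policy Objects for the computer; a missing entry usually means the machine is outside the linked OU or the refresh could not reach it.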

Extra Tips & Common Issues

When managing Group Policies, keep the following in mind:

  • You need the necessary permissions (for example, membership in Group Policy Creator Owners or Domain Admins) to create and link the GPO.
  • Check that the GPO is linked to the OU that actually contains the client computer objects; a GPO linked to a user OU will not apply Computer Configuration preferences.
  • Test the GPO on a small group of machines before applying it to the entire domain.
  • The Update action with “Remove from this group” removes only the members you list, so a user can be added back locally and will stay until the next refresh. To enforce a fixed membership instead, tick “Delete all member users” and “Delete all member groups” in the same item and list only the members you want to keep.
  • Removing a user from Remote Desktop Users does not block RDP if the account is granted access another way, for example through membership in the local Administrators group or a direct entry in the “Allow log on through Remote Desktop Services” user right. Check those as well when the goal is to revoke remote access.

Conclusion

By following these steps, you have created a Group Policy Object that removes specified domain users from the local Remote Desktop Users group on every machine in the linked OU. This reduces the chance of unauthorized remote access, provided the users are not granted RDP access through another group or user right. For further guidance, consider exploring additional Group Policy management tutorials.

Frequently Asked Questions

What should I do if the policy doesn’t apply?

Ensure that the GPO is linked to the OU containing the client computer object and that the client can reach a domain controller. Run gpresult /r on the client to confirm the GPO is listed under Applied Group Policy Objects for the computer; if it is not, check the link, any security filtering on the GPO, and whether the client is blocked from the domain controller. You may need to restart the client machine or force a policy update with gpupdate /force.

Can I add users back easily after removal?

Yes, you can create a similar GPO to add users back or manually add them to the Remote Desktop Users group through the Computer Management console.

Is this method effective for large organizations?

Yes. A single Group Policy Preferences item applies the same change to every machine in the linked scope, and item-level targeting on the preference item lets you restrict it to particular computers or security groups without creating separate GPOs, which keeps administration manageable as the number of machines grows.