Key Points
- Windows GUI: Open compmgmt.msc → Local Users and Groups → Groups → Remote Desktop Users to add or remove users via the GUI.
- PowerShell
- Add: Add-LocalGroupMember -Group “Remote Desktop Users” -Member <User>
- Remove: Remove-LocalGroupMember -Group “Remote Desktop Users” -Member <User>
- Command Prompt
- Add: net localgroup “Remote Desktop Users” <User> /add
- Remove: net localgroup “Remote Desktop Users” <User> /delete
Adding or removing remote desktop users allows IT teams to control who can access systems remotely. However, Remote Desktop can pose security concerns due to security vulnerabilities, so properly managing Remote Desktop Users in Windows effectively allows technicians to provide more secure remote support.
This blog will guide you through the essentials of enabling Remote Desktop Users on Windows and go in-depth on adding or removing users in this group. You can also watch the video “How to Configure Remote Desktop Users in Windows” for a visual walkthrough.
Prerequisite to manage Remote Desktop Users in Windows
Before you can edit user groups, you will need the following:
- You must have administrative permissions.
- Remote Desktop also needs to be enabled on the devices to allow remote desktop connections.
- Lastly, make sure that the version of Windows you’re working with is compatible with Remote Desktop Users Groups.
- Note that while Windows 7/8/10/11 Home editions don’t support incoming Remote Desktop connections (RDP host functionality), they can initiate outgoing RDP sessions.
Seamlessly manage user access and remotely control devices from the same dashboard with NinjaOne.
How to add or remove a user in the Remote Desktop Users Group
Method 1: Windows GUI
1. Press Win + R and enter “compmgmt.msc” to open Computer Management.
2. Expand Local Users and Groups and then click Groups.
3. Double-click the Remote Desktop Users group in the right panel.
4. Configure user/s in the Remote Desktop Users group:
- To add: Select “Add…” and then type in the usernames you want to add. Alternatively, you can go to Advanced > Find Now to browse available accounts.
- To remove: Highlight user/s and click Remove.
5. Click OK to apply changes.
Method 2: PowerShell
- Open PowerShell with administrator privileges.
- Enter one of the following scripts and replace “User” with the username you want to add or remove:
- To add user: Add-LocalGroupMember -Group “Remote Desktop Users” -Member <User>
- To remove user: Remove-LocalGroupMember -Group “Remote Desktop Users” -Member <User>
- Verify if the user has been added or deleted by inputting this into PowerShell:
Get-LocalGroupMember -Group “Remote Desktop Users”
Method 3: Command Prompt
- Open Command Prompt with administrative privileges.
- Enter one of these codes to add or remove a user to the Remote Desktop Users group. Make sure to replace <User> with the username you wish to add or remove:
- To add: net localgroup “Remote Desktop Users” <User> /add
- To remove: net localgroup “Remote Desktop Users” <User> /delete
- Press Enter.
What is the Remote Desktop Users group?
The Remote Desktop Users group is a user group for Windows devices. It is designed to control who can remotely access endpoint devices via Remote Desktop Protocol (RDP). Members of this group are given specific permissions to establish remote sessions with a device while still restricting access to core system functions.
Permissions granted to Remote Desktop Users group members
Being part of a Remote Desktop Users group grants the members certain permissions, which include the following by default:
- the ability to log in to the system remotely,
- access to user profiles and home directories, and
- clearance to run applications on the system.
Additionally, it’s important to note that while uUsers can log in to remote systems without full administrative privileges, the group does n’ot allow them to modify critical system configurations unless their individual accounts have administrator-level privileges.
Security issues caused by improper Remote Desktop User group management
Unsecure or weak credentials
RDP remote logins require passwords set by the end-user, which unfortunately may be lacking in terms of password strength. In this case, weak login credentials make devices more susceptible to brute force attacks.
Data breaches
Hackers can exploit compromised or poorly managed Remote Desktop connections to gain unauthorized access to devices. This often leads to a data breach, which can compromise, delete, or expose sensitive files.
Unrestricted port access
RDP connections typically occur at the host device’s TCP port 3389; hackers often target this port and gain unauthorized access through it.
Troubleshooting Windows Remote Desktop Users group errors
“User Still Unable to Connect” message
Make sure that Remote Desktop is enabled on the host machine. You can do this by navigating to Settings > Remote Desktop. Accounts could also lack the required permissions due to local security policies.
Firewall blocking RDP
Ensure that firewalls on the host or network allow inbound traffic on TCP port 3389.
Errors caused by Group Policy conflicts
Generate a policy report to check if any domain or local group policies conflict with your RDP access settings. Click Win + R and then run the command “gpresult /h report.html” to get a report of all your policies.
IP address problems
Check if the remote machine has a static or dynamic IP. You can use “ipconfig /all” via Windows Command Prompt.
Best practices for Remote Desktop access management
Limit RDP access
Follow the principle of least privilege (PoLP) to prevent any unauthorized RDP access. The fewer the users with RDP access, the smaller the attack surface.
Implement 2FA for security
Two-factor authentication (2FA) strengthens remote access security by adding an extra layer of protection.
Consistently update user access permissions
Regularly audit the Remote Desktop Users group so that you can remove accounts that no longer require access.
Not sure what IPConfig is? We’ve got you — hit Play!
Minimize RDP’s risks and potential attack vectors with NinjaOne Remote.
Easily and quickly manage Remote Desktop Users on Windows
Proactively configuring Remote Desktop Users minimizes the chance of a cyberattack, while also providing technicians with a simpler remote access user experience. Regularly check your Remote Desktop Users group membership to confirm that no unauthorized users have been added.
NinjaOne consolidates Windows endpoint management with remote access software into a single pane of glass, making it more efficient for IT teams and managed service providers (MSPs) to manage at scale. To give IT teams more flexibility, NinjaOne also offers seamless integration with industry-leading remote control tools.
Reduce your tech stack while increasing the visibility and control of your devices with NinjaOne. Get started with a free trial today.
Quick-Start Guide
NinjaOne provides several ways to manage Remote Desktop Users in Windows:
1. Scripted Management:
– There’s a script called “Modify Users Group Membership” that allows you to add or remove a user to a group in Active Directory or the local computer.
– Another script called “Create New Local User” can create a local user account and add it to the local admin group.
2. Remote Tools:
– NinjaOne offers Remote Tools that allow you to manage users and access devices without direct physical access.
– The Remote Registry tool can be used to modify user settings, though it has some limitations when running as a system-level account.
3. Active Directory Management:
– For domain-joined computers, NinjaOne supports Active Directory user management directly within the app.
– You can manage users, add/remove users from groups, and modify user permissions.
While these tools provide flexibility, the exact method for adding or removing Remote Desktop users might require a specific script or manual configuration. I recommend consulting with your NinjaOne administrator or support team for the most precise method tailored to your specific environment.
