
How to Configure Remote Desktop Users in Windows

by Chiara Quiocho, Technical Writer

Key Points

  • Remote Desktop User Group Explained: The Remote Desktop Users group in Windows controls which users can connect via Remote Desktop Protocol (RDP), enabling remote access without full administrative privileges.
  • RDP Requires Admin Setup: To add or remove users from the Remote Desktop Users group, you must have administrative access, and Remote Desktop must be enabled on the target machine.
  • Windows Version Compatibility: Windows Home editions (7/8/10/11) can’t accept incoming RDP connections, though they can initiate them. Use Professional or Enterprise editions to host RDP sessions.
  • Add RDP Users:
    • Via GUI: Use compmgmt.msc > Local Users and Groups > Groups > Remote Desktop Users > Add to manually add users through the Windows interface.
    • Via PowerShell: Run the command Add-LocalGroupMember -Group "Remote Desktop Users" -Member <User> in an elevated PowerShell to grant RDP permissions.
    • Via Command Prompt: Use net localgroup "Remote Desktop Users" <User> /add to add users using CLI, streamlining remote access provisioning.
  • Remove RDP Users:
    • Via GUI: Navigate to the same Remote Desktop Users group in compmgmt.msc and click Remove on selected users to revoke access.
    • Via PowerShell or CMD: Use Remove-LocalGroupMember in PowerShell or net localgroup "Remote Desktop Users" <User> /delete in Command Prompt to efficiently manage access.
  • Troubleshooting Common RDP Errors: Check that RDP is enabled under Settings > Remote Desktop, ensure Windows Firewall allows inbound traffic on TCP port 3389, use gpresult /h report.html to diagnose Group Policy conflicts, and verify the correct IP configuration using ipconfig /all.

Configuring Remote Desktop Users allows IT teams to control who can access systems remotely. However, Remote Desktop can introduce security vulnerabilities, so managing the Remote Desktop Users group properly allows technicians to provide more secure remote support.

This blog will guide you through the essentials of enabling Remote Desktop Users on Windows and go in-depth on adding or removing users in this group. You can also watch the video “How to Configure Remote Desktop Users in Windows” for a visual walkthrough.

The best way to manage Remote Desktop Users in Windows

Before you can edit user groups, you must have administrative permissions. Remote Desktop also needs to be enabled on the devices to allow remote desktop connections. Lastly, make sure that the version of Windows you’re working with is compatible with the Remote Desktop Users group. Note that while Windows 7/8/10/11 Home editions don’t support incoming Remote Desktop connections (RDP host functionality), they can initiate outgoing RDP sessions.


How to add a user to the Remote Desktop Users Group

Using Windows GUI

  1. Press Win + R and enter “compmgmt.msc” to open Computer Management.
  2. Expand Local Users and Groups and then click Groups.
  3. Double-click the Remote Desktop Users group in the right panel.
  4. Select “Add…” and then type in the usernames you want to add. Alternatively, you can go to Advanced > Find Now to browse available accounts.
  5. When you’re done selecting all the users, click OK to confirm the change.

Using PowerShell

  1. If you have Administrator privileges, open an elevated PowerShell.
  2. Enter the command below and replace <User> with the username you want to add:
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member <User>
  3. You can verify that the user was added by entering this into PowerShell:
    Get-LocalGroupMember -Group "Remote Desktop Users"

Using Command Prompt

  1. If you have Administrator privileges, open an elevated Command Prompt.
  2. Enter this command to add a user to the Remote Desktop Users group. Make sure to replace <User> with the username you wish to add:
    net localgroup "Remote Desktop Users" <User> /add
  3. Press Enter.

How to remove a user from the Remote Desktop Users group

Using Windows GUI

  1. Press Win + R and enter “compmgmt.msc” to open Computer Management.
  2. Expand Local Users and Groups and then click Groups.
  3. Double-click the Remote Desktop Users group.
  4. Highlight all the users to remove and then click Remove.
  5. Apply these changes by clicking “OK”.

Using PowerShell

  1. Open PowerShell as an administrator.
  2. Enter the command below and replace <User> with the username you want to remove:
    Remove-LocalGroupMember -Group "Remote Desktop Users" -Member <User>
  3. To check that the user was successfully removed, enter this into PowerShell:
    Get-LocalGroupMember -Group "Remote Desktop Users"

Using Command Prompt

  1. As an administrator, open an elevated Command Prompt.
  2. Enter this, but replace <User> with the username you want to remove:
    net localgroup "Remote Desktop Users" <User> /delete
  3. Press Enter to confirm the user’s removal.

What is the Remote Desktop Users group?

The Remote Desktop Users group is a user group for Windows devices. It is designed to control who can remotely access endpoint devices via Remote Desktop Protocol (RDP). Members of this group are given specific permissions to establish remote sessions with a device while still restricting access to core system functions.

Permissions granted to Remote Desktop Users group members

Being part of the Remote Desktop Users group grants the members certain permissions, including the following by default:

  • the ability to log in to the system remotely,
  • access to user profiles and home directories, and
  • clearance to run applications on the system.

Additionally, it’s important to note that while users can log in to remote systems without full administrative privileges, the group does not allow them to modify critical system configurations unless their individual accounts have administrator-level privileges.

Security issues caused by improper Remote Desktop User group management

Unsecure or weak credentials

RDP remote logins require passwords set by the end-user, which unfortunately may be lacking in terms of password strength. In this case, weak login credentials make devices more susceptible to brute force attacks.

Data breaches

Hackers can exploit compromised or poorly managed Remote Desktop connections to gain unauthorized access to devices. This often leads to a data breach, which can compromise, delete, or expose sensitive files.

Unrestricted port access

RDP connections typically occur at the host device’s TCP port 3389; hackers often target this port and gain unauthorized access through it.

Troubleshooting Windows Remote Desktop Users group errors

“User Still Unable to Connect” message

Make sure that Remote Desktop is enabled on the host machine. You can do this by navigating to Settings > Remote Desktop. Accounts could also lack the required permissions due to local security policies.

Firewall blocking RDP

Ensure that firewalls on the host or network allow inbound traffic on TCP port 3389.

Errors caused by Group Policy conflicts

Generate a policy report to check if any domain or local group policies conflict with your RDP access settings. Press Win + R and then run the command “gpresult /h report.html” to get a report of all your policies.

IP address problems

Check if the remote machine has a static or dynamic IP. You can use “ipconfig /all” via Windows Command Prompt.
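
The checks in this troubleshooting section can be run in one pass on the RDP host. The PowerShell below is an added example, not part of the original article or a NinjaOne script; it assumes an English-language Windows install (the firewall rule group is looked up by its display name, "Remote Desktop") and reads the standard Terminal Server registry values.

```powershell
# Added example: runs the troubleshooting checks from this section on the RDP host.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
# The same value under the Policies key is written by Group Policy and takes precedence.
$polDeny = (Get-ItemProperty -Path $pol -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections
$policy = if ($null -eq $polDeny) { 'not configured' } elseif ($polDeny -eq 0) { 'allow' } else { 'deny' }

# 2. Configured listener port (3389 unless changed) and whether it is listening.
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
$listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen `
                    -ErrorAction SilentlyContinue)

# 3. Enabled inbound rules in the built-in firewall group.
#    Assumption: English display name; localized systems use a translated name.
$fw = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

# 4. Current group members. Local Administrators can also log on via RDP by default,
#    so an account missing here may still have access through that group.
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)

[pscustomobject]@{
    RdpEnabledLocally   = ($deny -eq 0)
    GroupPolicySetting  = $policy
    ServiceStatus       = (Get-Service -Name TermService).Status
    ListenerPort        = $port
    PortListening       = $listening
    InboundRulesEnabled = $fw.Count
    GroupMembers        = $members.Name -join ', '
} | Format-List
```

A result with RdpEnabledLocally true but GroupPolicySetting "deny" points to the Group Policy conflict described above; run gpresult /h report.html to find the policy that sets it.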

Best practices for Remote Desktop access management

Limit RDP access

Follow the principle of least privilege (PoLP) to prevent any unauthorized RDP access. The fewer the users with RDP access, the smaller the attack surface.

Implement 2FA for security

Two-factor authentication (2FA) strengthens remote access security by adding an extra layer of protection.

Consistently update user access permissions

Regularly audit the Remote Desktop Users group so that you can remove accounts that no longer require access.
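
One way to run that audit is to compare the group's current membership against an approved list and flag the difference. This PowerShell is an added example, not code from the original article or from NinjaOne; the function name Get-RdpGroupDrift and the account names in $approved are hypothetical and constructed for illustration.

```powershell
# Added example: compare "Remote Desktop Users" membership with an approved allow-list.
function Get-RdpGroupDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Approved,   # names as COMPUTER\user or DOMAIN\user
        [string]$Group = 'Remote Desktop Users'
    )
    $current = @(Get-LocalGroupMember -Group $Group)

    # Every current member is either on the allow-list or unexpected.
    foreach ($m in $current) {
        [pscustomobject]@{
            Name   = $m.Name
            Class  = $m.ObjectClass          # User or Group
            Source = $m.PrincipalSource      # Local, ActiveDirectory, ...
            Status = if ($m.Name -in $Approved) { 'Approved' } else { 'Unexpected' }
        }
    }
    # Approved entries that are no longer members (stale allow-list or removed access).
    foreach ($a in $Approved) {
        if ($a -notin $current.Name) {
            [pscustomobject]@{ Name = $a; Class = $null; Source = $null; Status = 'ApprovedButAbsent' }
        }
    }
}

# Constructed allow-list; replace with the accounts approved for this host.
$approved = @("$env:COMPUTERNAME\helpdesk1", 'CONTOSO\RDP-Support')

$report = Get-RdpGroupDrift -Approved $approved
$report | Sort-Object Status, Name | Format-Table -AutoSize

# Preview the removals for unexpected members. -WhatIf only prints what would happen;
# drop it (in an elevated session) once the list has been reviewed.
$report | Where-Object Status -eq 'Unexpected' | ForEach-Object {
    Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name -WhatIf
}
```

Name comparison with -in is case-insensitive, so the allow-list does not need to match the casing Windows reports.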


Easily and quickly manage Remote Desktop Users on Windows

Proactively configuring Remote Desktop Users minimizes the chance of a cyberattack, while also providing technicians with a simpler remote access user experience. Regularly check your Remote Desktop Users group membership to confirm that no unauthorized users have been added.

NinjaOne consolidates Windows endpoint management with remote access software into a single pane of glass, making it more efficient for IT teams and managed service providers (MSPs) to manage at scale. To give IT teams more flexibility, NinjaOne also offers seamless integration with industry-leading remote control tools.

Reduce your tech stack while increasing the visibility and control of your devices with NinjaOne. Get started with a free trial today.

Quick-Start Guide

NinjaOne provides several ways to manage Remote Desktop Users in Windows:

1. Scripted Management:
– There’s a script called “Modify Users Group Membership” that allows you to add or remove a user to a group in Active Directory or the local computer.
– Another script called “Create New Local User” can create a local user account and add it to the local admin group.

2. Remote Tools:
– NinjaOne offers Remote Tools that allow you to manage users and access devices without direct physical access.
– The Remote Registry tool can be used to modify user settings, though it has some limitations when running as a system-level account.

3. Active Directory Management:
– For domain-joined computers, NinjaOne supports Active Directory user management directly within the app.
– You can manage users, add/remove users from groups, and modify user permissions.

While these tools provide flexibility, the exact method for adding or removing Remote Desktop users might require a specific script or manual configuration. I recommend consulting with your NinjaOne administrator or support team for the most precise method tailored to your specific environment.

FAQs

The Remote Desktop Users group is a built-in Windows group that controls which users can connect to a device via Remote Desktop Protocol (RDP). Members of this group can access the system remotely but don’t get full admin rights unless explicitly assigned.

You can add a user using:

  • GUI: Open compmgmt.msc, go to Local Users and Groups > Groups > Remote Desktop Users, and click Add.
  • PowerShell: Use Add-LocalGroupMember -Group "Remote Desktop Users" -Member <User>.
  • Command Prompt: Run net localgroup "Remote Desktop Users" <User> /add.

You may be unable to connect if:

  • Remote Desktop is disabled.
  • The user isn’t part of the Remote Desktop Users group.
  • Firewall rules are blocking TCP port 3389.
  • Group Policy settings or the IP configuration is preventing access.

You can remove users through:

  • GUI: Use compmgmt.msc > Groups > Remote Desktop Users > Remove.
  • PowerShell: Run Remove-LocalGroupMember -Group "Remote Desktop Users" -Member <User>.
  • Command Prompt: Use net localgroup "Remote Desktop Users" <User> /delete.

Remote Desktop can be secure if properly managed. Best practices include:

  • Using strong passwords
  • Limiting RDP access with least privilege
  • Enabling two-factor authentication (2FA)
  • Restricting access on TCP port 3389 and auditing user permissions regularly
