How to enable remote desktop by using group policy

This is one of the requirement I came across when I got to know I’m stuck without a remote desktop to a server in their network when I wanted to troubleshoot an issue. I have already had the access to the DC thanks to a third party software but forgot to enable the remote desktop feature in the other servers! Sad smile

Anyway the answer I found it within the Group Policy by enabling 2 settings. I thought of sharing that information with you all.

always make sure your servers are group by creating necessary OU’s. This is not a rule but a best practice I follow, so it makes life easier. Once that part is completed go to the GPMC,


Make sure to highlight the correct OU and create a new GPO, in my case I’ve named it as “Remote access policy” after that edit the policy in the following settings,

Computer Configuration —> Administrative Templates —> Windows Components —> Terminal Services —> Terminal Server —> Connections and after that enable the GPO setting name as “ Allow users to connect remotely using Terminal services”


After that you need to enable an exception through the Windows firewall to allow the RDP connections. For that edit the GPO name as “ Allow inbound Remote Desktop exceptions” Path goes as follows,

Computer Configuration —> Administrative template —> Network —> Network Connections —> Windows Firewall —> Domain Profile

That’s all from the Group Policy side. After that you can await until Group Policy get refresh at the target machines side according to default time period. Well that time is between every 90 –120 minutes and we don’t want to wait that long rightSmile what we need to find out is a  way to refresh the group policy in the remote machines from our console. For that we have few ways we can execute the group policy in the remote machine. but now my focus will be going for two programs.  One is use a utility called “PsExec” developed by Mark Russinovich. You can download it from here.  This is as far as I concern one of the easiest method to do without any scripting.

Download the tool and extract it to the %systemroot% it’s much easier when you to the CMD typing.

image image

image image

Now switching back to the remote PC we can have a look into the GPO effectiveness,


And that is what I called “Happy Day Smile

Second method is by using a software called “SPECOPS GPUPDATE” developed by SPECOPS software company. the best thing is the above mention software utility is free. It directly integrate with the Active Directory and you can update the target OU’s within the ADCU console itself!

For this demonstration I went ahead and installed the software to the AD. This software requires Windows Power Shell and as well as .Net Framework. make sure you have open the necessary firewall ports as well.


As you can see you can select “Gpupdate” and silently execute the Power Shell command or select the options called “ Specops Gpupdate” which open nice GUI. Under the GUI apart from executing the GPO’s you have few other options as well. Once you select the Gpupdate option you’ll be greeted with few screen and finally the progress screen,


As you can see both software offers flexibility for us to execute the GP update remotely to the network pc’s where as SPECOPS GPUPDATE has gone the extra mile to offer more features. If you need more features on the SPECOPS you can check on the SPECOPS GPUPDATE Pro version.

So next time when you’re stuck it’s always better to keep these 2 software in your toolbox.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.