How to enable remote desktop by using group policy

This is one of the requirement I came across when I got to know I’m stuck without a remote desktop to a server in their network when I wanted to troubleshoot an issue. I have already had the access to the DC thanks to a third party software but forgot to enable the remote desktop feature in the other servers! Sad smile

Anyway the answer I found it within the Group Policy by enabling 2 settings. I thought of sharing that information with you all.

always make sure your servers are group by creating necessary OU’s. This is not a rule but a best practice I follow, so it makes life easier. Once that part is completed go to the GPMC,

image

Make sure to highlight the correct OU and create a new GPO, in my case I’ve named it as “Remote access policy” after that edit the policy in the following settings,

Computer Configuration —> Administrative Templates —> Windows Components —> Terminal Services —> Terminal Server —> Connections and after that enable the GPO setting name as “ Allow users to connect remotely using Terminal services”

image

After that you need to enable an exception through the Windows firewall to allow the RDP connections. For that edit the GPO name as “ Allow inbound Remote Desktop exceptions” Path goes as follows,

Computer Configuration —> Administrative template —> Network —> Network Connections —> Windows Firewall —> Domain Profile

That’s all from the Group Policy side. After that you can await until Group Policy get refresh at the target machines side according to default time period. Well that time is between every 90 –120 minutes and we don’t want to wait that long rightSmile what we need to find out is a  way to refresh the group policy in the remote machines from our console. For that we have few ways we can execute the group policy in the remote machine. but now my focus will be going for two programs.  One is use a utility called “PsExec” developed by Mark Russinovich. You can download it from here.  This is as far as I concern one of the easiest method to do without any scripting.

Download the tool and extract it to the %systemroot% it’s much easier when you to the CMD typing.

image image

image image

Now switching back to the remote PC we can have a look into the GPO effectiveness,

image

And that is what I called “Happy Day Smile

Second method is by using a software called “SPECOPS GPUPDATE” developed by SPECOPS software company. the best thing is the above mention software utility is free. It directly integrate with the Active Directory and you can update the target OU’s within the ADCU console itself!

For this demonstration I went ahead and installed the software to the AD. This software requires Windows Power Shell and as well as .Net Framework. make sure you have open the necessary firewall ports as well.

imageimage

As you can see you can select “Gpupdate” and silently execute the Power Shell command or select the options called “ Specops Gpupdate” which open nice GUI. Under the GUI apart from executing the GPO’s you have few other options as well. Once you select the Gpupdate option you’ll be greeted with few screen and finally the progress screen,

image

As you can see both software offers flexibility for us to execute the GP update remotely to the network pc’s where as SPECOPS GPUPDATE has gone the extra mile to offer more features. If you need more features on the SPECOPS you can check on the SPECOPS GPUPDATE Pro version.

So next time when you’re stuck it’s always better to keep these 2 software in your toolbox.

Group Policy Central Store (Windows 2008)

With the introduction of Windows 2008 Microsoft redefined the concept of Group Policy Central store. Group Policy central store is a simply a central storage place to keep the administrative templates. In windows 2003 and XP age we have received many Administrative templates from Microsoft and other vendors, but the key question is where to store them. If we keep them in one server then the other server won’t be able to retrieve them.

With windows 2008 Microsoft introduce the concept on central storage. Now you can keep all the administrative templates in a central place and replicate between windows 2008 domain controllers. Windows 2008 and Vista natively support this but Windows 2003 and Windows XP don’t support it out of the box.

How it works is simply by checking if the templates available in a central place or not. If the machine couldn’t find templates in a central place it will load the template from machine local template section. So as you can see the functionality is very simple but still brings great flexibility J

So how to configure this? In the windows 2008 domain controller go to %SystemRoot%\SYSVOL\domain\Policies Create a folder called “Policy definitions”. Leave it as it is and then move to c:\windows\Policy Definitions and copy the contents in that folder and paste them to %System Root%\SYSVOL\domain\Policies

Once contents copied to the relevant folder go to GPMC and try to open a GPO. Upon opening expand Administrative Template. When you click that in the right hand pane you’ll be able to see “Administrative Templates: Policy Definitions (ADMX files) retrieved from central stores.

As a practice whenever you modify the GPO’s keep an eye of the locations where the GPO’s administrative getting loaded from. As you can see, keeping group policy templates in a central location can be a significant administrative issue for companies. However, Windows Server 2008 ability to create a central store for Administrative Templates have simplified the process and monitoring of the templates.

Windows 7 and Windows 2008 R2 complete Group Policy reference sheet is out!

Microsoft finally released the complete set of information which contains the Group Policy settings contains for Windows 7 and the Windows 2008 R2. This is a very comprehensive excel sheet. If you want to find about the nifty features and new improvements this is one sheet you need to have. Apart from that they have also added the Windows Vista, Windows 2008 SP2 as well. Complete list can be downloaded from Microsoft web site.

You can click here to download.