How to Configure the Windows Remote Desktop Users Group
Windows Remote Desktop is one of the most powerful built-in features Microsoft has ever shipped. It lets administrators, support teams, and authorized users connect to and fully control a machine from anywhere in the world — without physically sitting in front of it. But with that power comes a critical responsibility: controlling who gets remote access and what they can do once connected.
Out of the box, Windows locks remote access down to Administrators only. That's a sensible default, but it creates a real-world problem: you don't always want to hand out admin credentials just to let someone log in remotely. That's exactly where the Remote Desktop Users Group comes in.
This guide walks you through everything you need to know — from understanding the group's purpose to enabling RDP, adding and removing users, and verifying access — so you can manage remote connectivity securely and efficiently.
What Is the Remote Desktop Users Group?
The Remote Desktop Users Group is a built-in local security group in Windows. Its sole purpose is to grant non-administrator accounts the right to establish a Remote Desktop Protocol (RDP) session with a machine.
Here's why this matters in practice:
- Without this group, only members of the local Administrators group can connect via RDP.
- With this group, you can give specific standard users remote access without elevating their privileges to full admin.
- This follows the principle of least privilege — a foundational concept in systems security that says users should have only the permissions they actually need.
Whether you're managing a single workstation or a fleet of servers, understanding and correctly configuring this group is a non-negotiable part of responsible system administration.
> Running a remote server? If you're managing a VPS Hosting environment, proper RDP user group configuration is especially critical since your server is exposed to the public internet.
Prerequisites
Before you begin, make sure you have the following in place:
- Local Administrator access on the machine you want to configure (you cannot modify local groups without it).
- The exact usernames of the accounts you want to add to the Remote Desktop Users Group.
- Remote Desktop enabled on the target machine (covered in Step 1 below).
- Network connectivity between the client machine and the target host, with TCP port 3389 open in the firewall.
Step 1: Enable Remote Desktop on the Target Machine
Before you can manage who connects via RDP, you need to confirm that Remote Desktop is actually turned on. Here's how:
Open System Properties
- Right-click This PC (or My Computer) on the desktop or in File Explorer.
- Select Properties.
Access Remote Settings
- In the left-hand panel, click Remote settings. This opens the System Properties dialog directly on the Remote tab.
Enable Remote Desktop
- Under the Remote Desktop section, select Allow remote connections to this computer.
- A prompt may appear warning you about firewall rules — click OK to allow Windows to automatically configure the firewall exception for RDP.
Network Level Authentication (NLA)
- You'll see a checkbox labeled Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended).
- Leave this checked in most cases. NLA requires users to authenticate before a full RDP session is established, which significantly reduces the attack surface against brute-force and denial-of-service attacks.
- Uncheck it only if you need to support legacy clients that don't support NLA (Windows XP, older thin clients, etc.). This is a security trade-off and should be documented.
Apply the Changes
- Click Apply, then OK.
Remote Desktop is now active on this machine.
Step 2: Add Users to the Remote Desktop Users Group
With RDP enabled, you can now populate the Remote Desktop Users Group with the accounts that need access.
Method A: Using Computer Management (Recommended for Most Admins)
Open Computer Management:
- Right-click the Start button and select Computer Management.
- Alternatively, press Windows + R, type compmgmt.msc, and press Enter.
Navigate to Local Users and Groups:
- In the left pane, expand Local Users and Groups.
- Click on Groups.
Open the Remote Desktop Users Group:
- In the center pane, locate and double-click on Remote Desktop Users. This opens the group's Properties window.
Add Users:
- Click the Add button.
- In the Select Users dialog box, type the username(s) of the accounts you want to add. For multiple users, separate names with a semicolon (;).
- Click Check Names to validate the entries against the local user database (or Active Directory if domain-joined).
- Click OK to confirm.
Save and Close:
- Click OK again to close the Remote Desktop Users Properties window.
The selected users now have RDP access to this machine.
Method B: Using PowerShell (Faster for Bulk Operations)
If you're managing multiple machines or want to automate this process, PowerShell is far more efficient.
Add a single user:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "username"
Add a domain user:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\username"
View current group members:
Get-LocalGroupMember -Group "Remote Desktop Users"
Remove a user:
Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "username"
PowerShell commands can be scripted and deployed via Group Policy or remote management tools, making them ideal for enterprise environments or when managing Dedicated Servers at scale.
Method C: Using the System Properties Shortcut
There's a faster path directly from the Remote settings dialog:
- Go back to System Properties → Remote tab.
- Click the Select Users… button at the bottom.
- This opens a simplified version of the same dialog, letting you add or remove users from the Remote Desktop Users Group without navigating through Computer Management.
Step 3: Verify That User Access Works
Configuration without verification is incomplete. After adding users to the group, confirm that the access actually works as expected.
Test the Connection
- On the client machine, press Windows + R, type mstsc, and press Enter to launch Remote Desktop Connection.
- Enter the IP address or hostname of the target machine.
- Click Connect.
- When prompted, enter the credentials of the newly added user (not an admin account).
What to Expect
- If everything is configured correctly, the user will authenticate and land on a remote desktop session.
- If the connection is refused, double-check:
  - The user is actually in the Remote Desktop Users Group.
  - Remote Desktop is enabled on the target machine.
  - The Windows Firewall is allowing inbound connections on TCP port 3389.
  - No Group Policy is overriding local RDP settings (common in domain environments).
Check the Windows Firewall Rule
Open Windows Defender Firewall with Advanced Security and confirm that the Remote Desktop – User Mode (TCP-In) rule is enabled and set to Allow the connection.
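The checks in this step can also be run from the target host itself before testing from a client. The following is an added example, not part of the original guide; the function name `Test-RdpReadiness` and the account name `alice` are placeholders, and the firewall group name assumes an English-language Windows install.

```powershell
# Added example (not from the original guide). Run in an elevated session on the target host.
function Test-RdpReadiness {
    param([Parameter(Mandatory)][string]$UserName)   # placeholder account name, e.g. 'alice'

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 corresponds to "Allow remote connections to this computer"
    $enabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 corresponds to the NLA checkbox being ticked
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Enabled inbound allow rules in the "Remote Desktop" group (English display name)
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    # Is anything actually listening on the configured RDP port?
    $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

    # Group members are returned as COMPUTER\user or DOMAIN\user
    $member = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Where-Object {
            $_.Name -eq $UserName -or
            $_.Name.EndsWith("\$UserName", [StringComparison]::OrdinalIgnoreCase)
        })

    [pscustomobject]@{
        RdpEnabled      = $enabled
        NlaRequired     = $nla
        Port            = $port
        Listening       = $listening
        FirewallRulesOn = $rules.DisplayName
        UserInRdpGroup  = $member.Count -gt 0
    }
}

Test-RdpReadiness -UserName 'alice'
```

The registry values reflect local settings only; a domain policy can still override them, as covered under Advanced Considerations.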
Step 4: Manage and Remove Users
Access management is an ongoing responsibility, not a one-time task. Users leave organizations, roles change, and access that was appropriate six months ago may be a security risk today.
Remove a User via Computer Management
- Open Computer Management (compmgmt.msc).
- Navigate to Local Users and Groups → Groups.
- Double-click Remote Desktop Users.
- Select the user account you want to remove.
- Click Remove.
- Click OK to save the changes.
Remove a User via PowerShell
Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "username"
Best Practices for Ongoing Access Management
| Practice | Why It Matters |
|---|---|
| Audit group membership quarterly | Catches stale accounts and former employees |
| Use Active Directory groups (if domain-joined) | Centralizes management across multiple machines |
| Enable RDP logging via Event Viewer | Provides an audit trail of who connected and when |
| Enforce strong password policies | Reduces risk from brute-force attacks on RDP |
| Consider MFA for RDP | Adds a critical second layer of authentication |
| Restrict RDP to specific IP ranges via firewall | Limits exposure to known, trusted networks only |
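The membership audit and the RDP audit trail from the table can be combined into one report that shows who is in the group, whether they are on an approved list, and when they last connected. This is an added example, not part of the original guide; the `$Approved` entries and the 90-day window are constructed values, and it assumes the user name recorded in the event log has the same `DOMAIN\user` form as the group member name.

```powershell
# Added example (not from the original guide). Run in an elevated session.
$Approved = @('CORP\helpdesk-rdp', "$env:COMPUTERNAME\alice")   # constructed allowlist
$Days     = 90                                                  # look-back window

# Most recent remote session logon per user. Event ID 21 is "session logon succeeded";
# console logons carry Address = LOCAL and are skipped.
$lastSeen = @{}
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.UserData.EventXML
    # Get-WinEvent returns newest first, so the first hit per user is the latest logon
    if ($d.User -and $d.Address -ne 'LOCAL' -and -not $lastSeen.ContainsKey($d.User)) {
        $lastSeen[$d.User] = [pscustomobject]@{ When = $_.TimeCreated; From = $d.Address }
    }
}

Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object {
    # Only local user accounts can be looked up with Get-LocalUser
    $local = if ($_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User') {
        Get-LocalUser -SID $_.SID
    }
    [pscustomobject]@{
        Member       = $_.Name
        Class        = $_.ObjectClass
        Approved     = $Approved -contains $_.Name
        Disabled     = if ($local) { -not $local.Enabled } else { $null }
        LastRdpLogon = $lastSeen[$_.Name].When
        LastSource   = $lastSeen[$_.Name].From
    }
} | Sort-Object Approved, LastRdpLogon | Format-Table -AutoSize
```

Rows with `Approved = False`, `Disabled = True`, or an empty `LastRdpLogon` are the candidates for removal; members that are groups need their own membership reviewed separately.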
Advanced Considerations
Group Policy and Domain Environments
In an Active Directory domain, local group settings can be overridden by Group Policy Objects (GPOs). The relevant policy is located at:
Computer Configuration → Windows Settings → Security Settings →
Local Policies → User Rights Assignment → Allow log on through Remote Desktop Services
If users can't connect despite being in the local Remote Desktop Users Group, check whether a GPO is restricting or overriding this right at the domain level.
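To see which accounts currently hold this right on a machine, the applied security policy can be exported with `secedit` and the relevant entries resolved to names. This is an added example, not part of the original guide; the function name `Get-RdpLogonRight` is a placeholder, and it also reads the matching deny right.

```powershell
# Added example (not from the original guide). Run in an elevated session.
function Get-RdpLogonRight {
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment section of the applied policy
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

        foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
            $line = Select-String -Path $cfg -Pattern "^$right\s*=\s*(.*)" | Select-Object -First 1
            $entries = if ($line) { $line.Matches[0].Groups[1].Value -split ',' } else { @() }

            foreach ($e in $entries) {
                $e = $e.Trim()
                if (-not $e) { continue }

                # secedit writes SIDs as *S-1-...; resolve them to account names where possible
                $name = $e
                if ($e.StartsWith('*')) {
                    $sid = [System.Security.Principal.SecurityIdentifier]::new($e.Substring(1))
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $sid.Value }   # unresolvable SID, e.g. a deleted account
                }
                [pscustomobject]@{ Right = $right; Principal = $name }
            }
        }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

Get-RdpLogonRight | Format-Table -AutoSize
```

If Remote Desktop Users (SID S-1-5-32-555) is missing from `SeRemoteInteractiveLogonRight`, membership in the local group no longer grants RDP logon; an entry under `SeDenyRemoteInteractiveLogonRight` takes precedence over an allow entry for the same account.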
RDP Over a Secure Connection
Exposing port 3389 directly to the internet is a well-known security risk. Attackers actively scan for open RDP ports. Consider these hardening measures:
- Change the default RDP port from 3389 to a non-standard port.
- Use a VPN to tunnel RDP traffic rather than exposing it publicly.
- Deploy an RDP Gateway to broker and authenticate connections before they reach the target machine.
- Enable Account Lockout Policies to limit brute-force attempts.
> Hosting your own server? If you're running Windows on a VPS with cPanel or a managed Dedicated Server, AlexHost's infrastructure includes DDoS protection and network-level firewalling that adds an important first line of defense around your RDP endpoints.
Securing Your Server Environment Further
Remote Desktop configuration is just one layer of a comprehensive security posture. If you're running business-critical services on your server, consider pairing your RDP hardening with:
- A valid SSL Certificate for any web-facing services on the same host.
- Proper Domain Registration and DNS configuration so your server is reachable via a trusted hostname rather than a raw IP.
- Email Hosting separated from your primary server to reduce attack surface.
Troubleshooting Common RDP Issues
| Problem | Likely Cause | Solution |
|---|---|---|
| "Remote Desktop can't connect to the remote computer" | RDP not enabled or firewall blocking port 3389 | Enable RDP in System Properties; check firewall rules |
| "You don't have permission to log on" | User not in Remote Desktop Users Group | Add user via Computer Management or PowerShell |
| Connection drops immediately after login | NLA mismatch or licensing issue | Verify NLA settings match on client and server |
| "The remote session was disconnected" | RDP session limit reached | Check concurrent session limits in Group Policy |
| Slow or laggy remote session | Bandwidth or display settings | Reduce color depth and disable visual effects in RDP client settings |
Conclusion
Configuring the Windows Remote Desktop Users Group is a foundational skill for any systems administrator. Done correctly, it gives you precise, granular control over who can access a machine remotely — without handing out administrator credentials unnecessarily.
To recap the key steps:
- Enable Remote Desktop in System Properties and configure NLA appropriately.
- Add users to the Remote Desktop Users Group via Computer Management, PowerShell, or the System Properties shortcut.
- Verify access by testing a connection with the newly added user account.
- Manage access on an ongoing basis — remove users who no longer need access and audit group membership regularly.
Remote Desktop is an indispensable tool for remote management, IT support, and server administration. But like any powerful tool, it requires careful configuration and continuous oversight to remain secure.
Whether you're managing a single workstation or an entire infrastructure of VPS servers and dedicated machines, these principles apply universally. Build good habits now, and your remote access setup will be both productive and secure for the long term.
