How to allow domain groups RDP access to Windows XP machines


This is an abbreviated primer to remind me of this common, yet difficult to find documented, procedure.

The problem: You have an Active Directory domain with groups of users that you want to allow to log into various local machines through RDP.
You have tried to add the domain group to the local “Remote Desktop Users” group on a target terminal server, but you cannot do this through the Manage Computer MMC.

The solution: use the net command on the target machine like this:

net localgroup "Remote Desktop Users" "[YOUR DOMAIN]\[Domain group]" /add

Assuming you have RDP enabled on that machine, you should be able to RDP to it and use the credentials of a user in the domain group you just added to log in.

I know what you’re thinking: “why not just add the domain builtin group ‘Remote Desktop Users’ to the local group?” You cannot add domain builtins to the local groups. I think this has to do with the underlying LDAP schema of AD. The “net localgroup” command is looking at the CN=Users sub-tree of AD, it seems. Put your OU or groups in there.

Of course, this solution makes you visit each target terminal server/desktop. You could script this with ssh or, more Windows-y, WMI, I think. You might even be able to do this stuff with Perl or Python to visit all the machines too. There’s also a Group Policy manager from Microsoft that should make this easy to manage centrally, but I couldn’t get that software.
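As an added example (not part of the original post), here is one way to do the same thing the net localgroup line above does, but fanned out over a list of machines from an admin workstation using the ADSI WinNT provider, which works against remote machines over the same RPC/SMB channels that net.exe uses. It first lists what is already in the local “Remote Desktop Users” group so you can see exactly who gains RDP logon before and after the change. The computer names, domain name and group name are placeholders; replace them with your own.

```powershell
# Added example, not from the original post.
# Adds a domain group to the local "Remote Desktop Users" group on several
# machines and reports the resulting membership. All names below are placeholders.
$Computers   = @('WS-FINANCE-01', 'WS-FINANCE-02')   # constructed placeholder hostnames
$DomainName  = 'CONTOSO'                             # placeholder domain NetBIOS name
$DomainGroup = 'RDP-Finance'                         # placeholder domain group (a normal group, not a builtin)
$LocalGroup  = 'Remote Desktop Users'

# Returns the ADsPath of every current member of a local group on $Computer,
# e.g. "WinNT://CONTOSO/RDP-Finance" or "WinNT://WS-FINANCE-01/Administrator".
function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$GroupName)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
}

# Adds the domain group to the local group unless it is already a member.
function Add-DomainGroupToLocalGroup {
    param([string]$Computer, [string]$Domain, [string]$GroupToAdd, [string]$GroupName)
    $wanted = "WinNT://$Domain/$GroupToAdd"
    $before = Get-LocalGroupMemberPath -Computer $Computer -GroupName $GroupName
    if ($before -contains $wanted) {
        Write-Output "$Computer : '$Domain\$GroupToAdd' is already in '$GroupName'"
        return
    }
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    $group.Add("$wanted,group")
    Write-Output "$Computer : added '$Domain\$GroupToAdd' to '$GroupName'"
}

foreach ($computer in $Computers) {
    try {
        Add-DomainGroupToLocalGroup -Computer $computer -Domain $DomainName `
                                    -GroupToAdd $DomainGroup -GroupName $LocalGroup
        # Show who can now RDP to this box, so the change can be reviewed.
        Get-LocalGroupMemberPath -Computer $computer -GroupName $LocalGroup |
            ForEach-Object { Write-Output "$computer :   member $_" }
    }
    catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it from an account that is a local administrator on each target. Because it prints the full membership afterwards, the output doubles as a quick audit of which domain groups have RDP logon on each machine; trying to add a domain builtin such as the domain’s own “Remote Desktop Users” will fail in the catch block, matching the behaviour described above.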