
How, and with what Group Policy, can I allow Domain\Admins via the DC to access any of the machines (PCs and servers) within the domain over the LAN or over an Internet/remote connection?

  • Please augment your question to make it clear in the text that you are referring to logon for Domain Admins via Remote Desktop Services. – Cosmic Ossifrage Jun 09 '16 at 11:37


The local Administrators group will by default have logon access via remote desktop services. As the Domain Admins group is added to the local Administrators group by default when a computer is joined to the domain, members of Domain Admins have these access rights by default.

You can use Restricted Groups policies to enforce the addition of the Domain Admins group to the local Administrators group if you see this necessary.

Similarly, there are dedicated Remote Desktop Users groups on each machine which can be used to achieve a similar purpose, without granting administrative rights to the named users. This is useful for non-admin users to be granted remote logon rights, and could be set on a domain-wide basis using a restricted groups policy, or individually on particular workstations if users do not require global access to all machines. (Do not use the built-in group in your domain by the same name, which exists for a different purpose.)


The permissions above address the crux of your question regarding granting access. However, you will still need to ensure remote logon is enabled on the workstation concerned, to ensure it responds to inbound RDP connection requests.

Similarly, you can configure this on an individual workstation basis (Control Panel, System, Remote) or enforce a policy domain-wide using Group Policy. RDP is not enabled on Windows machines by default.


To access the machines with RDP now enabled, you need to make the relevant network arrangements to gain access to them over port 3389. On an internal LAN segment with working internal DNS, you will be able to do this by default, assuming no firewalls are in the way. If firewalls are present, ensure their access control list is appropriately configured.

From the internet, you will need to expose the machines over port 3389, using whatever method is applicable to your network topology (e.g. NAT, ACLs, etc.).

I would not be a strong advocate of publishing all your machines over port 3389 to the internet at large. I would recommend using either a VPN solution or otherwise deploying a single endpoint for external connections via a forward-facing Remote Desktop Gateway. Do take care over any licensing implications this may have.


Summary: you require both the permissions to be in order, and the remote desktop functions to be enabled, before you can remotely log in over RDP to these machines. Your permissions may already be in order for Domain Admin users, but RDP will still need to be enabled. Network level access to the machines must be arranged; the specific details of how to do that are beyond the scope of this question.

Cosmic Ossifrage
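The answer above lists three things that must all be in place before a Domain Admin can log on over RDP: the group membership, the Remote Desktop setting, and a network path to TCP 3389. The script below is an added example (not from the answer or its author) that audits a single domain-joined machine for those three prerequisites and reports what is still missing. It assumes Windows 10 / Server 2016 or later (for `Get-LocalGroupMember` and the NetSecurity module) and an elevated PowerShell session; the group name `Domain Admins` and the NetBIOS domain are read from the machine rather than hard-coded.

```powershell
# Added example: audit the RDP prerequisites described in the answer.
# Not part of the original post; assumes Windows 10 / Server 2016+ and an elevated session.

function Test-RdpReadiness {
    [CmdletBinding()]
    param(
        # Domain group expected in local Administrators (the answer's default case).
        [string]$AdminGroup = "Domain Admins"
    )

    $netbios = $env:USERDOMAIN
    $result  = [ordered]@{}

    # 1. Permissions: is the domain group a member of the local Administrators group?
    #    A Restricted Groups policy (Computer Configuration > Policies > Windows Settings >
    #    Security Settings > Restricted Groups) enforces this; here we only observe it.
    $admins = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
    $result.DomainAdminsInLocalAdmins = [bool]($admins | Where-Object {
        $_.Name -ieq "$netbios\$AdminGroup" })

    # Members of the *local* Remote Desktop Users group (the answer warns that the
    # domain group of the same name is a different thing).
    $result.LocalRemoteDesktopUsers = @(Get-LocalGroupMember -Group "Remote Desktop Users" |
        Select-Object -ExpandProperty Name)

    # 2. RDP enabled: the policy value written by GPO (Remote Desktop Session Host >
    #    Connections > "Allow users to connect remotely...") overrides the local setting.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    $localKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $policy = (Get-ItemProperty -Path $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $local  = (Get-ItemProperty -Path $localKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $effective = if ($null -ne $policy) { $policy } else { $local }
    $result.RdpEnabled     = ($effective -eq 0)   # 0 = connections allowed
    $result.RdpSetByPolicy = ($null -ne $policy)

    # Network Level Authentication keeps unauthenticated clients off the logon screen.
    $nla = (Get-ItemProperty -Path "$localKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $result.NlaRequired = ($nla -eq 1)

    # 3. Network path: the built-in "Remote Desktop" inbound firewall rule group must be
    #    enabled, and the service should actually be listening on TCP 3389.
    $fwRules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound -ErrorAction SilentlyContinue
    $result.FirewallRuleEnabled = [bool]($fwRules | Where-Object { $_.Enabled -eq 'True' })
    $result.ListeningOn3389     = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    # Ready only when all three prerequisites from the answer hold on this host.
    $result.Ready = $result.DomainAdminsInLocalAdmins -and $result.RdpEnabled -and $result.FirewallRuleEnabled
    [pscustomobject]$result
}

Test-RdpReadiness | Format-List
```

Run it on a workstation after applying the GPOs and `gpupdate /force`; `RdpSetByPolicy` distinguishes a setting that came from Group Policy from one configured locally through Control Panel, and `NlaRequired` is worth checking before any host is reached from outside the LAN, whether through a VPN or an RD Gateway. Firewalls between the client and the host (the answer's "ensure their access control list is appropriately configured") are outside what a host-local check can see.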