When setting up Active Directory (AD) for the first time, one common challenge is enabling Remote Desktop Protocol (RDP) access for domain users. The error message "The connection was denied because the user account is not authorized for remote login" typically occurs when permissions aren't properly configured at both the AD and local machine levels.
First, ensure your AD group has the correct Group Policy Object (GPO) applied:
# PowerShell to check applied GPOs
Get-GPOReport -All -ReportType Html -Path "C:\temp\GPOReport.html"
Look for policies affecting "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment" where "Allow log on through Remote Desktop Services" should include your AD group.
There are two critical places to configure access:
- In Active Directory Users and Computers, add your security group to the "Remote Desktop Users" group
- On each target VM, modify the local security policy:
# Command to add AD group to local RDP permissions
net localgroup "Remote Desktop Users" "DOMAIN\YourGroup" /add
For enterprise environments, create a dedicated GPO:
# Create and link a new GPO
New-GPO -Name "RDP Access Policy" | New-GPLink -Target "OU=YourVMs,DC=domain,DC=com"
Then configure:
- Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- Add your AD group with "Member of" set to "Remote Desktop Users"
Ensure Windows Firewall allows RDP traffic (TCP 3389):
# PowerShell to enable RDP firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
If issues persist:
# List the privileges held by the current logon token (whoami /groups lists its group SIDs)
whoami /priv
# Show the applied GPOs and the security groups the logged-on user belongs to
gpresult /r
# Test RDP connectivity
Test-NetConnection -ComputerName VM01 -Port 3389
For larger environments, consider:
- Creating separate OUs for RDP-enabled VMs
- Using security filtering to apply GPOs only to specific groups
- Implementing Just-In-Time (JIT) access through Privileged Access Management solutions
When troubleshooting Remote Desktop access in Active Directory environments, it's crucial to understand the three-tier permission model:
- Active Directory Group Policy settings
- Local Group Policy on target machines
- Built-in Remote Desktop Users group membership
To properly enable domain users for RDP access across all your Hyper-V VMs:
1. Configure Group Policy for Domain-Wide Access
# PowerShell snippet to create and link GPO
Import-Module GroupPolicy
New-GPO -Name "RDP Access Policy" | New-GPLink -Target "dc=yourdomain,dc=com"
2. Set the Appropriate User Rights Assignment
Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Modify both:
- "Allow log on through Remote Desktop Services"
- "Access this computer from the network"
3. Verify Firewall Rules
# Command to check enabled firewall rules
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Where-Object {$_.Enabled -eq "True"}
Permission Inheritance Issues
If changes aren't propagating:
gpupdate /force
# Or for remote computers:
Invoke-GPUpdate -Computer "VM01" -RandomDelayInMinutes 0 -Force
Nested Group Considerations
For nested AD groups, confirm that the RDP port is reachable and that the user is an effective (recursive) member of the group:
# Test RDP port reachability (equivalent to -Port 3389)
Test-NetConnection -ComputerName VM01 -CommonTCPPort RDP
# Expand nested membership to see who is effectively in the group
Get-ADGroupMember "Your_RDP_Group" -Recursive | Select-Object Name
For VM-specific settings in Hyper-V:
# PowerShell to configure RDP for all Hyper-V VMs (run on the Hyper-V host).
# Uses PowerShell Direct, so it prompts for guest credentials unless -Credential is supplied.
Get-VM | ForEach-Object {
    Invoke-Command -VMName $_.Name -ScriptBlock {
        Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\Your_RDP_Group"
    }
}
Additional checks if access still fails:
- Verify DNS resolution between client and server
- Check account lockout status in AD
- Review Security event logs (Event ID 25, 4625)
- Test with basic user account (non-nested group)
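To check all three tiers of the permission model described above on one target machine, here is an added diagnostic script (not from the original page). It assumes you run it elevated on a domain-joined host and that DOMAIN\Your_RDP_Group is a placeholder for the group you expect to be authorized; the Deny check matters because a "Deny log on through Remote Desktop Services" entry always overrides the Allow right.

```powershell
# Added diagnostic script, not part of the original page.
# Assumes: elevated session on the target host; $ExpectedGroup is a placeholder.
param(
    [string]$ExpectedGroup = 'DOMAIN\Your_RDP_Group'
)

# Tier 1/2: the effective user rights live in the local security database, which
# is what both local policy and domain GPO ultimately write. Export it with secedit.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg | Out-Null
$lines = Get-Content $cfg

function Get-RightMembers {
    param([string]$Right)
    $line = $lines | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }
    # Values are comma-separated SIDs prefixed with '*' (bare names are also possible).
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $id }   # keep the raw value if the SID cannot be resolved
    }
}

$allow = @(Get-RightMembers 'SeRemoteInteractiveLogonRight')
$deny  = @(Get-RightMembers 'SeDenyRemoteInteractiveLogonRight')
Remove-Item $cfg -ErrorAction SilentlyContinue

# Tier 3: membership of the local Remote Desktop Users group (this is what the
# BUILTIN\Remote Desktop Users entry in the Allow right resolves to).
$rdu = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)

$viaBuiltin = ($allow -contains 'BUILTIN\Remote Desktop Users') -and ($rdu -contains $ExpectedGroup)

[pscustomobject]@{
    AllowRemoteInteractive = $allow -join '; '
    DenyRemoteInteractive  = $deny  -join '; '
    RemoteDesktopUsers     = $rdu   -join '; '
    GroupAllowedByRight    = ($allow -contains $ExpectedGroup) -or $viaBuiltin
    GroupExplicitlyDenied  = $deny -contains $ExpectedGroup      # Deny wins over Allow
    FirewallRuleEnabled    = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                                     Where-Object Enabled -eq 'True')
}
```

If GroupAllowedByRight is false while the group is in the local Remote Desktop Users group, check whether a Restricted Groups or User Rights Assignment GPO has removed BUILTIN\Remote Desktop Users from the Allow right.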