Configure Permissions for Remote Desktop Services Connections
Applies To: Windows Server 2008 R2
Remote Desktop Services permissions are used to control which users or groups can perform particular tasks on the RD Session Host server, such as logging on to the RD Session Host server or remotely controlling a user session. You can manage permissions on a per-connection basis in Remote Desktop Session Host Configuration.
Note
To control who can connect remotely to the RD Session Host server, we recommend that you modify the Remote Desktop Users group. For more information about modifying the Remote Desktop Users group, see Configure the Remote Desktop Users Group.
The connection permissions that are set in Remote Desktop Session Host Configuration also determine the actions that a given user can perform in Remote Desktop Services Manager. For example, a user must have at least the Remote Control special access permission to remotely control a user session by using Remote Desktop Services Manager.
The following is a list of the permissions that you can set in Remote Desktop Session Host Configuration and the capability that each permission provides.
Permission | Capability |
---|---|
Query Information | Query sessions and RD Session Host servers for information |
Set Information | Configure properties of the connection |
Remote Control | View or actively control another user's session |
Logon | Log on to a session on the RD Session Host server |
Logoff | Log off a user from a session |
Message | Send a message to a user session |
Connect | Connect to another user session |
Disconnect | Disconnect a user session |
Virtual Channels | Use a virtual channel in a session, which provides local device and resource redirection |
By default, the Remote Desktop Users group is assigned the following permissions: Query Information, Logon, and Connect.
There are three standard preconfigured sets of permissions:
Full Control
User Access
Guest Access
The following is a list of permissions that are associated with each of the standard preconfigured sets of permissions.
Permission set | Permissions assigned |
---|---|
Full Control | Query Information, Set Information, Remote Control, Logon, Logoff, Message, Connect, Disconnect, Virtual Channels |
User Access | Query Information, Logon, Connect |
Guest Access | Logon |
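
The following Python script is an added example, not part of the original documentation. It checks a connection's permission entries against the preset sets listed above and reports every account that holds more than User Access, rating Remote Control as the highest-risk grant. The account names, the `full_control_allowed` allowlist, and the input format (permission names already read from the connection's Security tab) are assumptions.

```python
# Added example: least-privilege review of RD Session Host connection permissions.
# Preset contents are taken from the tables on this page.
PRESETS = {
    "Full Control": {"Query Information", "Set Information", "Remote Control",
                     "Logon", "Logoff", "Message", "Connect", "Disconnect",
                     "Virtual Channels"},
    "User Access": {"Query Information", "Logon", "Connect"},
    "Guest Access": {"Logon"},
}
ALL_PERMISSIONS = PRESETS["Full Control"]
BASELINE = PRESETS["User Access"]  # default for the Remote Desktop Users group

def classify(granted):
    """Return the preset whose permissions match exactly, else 'Custom'."""
    for name, perms in PRESETS.items():
        if set(granted) == perms:
            return name
    return "Custom"

def review(acl, full_control_allowed):
    """acl maps account -> permission names. Returns findings for accounts that
    exceed User Access and are not on the (assumed) allowlist."""
    findings = []
    for account, perms in sorted(acl.items()):
        granted = set(perms)
        unknown = granted - ALL_PERMISSIONS
        if unknown:  # reject typos instead of silently ignoring them
            raise ValueError(f"{account}: unknown permission(s) {sorted(unknown)}")
        excess = granted - BASELINE
        if account in full_control_allowed or not excess:
            continue
        # Remote Control lets the holder view or drive another user's session.
        severity = "high" if "Remote Control" in excess else "medium"
        findings.append({"account": account, "preset": classify(granted),
                         "excess": sorted(excess), "severity": severity})
    return findings

# Constructed sample input; these accounts are hypothetical.
SAMPLE_ACL = {
    r"BUILTIN\Administrators": ALL_PERMISSIONS,
    r"BUILTIN\Remote Desktop Users": {"Query Information", "Logon", "Connect"},
    r"CONTOSO\Helpdesk": {"Query Information", "Logon", "Connect",
                          "Remote Control", "Message"},
    r"CONTOSO\Contractors": {"Logon", "Disconnect"},
}

if __name__ == "__main__":
    for f in review(SAMPLE_ACL, {r"BUILTIN\Administrators"}):
        print(f"[{f['severity']}] {f['account']} ({f['preset']}): "
              f"beyond User Access: {', '.join(f['excess'])}")
```
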
Use the following procedure to configure permissions for a connection.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.
To configure permissions for a connection
1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
2. Under Connections, right-click the name of the connection, and then click Properties.
3. In the Properties dialog box for the connection, on the Security tab, configure the permissions as appropriate for your environment, and then click OK.
You can prevent administrators from changing the permissions for a connection by applying the "Do not allow local administrators to customize permissions" Group Policy setting. This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).
For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (https://go.microsoft.com/fwlink/?LinkId=138134).
For more information about Remote Desktop Services, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (https://go.microsoft.com/fwlink/?LinkId=138055).