Remote Desktop Services permissions are used to control which users or groups can perform particular tasks on the RD Session Host server, such as logging on to the RD Session Host server or remotely controlling a user session. You can manage permissions on a per connection basis in Remote Desktop Session Host Configuration.

Note

To control who can connect remotely to the RD Session Host server, we recommend that you modify the Remote Desktop Users group. For more information about modifying the Remote Desktop Users group, see Configure the Remote Desktop Users Group.

The connection permissions that are set in Remote Desktop Session Host Configuration also determine the actions that a given user can perform in Remote Desktop Services Manager. For example, a user must have at least the Remote Control special access permission to remotely control a user session by using Remote Desktop Services Manager.

The following is a list of the permissions that you can set in Remote Desktop Session Host Configuration and the capability that each permission provides.

Permission Capability

Query Information

Query sessions and RD Session Host servers for information

Set Information

Configure properties of the connection

Remote Control

View or actively control another user's session

Logon

Log on to a session on the RD Session Host server

Logoff

Log off a user from a session

Message

Send a message to a user session

Connect

Connect to another user session

Disconnect

Disconnect a user session

Virtual Channels

Use a virtual channel in a session, which provides local device and resource redirection

By default, the Remote Desktop Users group is assigned the following permissions: Query Information, Logon, and Connect.

There are three standard preconfigured sets of permissions:

  • Full Control

  • User Access

  • Guest Access

The following is a list of permissions that are associated with each of the standard preconfigured sets of permissions.

Permission set Permissions assigned

Full Control

Query Information, Set Information, Remote Control, Logon, Logoff, Message, Connect, Disconnect, Virtual Channels

User Access

Query Information, Logon, Connect

Guest Access

Logon

Use the following procedure to configure permissions for a connection.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To configure permissions for a connection
  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. In the Properties dialog box for the connection, on the Security tab, configure the permissions as appropriate for your environment, and then click OK.

You can prevent administrators from changing the permissions for a connection by applying the Do not allow local administrators to customize permissions Group Policy setting. This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).

For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (https://go.microsoft.com/fwlink/?LinkId=138134).

For more information about Remote Desktop Services, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (https://go.microsoft.com/fwlink/?LinkId=138055).


Table Of Contents