Enable remote desktop (RDP) connections for admins on Windows Server 2016

by Bharat Suneja

Windows Server 2016 has reached the General Availability (GA) milestone today. You can download it from your volume licensing site or MSDN. You can also create Azure VMs with Windows 2016.

The latest and greatest Windows Server has many new Remote Desktop features. See What’s New in Remote Desktop Services in Windows Server 2016 for the laundry list.

If you’re just trying to enable RDP for remote admin connections, here’s how to do it.

  1. Type SystemPropertiesRemote.exe in a command or PowerShell window.
  2. In the System Properties dialog, select Allow remote connections to this computer.
    Figure 2: Allow remote desktop connections.

    Windows Server supports Network Level Authentication (NLA) for RDP connections. This forces the authentication to occur before the session begins. Without NLA, the RDP host presents the user logon screen when the RDP session starts. NLA is more secure.

  3. [Optional] Administrators have remote desktop access by default. If you want to allow RDP access to additional users, click Select users, select the users and then close the dialog box.
    Figure 3: Select users who should be allowed remote desktop connections

Enable Remote Desktop using PowerShell

Of course, many IT pros prefer PowerShell. In this case, I found running SystemPropertiesRemote.exe was faster, but PowerShell helps you automate these settings, for example, as part of unattended setup.

Here’s how you can enable Remote Desktop using PowerShell (credit to Samuel Yee, who has it documented here, saving me the trouble of firing up Process Monitor, one of the fine, and free, Windows SysInternals tools):

  1. Enable Remote Desktop connections

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name 'fDenyTSConnections' -Value 0

  2. Enable Network Level Authentication

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name 'UserAuthentication' -Value 1

  3. Enable Windows firewall rules to allow incoming RDP

    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

There are scripts in the TechNet Script Gallery that’ll allow you to run this against a large number of computers and turn on any services required to automate this.

Update 12/13/2018:

You can use PowerShell to grant permissions to use Remote Desktop. As noted earlier in this post, administrators can remote in by default. To provide non-admin users permission to use Remote Desktop, add them to the Remote Desktop Users local group.

Add-LocalGroupMember -Group "Remote Desktop Users" -Member foo
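
After applying the steps above, it is worth reading the settings back to confirm what the host now exposes and to whom. The following is an added example, not part of the original post; Get-RdpExposure is a hypothetical helper name, and the script assumes an elevated PowerShell 5.1 session on the server itself.

```powershell
# Added example: read back the RDP settings configured above (run elevated).
# Get-RdpExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # 0 = connections allowed, 1 = connections denied
    $deny = (Get-ItemProperty -Path $ts -Name 'fDenyTSConnections').fDenyTSConnections
    # 1 = Network Level Authentication required
    $nla  = (Get-ItemProperty -Path $tcp -Name 'UserAuthentication').UserAuthentication

    # Firewall rules in the "Remote Desktop" group that are currently enabled
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' })

    # Non-admin accounts granted RDP logon through the local group
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        RdpEnabled           = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        EnabledFirewallRules = $rules.DisplayName
        RemoteDesktopUsers   = $members
    }
}

$state = Get-RdpExposure
$state | Format-List

# RDP on without NLA is the less secure configuration described in step 2
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
}

# Any name listed here can log on over RDP in addition to administrators
if ($state.RemoteDesktopUsers.Count -gt 0) {
    Write-Output "Non-admin RDP access: $($state.RemoteDesktopUsers -join ', ')"
}
```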


samba November 29, 2018 at 10:11 am

Hi Team,
The article is nice. I got my required info.
If I want to add a user to Remote Desktop (like you added bharat in the third step) through PowerShell, may I know what the option is?

Thanks
Samba


Bharat Suneja December 12, 2018 at 7:57 pm

Admins can RDP by default. To allow non-admin users to use Remote Desktop, add them to the Remote Desktop Users local group.
Add-LocalGroupMember -Group "Remote Desktop Users" -Member foo
