
How to configure the Remote Desktop Users group in Windows

Managing the Remote Desktop Users group is essential for secure Windows access. IT teams should know how to configure it properly across local, Intune and Azure environments.

Secure remote access is essential for protecting enterprise workloads, and organizations can't achieve it without strong controls over who can reach critical Windows systems.

It's crucial for IT to be able to manage which users have remote desktop access to a Windows machine. Administrators primarily do this through the Remote Desktop Users group in Windows. While it sounds simple enough, there are multiple ways to manage it and several scenarios that can make it more complex.

The Remote Desktop Users group controls who can remotely access Windows systems, which makes it a significant security and governance control point. Proper configuration improves operational efficiency, prevents unnecessary privilege escalation and reduces attack surface. IT leaders must understand how to manage access to the group using different tools, as well as the security factors that affect this process.

Understanding RDP access requirements

If an admin wants to remotely manage a Windows-based machine, the easiest way to do this is the Remote Desktop Protocol (RDP) server that is built into the OS. RDP hosting is available on most editions of Windows, including Windows Pro, Enterprise, Education and Windows Server; Windows Home editions can act as an RDP client but cannot accept incoming RDP connections.

To reach a machine over RDP, Remote Desktop must be enabled on that machine and the host firewall must allow inbound RDP traffic (TCP 3389 by default). The connecting user also needs an account that is a member of either the local Administrators group or the Remote Desktop Users group. By default, both groups hold the "Allow log on through Remote Desktop Services" user right, which is what actually authorizes the remote logon; a user who is in Remote Desktop Users but also appears in "Deny log on through Remote Desktop Services" will still be refused.

The authentication mechanism differs depending on whether the target machine is joined to an Active Directory domain, is a standalone workgroup machine or is joined directly to Entra ID. If the machine is domain-joined, it must also be able to reach a domain controller to authenticate the domain account used for the session.

Managing the Remote Desktop Users group

There are a few ways to manage membership of the Remote Desktop Users group. If an admin has local access to the machine (or a remote PowerShell session to it), they can use the Computer Management UI or the LocalAccounts PowerShell cmdlets. This is the simplest approach for managing access on a per-machine basis, though it does not scale to a fleet.

To manage Remote Desktop Users group membership with the UI, navigate to Start > Computer Management (compmgmt.msc) > Local Users and Groups > Groups. Next, open Remote Desktop Users and add the user or group that should receive access (Figure 1).

The 'Computer Management' page in Windows.
Figure 1. Configuring the Remote Desktop Users group through the Windows UI.

To manage access with PowerShell, run the following command in an elevated PowerShell window, replacing nameofaccount with the user or group to add (local accounts by name, domain principals as DOMAIN\name, Entra ID users on an Entra-joined device as AzureAD\user@tenant):

Add-LocalGroupMember -Group "Remote Desktop Users" -Member nameofaccount
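The one-liner above adds a single member. An added example of how a practitioner would script the same task for a change record (this is not code from the original article): it reconciles the group against an approved list, adds what is missing, optionally prunes anything not on the list, and prints the final membership. The account names, the CONTOSO domain and the tenant are placeholders; it assumes an elevated session on the target machine.

```powershell
# Added example, not from the original article: reconcile the local
# Remote Desktop Users group against an approved list. Run in an elevated
# PowerShell session on the target machine (or via Enter-PSSession).
# The account names, domain and tenant below are placeholders.

function Set-RdpGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Approved,   # full names, e.g. DOMAIN\group
        [switch] $Prune                                # also remove members not on the list
    )
    $Group = 'Remote Desktop Users'

    # Get-LocalGroupMember reports local accounts as COMPUTERNAME\name,
    # domain principals as DOMAIN\name and Entra ID users as AzureAD\upn.
    $current = @(Get-LocalGroupMember -Group $Group | Select-Object -ExpandProperty Name)

    foreach ($m in $Approved) {
        if ($current -contains $m) {
            Write-Verbose "Already present: $m"
            continue
        }
        if ($PSCmdlet.ShouldProcess($m, "Add to $Group")) {
            try {
                # -ErrorAction Stop turns a bad name or unreachable DC into a catchable error.
                Add-LocalGroupMember -Group $Group -Member $m -ErrorAction Stop
            } catch {
                Write-Warning "Could not add ${m}: $($_.Exception.Message)"
            }
        }
    }

    if ($Prune) {
        # Least privilege: anything not on the approved list loses RDP access.
        foreach ($stale in ($current | Where-Object { $Approved -notcontains $_ })) {
            if ($PSCmdlet.ShouldProcess($stale, "Remove from $Group")) {
                Remove-LocalGroupMember -Group $Group -Member $stale
            }
        }
    }

    # Final membership for the change record.
    Get-LocalGroupMember -Group $Group | Select-Object Name, ObjectClass, PrincipalSource
}

# Placeholders: a local helpdesk account, a domain group and an Entra ID user.
$approved = @(
    "$env:COMPUTERNAME\helpdesk01",
    'CONTOSO\RDP-Operators',
    'AzureAD\alice@contoso.com'
)

# Preview first, then apply with pruning.
Set-RdpGroupMembership -Approved $approved -WhatIf
Set-RdpGroupMembership -Approved $approved -Prune -Verbose
```

Run it with -WhatIf first so the prune step shows what it would remove. On Entra-joined devices, Get-LocalGroupMember is known to fail when the group holds an orphaned SID that can no longer be resolved; `net localgroup "Remote Desktop Users"` still lists the membership in that case.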

It's also possible to add an Entra ID group (for example, one containing the IT admins) to the Remote Desktop Users group on a selected collection of devices. To do this at scale, use the local user group membership policy in Microsoft Intune.

Open the Microsoft Intune admin center portal and navigate to Endpoint security > Account protection. From there, click Create Policy.

On the Create a profile page, choose Windows from the first drop-down menu and Local user group membership from the second drop-down menu (Figure 2). Then, click Create.

The 'Create a profile' page in the Microsoft Intune admin center portal.
Figure 2. Specifying the platform and profile type for a Remote Desktop Users group policy.

Specify a name for the policy, then in the configuration settings select Remote Desktop Users from the drop-down menu under Local group. Choose the action (Add (Update) adds to the existing membership, whereas Add (Replace) overwrites it, so use Update unless you intend to drop members added locally), select the users or groups that should be added, then specify any required scope tags and assign the policy to the appropriate group of devices (Figure 3).

The 'Create Policy' page in the Microsoft Intune admin center portal.
Figure 3. Configuring settings for a Remote Desktop Users group policy.

Once this policy is deployed, it can take 30 to 60 minutes for it to reach the machines at their next check-in. A sync can be forced from the device's Settings > Accounts > Access work or school page or from the device page in the admin center.

Managing RDP access for Azure VMs joined to Entra ID

The UI, PowerShell and Intune methods govern the local group on any Windows machine, including Azure VMs. However, if the Windows machine is an Azure VM joined to Entra ID and users sign in with their Entra ID credentials, RDP access requires an additional layer of authorization: Azure role-based access control (RBAC). Even if a user is in the Remote Desktop Users group, they might be unable to log on (Figure 4).

A Windows Security credentials error message.
Figure 4. Without the proper Azure role assignment, users might receive an error message when trying to log on.

For machines that are running in Azure and are joined to Entra ID, IT must assign the user one of two Azure roles, scoped to the VM. To do this, use Azure RBAC: go to Virtual machine > Access control (IAM) > Add role assignment, select either Virtual Machine User Login or Virtual Machine Administrator Login, and pick the user or group that needs access to the machine (Figure 5). Prefer Virtual Machine User Login unless the person genuinely needs local administrator rights on the VM, and scope the assignment to the individual VM rather than the resource group or subscription unless broad access is intended, because assignments at a higher scope are inherited by every VM beneath it.

The 'Add role assignment' page in Microsoft Azure.
Figure 5. Selecting a role assignment for a VM in Microsoft Azure.

The Entra ID login extension (AADLoginForWindows) on the VM then honours those role assignments at sign-in: a user holding Virtual Machine User Login gets a standard remote desktop session, and one holding Virtual Machine Administrator Login is treated as a local administrator. Because the check is evaluated against Azure RBAC, access is granted, reviewed and revoked centrally in Azure rather than by editing the local group on each VM, and because the sign-in is an Entra ID authentication, Conditional Access policies such as requiring MFA can be applied to it.
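The portal steps above, scripted with the Az PowerShell module, as an added example that is not part of the original article. It assumes Install-Module Az and Connect-AzAccount have already been run; the resource group, VM name and UPNs are placeholders.

```powershell
# Added example, not from the original article: assign the VM Login roles
# with the Az PowerShell module (Install-Module Az, then Connect-AzAccount).
# Resource group, VM name and the UPNs are placeholders.

$ResourceGroup = 'rg-jump-hosts'
$VmName        = 'vm-jump-01'

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# The roles are only enforced by the Entra ID login extension; without it
# users hit the Figure 4 error regardless of what is assigned.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName |
       Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }
if (-not $ext) {
    Write-Warning "AADLoginForWindows extension is not installed on $VmName"
}

# Least privilege: standard users get User Login; Administrator Login only
# for people who need local admin on the box. Scope is the single VM.
$assignments = @(
    @{ Upn = 'alice@contoso.com';     Role = 'Virtual Machine User Login' },
    @{ Upn = 'bob-admin@contoso.com'; Role = 'Virtual Machine Administrator Login' }
)

foreach ($a in $assignments) {
    # Skip if an equivalent assignment already applies (directly or inherited).
    $existing = Get-AzRoleAssignment -SignInName $a.Upn -RoleDefinitionName $a.Role -Scope $vm.Id
    if ($existing) {
        Write-Host "$($a.Upn) already has '$($a.Role)' on $VmName"
        continue
    }
    New-AzRoleAssignment -SignInName $a.Upn -RoleDefinitionName $a.Role -Scope $vm.Id | Out-Null
    Write-Host "Granted '$($a.Role)' to $($a.Upn) on $VmName"
}

# Access review: every VM Login assignment that applies to this VM,
# including ones inherited from the resource group or subscription.
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -like 'Virtual Machine * Login' } |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
```

The final query is the one to run during periodic access reviews: because Get-AzRoleAssignment with -Scope also returns inherited assignments, it surfaces broad grants made at the resource group or subscription level that would not be visible in the local Remote Desktop Users group at all.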

RDP access security considerations

Even after configuring who can access a machine through the Remote Desktop Users group, admins must ensure that the access path itself is secure. RDP has no built-in multifactor authentication (MFA): if an attacker obtains a user's password, RDP lets them use it directly. Ransomware operators routinely use exposed or weakly protected RDP both for initial access and to move laterally inside the infrastructure. At a minimum, keep Network Level Authentication enabled so that credentials are validated before a session is created, and never expose TCP 3389 directly to the internet.

Therefore, IT departments should put RDP behind a control that enforces MFA, such as a VPN with MFA, a Remote Desktop Gateway that requires MFA, Azure Bastion for Azure VMs, or Conditional Access on the VM sign-in for Entra-joined VMs.

IT should strictly limit access to only users and groups who require it for their job functions. This means regularly reviewing and auditing who has RDP access to machines and removing access for users who no longer need it. Admins can actively monitor RDP access using Windows Event Logs or a Security Information and Event Management (SIEM) platform such as Microsoft Sentinel. Active monitoring helps detect suspicious activity and potential security breaches.

In the Windows Security log, and in whichever SIEM ingests it, the following event IDs are the ones to watch:

  • Event ID 4624: An account was successfully logged on. For RDP sessions, filter on logon type 10 (RemoteInteractive). With Network Level Authentication enabled, a logon type 3 (network) entry for the credential check normally precedes the type 10 entry, and reconnecting to an existing session records logon type 7. While normal, a high volume of type 10 logons from unusual IP addresses or at unusual times could indicate compromise.
  • Event ID 4625: An account failed to log on. Frequent occurrences from a single source IP, especially across many different usernames, point to password guessing or spraying. Analyze the Failure Reason and Sub Status codes for more details; for example, 0xC000006A means the username exists but the password was wrong, and 0xC0000064 means the username does not exist.
  • Event ID 4634: An account was logged off. This event shows when the logon session ends; 4647 (user-initiated logoff) accompanies it when the user explicitly signs out.
  • Event ID 4776: The computer attempted to validate the credentials for an account. This is written for NT LAN Manager (NTLM) authentication, on the domain controller for domain accounts and on the machine itself for local accounts. Kerberos authentication of domain accounts appears on the domain controller as 4768 (ticket-granting ticket) and 4769 (service ticket) instead.
  • Event ID 4778: A session was reconnected to a Window Station. This event occurs when a user reconnects to an existing RDP session and records the client name and address used.
  • Event ID 4779: A session was disconnected from a Window Station. This event occurs when a user disconnects from an RDP session without logging off, which leaves the session and its processes running.
  • The Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log records the same session lifecycle as event IDs 21 (logon), 24 (disconnect) and 25 (reconnect), and Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event ID 1149 is written for each inbound RDP connection that passes network-level authentication. These are worth collecting when Security log auditing is not fully enabled.

SIEM platforms like Microsoft Sentinel let IT create custom rules and alerts to correlate event IDs with other security data, such as geolocation information, threat intelligence feeds and user behavior analytics. This enables sophisticated detection of anomalies. Examples of RDP access anomalies include the following:

  • Multiple failed RDP logon attempts followed by a successful one from a different IP address.
  • RDP logons from countries or regions where the organization does not operate.
  • Unusual RDP logon times for specific user accounts.
  • Spikes in RDP activity that deviate from baseline behavior.
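The first anomaly in the list above, a burst of failed logons followed by a successful RDP logon from the same source, is easy to check for directly on a host before it ever reaches a SIEM. The following is an added example written for this article rather than code from the original; the sample events are constructed, and Get-RdpLogonEvents shows how to project the same fields out of a live Security log.

```powershell
# Added example, not from the original article: detect a burst of failed
# logons followed by a successful RDP logon from the same source, using
# Security log events 4625 and 4624 (logon type 10). The sample events are
# constructed; Get-RdpLogonEvents pulls real ones from an elevated session.

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Id, Time, User, Ip, LogonType
        [int] $Threshold     = 5,                   # failures from one IP before alerting
        [int] $WindowMinutes = 10
    )
    foreach ($src in ($Events | Group-Object Ip)) {
        $failures  = @($src.Group | Where-Object { $_.Id -eq 4625 })
        $successes = @($src.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
        foreach ($ok in $successes) {
            # Failures from this source in the window immediately before the success.
            $recent = @($failures | Where-Object {
                $_.Time -le $ok.Time -and $_.Time -ge $ok.Time.AddMinutes(-$WindowMinutes)
            })
            if ($recent.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp   = $src.Name
                    Failures   = $recent.Count
                    UsersTried = ($recent.User | Sort-Object -Unique) -join ','
                    SuccessAt  = $ok.Time
                    LoggedOnAs = $ok.User
                }
            }
        }
    }
}

function Get-RdpLogonEvents {
    # Live host (elevated): project the fields the detector needs. With NLA
    # on, failures arrive as 4625 with logon type 3; the session is 4624 type 10.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id = $_.Id; Time = $_.TimeCreated; User = $d['TargetUserName']
                Ip = $d['IpAddress']; LogonType = [int]$d['LogonType']
            }
        }
}

# Constructed sample: six password-spray failures, then a type-10 success
# from the same IP two minutes later, plus one benign logon from elsewhere.
$t0 = Get-Date '2024-05-01T02:00:00'
$sample = @(
    foreach ($i in 0..5) {
        [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds(10 * $i); User = "user$i"; Ip = '203.0.113.7'; LogonType = 3 }
    }
    [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(2); User = 'svc-backup'; Ip = '203.0.113.7'; LogonType = 10 }
    [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(3); User = 'alice';      Ip = '10.0.0.5';    LogonType = 10 }
)

Find-RdpBruteForce -Events $sample | Format-Table

# On a live host: Find-RdpBruteForce -Events (Get-RdpLogonEvents -Hours 24) | Format-Table
```

Against the constructed sample this reports a single row for 203.0.113.7 with six failures across user0 to user5 before the svc-backup logon, and says nothing about alice's logon from 10.0.0.5. The same grouping logic is what a Sentinel analytics rule would express in KQL over SecurityEvent; the host-side version is useful for incident triage on a machine that is not yet forwarding its logs.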

Regularly reviewing these logs and configuring appropriate alerts within the SIEM platform is vital for maintaining the security of the RDP infrastructure and detecting potential threats promptly.

Effective management of the Remote Desktop Users group is essential for controlling who can access Windows systems remotely. Whether access is configured locally, through Intune or through Azure RBAC, organizations must pair access management with strong security controls. Limiting RDP exposure, enforcing MFA and continuously monitoring logon activity are key steps in reducing risk. By combining proper group configuration with layered security, IT teams can maintain operational flexibility without expanding the attack surface.

Marius Sandbu is a cloud evangelist for Sopra Steria in Norway who mainly focuses on end-user computing and cloud-native technology.
