I need to be able to grant (and revoke) local, non-administrator users' access to a Windows 7 system in an automated fashion (i.e. not by using the System Properties control panel). Script, batch, registry file, or what have you is fine.
I had thought this was as simple as adding the user to a "Remote Desktop" group (via, say, NET LOCALGROUPS), but the systems don't seem to have one.
Any ideas?
To add the user jscott to the group Remote Desktop Users:
net localgroup "Remote Desktop Users" jscott /ADD
If you're in an Active Directory domain environment, you can simply add a domain group (e.g., "Desktop Remote Users", or the like) to the local Remote Desktop Users group. Have a look at Group Policy Restricted Groups to manage these memberships. You can then manage the members of the domain group without having to update the workstations.
If the local group is missing, you will need to recreate it and assign it permissions. Create the group (NET LOCALGROUP "Remote Desktop Users" /ADD), then open the local security policy editor (secpol.msc) and grant the group "Allow log on through Remote Desktop Services". You can also do this via Group Policy in a domain environment. I would be curious to know how this group disappeared, if it was not just deleted. Perhaps another SF'er will know.
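A scripted grant/revoke built on the net localgroup commands from the answers above, as an added example that is not part of the original posts. The function name Set-RdpAccess and its parameters are hypothetical; the group is looked up by its well-known SID (S-1-5-32-555) so a missing or localized group is detected before any change is made.

```powershell
# Added example: Set-RdpAccess and its parameters are hypothetical names.
# Run elevated. Avoids cmdlets newer than PowerShell 2.0 (the Windows 7 default).
function Set-RdpAccess {
    param(
        [Parameter(Mandatory = $true)][string]$User,  # "jscott" or "STUFF\jscott"
        [switch]$Revoke
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # Resolve the built-in group by SID so a localized group name is found too.
    try {
        $groupSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
        $groupName = $groupSid.Translate($ntType).Value.Split('\')[-1]
    } catch {
        throw 'Built-in Remote Desktop Users group (S-1-5-32-555) not found on this machine.'
    }

    # Fail early on a typo: Translate throws if the account does not exist.
    $userSid = (New-Object System.Security.Principal.NTAccount $User).Translate($sidType).Value

    # Compare SIDs rather than names so "jscott" and "PC\jscott" match the same member.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $memberSids = @($group.psbase.Invoke('Members') | ForEach-Object {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    })
    $isMember = $memberSids -contains $userSid

    # Idempotent: do nothing when the requested state is already in place.
    if ($Revoke -and -not $isMember) { return "unchanged: $User is not in '$groupName'" }
    if (-not $Revoke -and $isMember) { return "unchanged: $User is already in '$groupName'" }

    $action = if ($Revoke) { '/DELETE' } else { '/ADD' }
    & net.exe localgroup $groupName $User $action | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    if ($Revoke) { "revoked: $User" } else { "granted: $User" }
}

# Constructed usage, reusing the account name from the answer above:
# Set-RdpAccess -User jscott
# Set-RdpAccess -User jscott -Revoke
```

Group membership is evaluated at logon, so a revoke blocks new Remote Desktop logons but does not end a session the user already has open.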
To change the security policy through the GUI, follow these steps: click the Start button, Control Panel, Administrative Tools, Computer Management, "Local Users and Groups", Groups, Remote Desktop Users.
This window will list all the users that have remote access to the computer. If you don't see the username you want to use to log in to the computer remotely, then click the "Add" button.
Next, type the username. For domain users, be sure to include the domain in the username you add (i.e., if your domain is STUFF, you'd enter STUFF\username, or just username if no domain). Then click Apply.