Remotely add a domain user to the local machine’s remote desktop group (Win7)
So here’s another problem that I’ve run into at work, that I just wasn’t able to find a good resource to answer, so I’ll go ahead and post my workaround so that it might help someone, or myself sometime later.
Let me first explain the problem I was running into so that you get an idea of why and how this happened.
I work for a managed service provider, and we were just getting ready to migrate them away from their old POP3 email to Office 365’s hosted Exchange server, and at the same time we were replacing about 20 PCs.
The computers were built in house, and most of the work, adding updates, software, users, and enabling remote desktop etc was done locally before the computers got delivered to the remote offices as well.
The computers were delivered and installed, and everything was going fine: their old email was set up in Outlook, and they were able to connect to the main remote desktop server running a few select pieces of software just fine. Sweet!
A week goes by and it’s time to start making sure all of my ducks are in a row before pushing out the new settings for Outlook to connect to the new email service, so I tried to use remote desktop (RDP herein) just to test it out. I get an error along the lines of:
To log on to this computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right…
Now first, understand I was logged in as a domain admin. This error was definitely unexpected.
I try logging in as the local machine’s admin account, and get the same error message. Now I’m starting to get worried. These remote offices are not exactly close, and I really don’t want to spend the next 2 days running all over the place to add the user to the local machine’s Remote Desktop Users group, but it’s starting to look like that’s what’s going to have to be done, as I can’t just call the end-user, give them the local admin’s login info, then have them start a TeamViewer session so that I can add the users to the local RDP group.
But wait! Now I remember, there’s a “Run As” option in windows!
We’re going to need some kind of remote access to the machine to get this configured, so I call the user and have them run the TeamViewer QuickSupport app (no, I don’t get paid by them, I just really love the service!) while still logged in as the domain user.
Then here’s the workaround.
Click the Start button, type in powershell, but DON’T click it yet!
Hold down “Shift” then right-click it. You should see an option for “Run As a different user”
Then you will get a login prompt!
Sweet! Go ahead and enter your creds.
This will open a PowerShell prompt as the user you just entered the creds for (in my case the domain admin). Neat! Now I just need to open the local machine’s users and groups settings to add the users. Type in “lusrmgr”.
This will open a window I hope you’re familiar with.
Now you should be able to add users the same way you usually do! Nice!
If you need a hand actually adding the users to the RDP group, I’ll go ahead and finish walking you through adding a user, but for everyone else, you should be good to go! Enjoy!
To add someone to the RDP group, first click Groups in the left side window (1) in the Local Users and Groups window, then in the main window section, double-click Remote Desktop Users (2).
From this next window, Click Add:
This will open up another window. If you already know the names, go ahead and start typing them in, then click “Check names” (1) and “OK”; this will add a user. I don’t usually know all the names, so I go this route:
Click “Advanced…” (2)
Then hit the “Find Now” button to populate the list with all of the members and groups of your domain (I’ve already done this in the following picture).
Select all of the users and groups you want added and click “OK” and voilà! They’ve now been added to the local machine’s Remote Desktop Users group, remotely, and without giving up the admin’s account info to the end-user! Yea! You should now be able to log in to that machine as the users you selected, disconnect your TeamViewer session, and continue administering that machine via RDP like you wanted to before.
Also a side note: I don’t believe that Windows XP had the command “lusrmgr”, so you might need some tweaking of this to make it work for you. But then again, it’s time to upgrade if you’re still using XP anyway. End-of-life support for XP is April 8, 2014, just in case you needed to start thinking of that!
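The same group change can also be made from the PowerShell window opened with “Run as different user”, without clicking through lusrmgr. The script below is an added example, not part of the original walkthrough. It uses the ADSI WinNT provider, which works on the PowerShell 2.0 that ships with Windows 7. The domain CONTOSO and the account names are constructed placeholders, and it assumes the prompt is running with local administrator rights (elevated, if UAC is on).

```powershell
# Added example. CONTOSO, jsmith and Helpdesk-RDP are constructed placeholders.
$GroupName = 'Remote Desktop Users'
$Domain    = 'CONTOSO'
$Accounts  = @('jsmith', 'Helpdesk-RDP')   # specific users or domain groups only

function Get-GroupMemberPaths {
    # Returns the ADsPath of every current member, e.g. WinNT://CONTOSO/jsmith
    param($Group)
    @($Group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Bind to the local group on the machine the prompt is running on.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
$before = @(Get-GroupMemberPaths $group)

foreach ($name in $Accounts) {
    $path = "WinNT://$Domain/$name"
    if ($before -contains $path) {
        # -contains is case-insensitive, so CONTOSO/JSmith matches too.
        Write-Host "Already a member: $Domain\$name"
        continue
    }
    try {
        $group.psbase.Invoke('Add', $path)
        Write-Host "Added: $Domain\$name"
    } catch {
        # Typical causes: prompt not elevated, or the account name does not resolve.
        Write-Warning "Could not add $Domain\${name}: $($_.Exception.Message)"
    }
}

# Re-read the group so the final list reflects what is actually stored.
Write-Host "`nCurrent members of '$GroupName' on ${env:COMPUTERNAME}:"
Get-GroupMemberPaths ([ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group")
```

The final listing doubles as a quick audit: anything in it that you did not expect to have RDP logon rights on that machine is worth removing while you are connected.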