Configuring Remote Desktop Using Group Policy

You can also use Group Policy to manage some aspects of how Remote Desktop works. You can find the policy settings for managing Remote Desktop in two locations:

  • Per-computer policy settings can be found under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services
  • Per-user policy settings can be found under User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services

The table below lists Group Policy settings that affect Remote Desktop. Policies that were introduced earlier in Windows Vista are marked with an asterisk (*), and policies that are new in Windows 7 are marked with two asterisks (**). (Additional policy settings found in these locations apply only to Remote Desktop Session Hosts or only when an RDC client is used to connect to a Remote Desktop Session Host.) If a computer policy setting and a user policy setting are identical, the computer setting takes precedence if it is configured.

To use the Group Policy settings in this table, configure them in a GPO linked to an OU where the host computers (the computers that have Remote Desktop enabled) are located. For additional Group Policy settings that affect Remote Desktop, see the section titled "Enabling Remote Desktop Using Group Policy" earlier in this tutorial.

Note: The folder layout of the Group Policy settings for Remote Desktop Services (under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services and User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services) has been reorganized in Windows 7 for ease of discoverability, but the registry keys are still the same. All policy settings common to both Windows Vista and Windows XP, even if located under different folders, will still be applied to all computers in the targeted OU.

Group Policy Settings That Affect Remote Desktop

| Folder | Policy Setting | Notes |
|---|---|---|
| Remote Desktop Connection Client | Do Not Allow Passwords To Be Saved | Prevents users from saving their credentials in the RDC client. Windows Vista saves the password using Credential Manager instead of saving it within the *.rdp file as in earlier versions of Windows. |
| Remote Desktop Session Host\Connections | Automatic Reconnection | Enables RDC clients to attempt to automatically reconnect when underlying network connectivity is lost. |
| | Allow Users To Connect Remotely Using Remote Desktop Services | Enables Remote Desktop on the targeted computer. |
| | Deny Logoff Of An Administrator Logged In To The Console Session | Prevents an administrator on the client computer from bumping an administrator off of the host computer. |
| Remote Desktop Session Host\Device and Resource Redirection | Allow Audio And Video Playback Redirection | Enables redirection of the remote computer's audio and video output in a Remote Desktop session. (This policy was named Allow Audio Redirection in Windows Vista and earlier versions.) |
| | Allow Audio Recording Redirection | Enables recording of audio to the remote computer during a Remote Desktop session. |
| | **Limit Audio Playback Quality | Enables limiting of audio quality to improve the performance of a Remote Desktop session over a slow link. |
| | Do Not Allow Clipboard Redirection | Prevents sharing of a clipboard. |
| | Do Not Allow COM Port Redirection | Prevents redirection of serial port devices. |
| | Do Not Allow Drive Redirection | Prevents redirection of disk drive resources. |
| | Do Not Allow LPT Port Redirection | Prevents redirection of parallel port devices. |
| | *Do Not Allow Supported Plug And Play Device Redirection | Prevents redirection of supported PnP media players and digital cameras. |
| | Do Not Allow Smart Card Device Redirection | Prevents redirection of smart card readers. |
| Remote Desktop Session Host\Printer Redirection | Do Not Set Default Client Printer To Be Default Printer In A Session | Prevents users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. |
| | Do Not Allow Client Printer Redirection | Prevents the client default printer from automatically being set as the default printer for the Remote Desktop session. |
| Remote Desktop Session Host\Remote Session Environment | Limit Maximum Color Depth | Enables specifying a maximum color depth to improve performance of a Remote Desktop session over a slow link. |
| | **Limit Maximum Display Resolution | Enables specifying a maximum display resolution to improve performance of a Remote Desktop session over a slow link. |
| | **Limit Maximum Number Of Monitors | Enables specifying a maximum number of monitors to improve performance of a Remote Desktop session over a slow link. |
| | **Optimize Visual Experience For Remote Desktop Services Sessions | Enables optimizing the Remote Desktop session for either multimedia or text. |
| | Enforce Removal Of Remote Desktop Wallpaper | Prevents wallpaper from being displayed in the Remote Desktop session. |
| | Remove "Disconnect" Option From Shut Down Dialog | Removes the Disconnect button from the Start menu but doesn't prevent the remote user from disconnecting the session using other methods. |
| Remote Desktop Session Host\Security | Set Client Connection Encryption Level | Specifies the level of encryption used to protect RDP traffic between the client and host computers. The options available are High (128-bit), Low (56-bit), and Client Compatible (highest encryption level supported by the client). When this policy setting is Not Configured, the default encryption level used is Client Compatible. |
| | Always Prompt For Password Upon Connection | Requires remote users to always enter a password to establish a Remote Desktop session with the targeted computer. |
| | *Require Use Of Specific Security Layer For Remote (RDP) Connections | Specifies whether the client should attempt to authenticate the host computer during establishment of the Remote Desktop session. The options available are: RDP, which means that no computer-level authentication is required; SSL (TLS 1.0), which means that the client tries to use Kerberos or certificates to authenticate the host computer, and if this fails, the session is not established; Negotiate, which first attempts to authenticate the host using Kerberos or certificates, and if this fails, the session is still established. When this policy setting is Not Configured, the default authentication method used is Negotiate. |
| | *Require User Authentication For Remote Connections By Using Network Level Authentication | |
| | *Server Authentication Certificate Template | Requires client computers to be running Windows Vista or Windows XP SP2 with the downloadable RDC 6.0 client installed. (This policy was named Require User Authentication Using RDP 6.0 For Remote Connections in Windows Vista and earlier versions.) |
| Remote Desktop Session Host\Session Time Limits | Terminate Session When Time Limits Are Reached | Forcibly logs the remote user off of the Remote Desktop session when the session time limit has been reached. |
| | Set Time Limit For Disconnected Sessions | Forcibly logs the remote user off of the Remote Desktop session when the session time limit for disconnected sessions has been reached. |
| | Set Time Limit For Active But Idle Remote Desktop Services Sessions | Specifies a time limit for no activity in Remote Desktop sessions. When the time limit is reached, the session is disconnected, but the remote user is not logged off. If, however, the Terminate Session When Time Limits Are Reached policy is enabled, the user is disconnected and then forcibly logged off. |
| | Set Time Limit For Active Remote Desktop Services Sessions | Specifies a time limit for Remote Desktop sessions. When the time limit is reached, the session is disconnected, but the remote user is not logged off. If, however, the Terminate Session When Time Limits Are Reached policy is enabled, the user is disconnected and then forcibly logged off. |
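
Because the registry keys behind these policies are the same across versions, the security-related settings in the table can be checked on a host by reading them directly. The PowerShell below is an added example, not part of the original tutorial; the registry path, the value names and their numeric encodings, and the Baseline column are assumptions of this example.

```powershell
# Added example: decode the per-computer Remote Desktop security policies on this host.
# Assumed (not from the tutorial): registry path, value names, numeric encodings, Baseline.
$RdpPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$OnOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }

$RdpChecks = @(
    @{ Policy = 'Set Client Connection Encryption Level'; Value = 'MinEncryptionLevel'
       Map = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High' }
       Default = 'Client Compatible'; Baseline = 'High' },
    @{ Policy = 'Require Use Of Specific Security Layer'; Value = 'SecurityLayer'
       Map = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
       Default = 'Negotiate'; Baseline = 'SSL (TLS 1.0)' },
    @{ Policy = 'Require User Authentication ... Network Level Authentication'
       Value = 'UserAuthentication'
       Map = $OnOff; Default = 'Local setting'; Baseline = 'Enabled' },
    @{ Policy = 'Always Prompt For Password Upon Connection'; Value = 'fPromptForPassword'
       Map = $OnOff; Default = 'Local setting'; Baseline = 'Enabled' },
    @{ Policy = 'Do Not Allow Drive Redirection'; Value = 'fDisableCdm'
       Map = $OnOff; Default = 'Local setting'; Baseline = 'Enabled' },
    @{ Policy = 'Do Not Allow Clipboard Redirection'; Value = 'fDisableClip'
       Map = $OnOff; Default = 'Local setting'; Baseline = 'Enabled' }
)

function Get-RdpPolicyReport {
    param([string]$Path = $RdpPolicyKey)
    # The key is absent when no Remote Desktop policy has been applied to the computer.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($c in $RdpChecks) {
        $raw = $null
        if ($props) { $raw = $props.($c.Value) }
        if ($null -eq $raw) {
            # Not Configured: report the default instead of a decoded value.
            $state = 'Not Configured'; $effective = $c.Default
        } else {
            $state = 'Configured'; $effective = $c.Map[[int]$raw]
            if (-not $effective) { $effective = "Unrecognized value $raw" }
        }
        New-Object PSObject -Property @{
            Policy = $c.Policy; State = $state; Effective = $effective
            Baseline = $c.Baseline; MeetsBaseline = ($effective -eq $c.Baseline)
        }
    }
}

Get-RdpPolicyReport |
    Select-Object Policy, State, Effective, Baseline, MeetsBaseline |
    Format-Table -AutoSize
```

For the encryption level and security layer rows, a Not Configured state reports the defaults given in the table (Client Compatible and Negotiate); for the on/off policies it means the host's local setting decides.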