Ensuring that Remote Desktop is enabled (or disabled) centrally through Group Policy is the way to go for Windows Servers. IT pro Rick Vanover shows how in this tip.
Any time I can set something to be centrally managed, I’ll do it. Group Policy is the best way to do that for Windows Servers, and we can configure Remote Desktop within Group Policy. The good news is that it is really easy to deploy for a computer account, and can be done centrally with a Group Policy Object that applies to computer accounts.
Within Group Policy, navigate to the Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Session Host | Connections section; here, you can set the “Allow users to connect remotely using Remote Desktop Services” value to be enabled. This configuration is shown in Figure A.
Figure A
For scaling reasons, there are a few ways to push this GPO to server computer accounts. We can push it to the entire domain, an organizational unit (OU), or simply a security group. I prefer the security group deployment mechanism. This is done through GPO filtering, which is explained in this blog post. Applying it to an entire domain is not really a good idea, but a designated OU can make sense, depending on the granularity of the OU. The smallest Active Directory environments can deploy via OU, but larger environments should consider putting the computer account in a security group that has the GPO filtered to it.
Additional options for how Remote Desktop will behave can be configured in this area of Group Policy. This includes the ability to disable indirect file transfer through drive redirection, designate licensing servers, or specify how many connections will be permitted on the server.
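The deployment described above can also be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original tip: the GPO name, OU path, security group name and connection limit are assumptions to replace with your own, and the registry value names are the ones these Administrative Template settings write under the Terminal Services policy key.

```powershell
# Added example: build the Remote Desktop GPO and filter it to a security group.
# Run from a machine with the GroupPolicy module (RSAT / GPMC) as a GPO admin.
Import-Module GroupPolicy

$GpoName  = 'Servers - Remote Desktop'          # hypothetical GPO name
$TargetOU = 'OU=Servers,DC=example,DC=com'      # hypothetical OU holding the servers
$Group    = 'RDP-Enabled-Servers'               # hypothetical group of computer accounts
$TsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

New-GPO -Name $GpoName -Comment 'Central Remote Desktop configuration' | Out-Null

# "Allow users to connect remotely using Remote Desktop Services" = Enabled
# (0 = connections allowed, 1 = connections denied)
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'fDenyTSConnections' `
    -Type DWord -Value 0 | Out-Null

# "Do not allow drive redirection" = Enabled (blocks file transfer via mapped drives)
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'fDisableCdm' `
    -Type DWord -Value 1 | Out-Null

# "Limit number of connections" = 2 (illustrative value)
Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'MaxInstanceCount' `
    -Type DWord -Value 2 | Out-Null

# Security filtering: only members of $Group apply the GPO.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Downgrade Authenticated Users from Apply to Read. Keep Read in place:
# computers must still be able to read the GPO for it to be processed.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link to the OU; filtering above narrows it to the group's members.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Review what was written and who can apply it.
Get-GPRegistryValue -Name $GpoName -Key $TsKey | Select-Object ValueName, Value
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
```

On a targeted server, `gpupdate /force` followed by `gpresult /r /scope computer` confirms that the GPO was applied; a computer newly added to the security group needs a restart before its group membership takes effect.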
Have you deployed Remote Desktop configuration centrally through Group Policy? What additional settings have you deployed? Share your comments below.