How do I use group policy in AWS Managed Microsoft AD or Simple AD to allow domain users RDP access to an EC2 Windows instance?

3 minute read

My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance is joined to AWS Directory Service for Microsoft Active Directory or Simple Active Directory (Simple AD). I want to allow domain users Remote Desktop Protocol (RDP) access for the instance. When I try to use the built-in Remote Desktop Users group as a domain user to connect, I receive the following message: "The connection was denied because the user account is not authorized for remote login."

Short description

AWS Managed Microsoft AD and Simple AD don't allow you to add domain users to the built-in Remote Desktop Users domain group. Instead, use the built-in Admin account to create a Group Policy Object (GPO), and then apply the policy to the delegated computers.

Note: The GPO applies to all computers in the organizational unit (OU) that the policy is linked to. If you use the following procedure to add a user to the group, then the user has RDP access to any computer in the OU.

Resolution

Prerequisite:

Join an EC2 Windows instance (Windows Server 2012 R2 or later) to a Simple AD or AWS Managed Microsoft AD directory.
Install the Active Directory tools on the instance.

Allow domain users RDP access to an EC2 Windows instance

To allow domain users RDP access to the domain joined Windows instances, complete the following steps:

Use RDP to connect to your Windows EC2 instance.
Create a user. If you need more than one user, then repeat this step.
Create a security group. Note the security group name for a later step.
Add the new users to the new security group.
Open Group Policy Management. Select your domain's Forest, expand Domains, and then expand your domain name.
Expand your delegated OU, the NetBIOS name of the directory. Open the context menu for Computers, and then choose Create a GPO in this domain, and Link it here.
For Name, enter a name, and then choose Ok.
In the navigation pane, expand Computers. Open the context menu for the policy, and then choose Edit.
In the navigation pane, under Computer Configuration, expand Preferences, and then expand Control Panel Settings.
Open the context menu for Local Users and Groups.
Choose New, and then choose Local Group.
For Group name, choose Remote Desktop Users (built-in), and then choose Add.
For Name, enter the name of the security group that you created, and then choose OK. Or, open the context menu, enter the security group name, and then choose Check names.
Choose OK.

The policy updates your environment at the next policy refresh interval. To force the policy to apply immediately, run the gpupdate /force command on the target server.

Related information

AWS Managed Microsoft AD

Simple AD

Manage users and groups in AWS Managed Microsoft AD

Topics

Security, Identity, & Compliance

Relevant content

Find old Forum Thread ID for migrating our Simple AD to a new AWS Managed Microsoft AD
MrPRSTO
asked 2 years ago
Is there a way to migrate directory services from Simple AD to AWS Managed Microsoft AD?
Alexander JP
asked 2 years ago
Joining an AWS Managed Microsoft AD to an existing domain
Accepted Answer
janusbarinan
asked 3 years ago
Can new ADMX Policy Template be imported to Simple AD or Managed AD?
Accepted Answer
Iaac
asked 3 years ago
AWS MANAGED MICROSOFT AD
AWS-User-0765722
asked 2 years ago
Can I use AWS Managed Microsoft AD to authenticate users in QuickSight?
AWS OFFICIALUpdated 2 months ago
How do I create a trust relationship between AWS Managed Microsoft AD and my existing on-premises AD domain?
AWS OFFICIALUpdated a year ago
How can I manage an AWS Managed Microsoft AD or Simple AD directory from an Amazon EC2 Windows instance?
AWS OFFICIALUpdated 2 years ago
How do I synchronize time between Windows domain-joined instances and AWS Managed Microsoft AD?
AWS OFFICIALUpdated 6 months ago
Microsoft Licensing on AWS
EXPERT
Gayathri Krishnamoorthy
published a year ago