How do I allow domain users RDP access to an EC2 Windows instance using group policy in AWS Managed Microsoft AD?
Last updated: 2020-12-14
My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance is joined to an AWS Directory Service for Microsoft Active Directory directory. I want to allow domain users Remote Desktop Protocol (RDP) access for the instance. When I try to connect using the built-in Remote Desktop Users group as a domain user, I receive the following message: "The connection was denied because the user account is not authorized for remote login." How can I fix this?
AWS Managed Microsoft AD doesn't allow you to add domain users to the built-in Remote Desktop Users domain group. Instead, you can use the built-in Admin account to create a Group Policy Object (GPO), and then apply the policy to the delegated computers.
Note: The GPO applies to all computers in the Organizational Unit (OU) that the policy is linked to. Any users that you add to the group using the following procedure will have RDP access to any computer in the OU.
Before you start:
- Join an EC2 Windows instance (Windows Server 2012 R2 or later) to a Simple AD or AWS Managed Microsoft AD directory.
- Install the Remote Server Administration Tools (RSAT) and Group Policy Management console on the instance.
To allow domain users RDP access to the domain-joined Windows instances, follow these steps:
1. Connect to your Windows EC2 instance using RDP.
2. Create a domain user. Repeat this step if you need more than one user.
3. Create a security group. Note the security group name for a later step.
4. Add the new users to the new security group.
5. Open Group Policy Management. Select your domain's Forest, expand Domains, and then expand your domain name.
6. Expand your delegated OU (NetBIOS name of the directory). Open the context (right-click) menu for Computers, and then choose Create a GPO in this domain, and Link it here.
7. For Name, enter a name, and then choose OK.
8. In the navigation pane, expand Computers. Open the context (right-click) menu for the policy, and then choose Edit.
9. In the Computer Configuration section of the navigation pane, expand Preferences, Control Panel Settings.
10. Open the context (right-click) menu for Local Users and Groups, and then choose New, Local Group.
11. For Group name, choose Remote Desktop Users (built-in), and then choose Add.
12. For Name, enter the name of the security group that you created in step 3, and then choose OK.
This policy updates your environment at the next policy refresh interval. To force the policy to apply immediately, run the gpupdate /force command on the target server.
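The directory-side parts of the procedure above (creating the user and security group, creating and linking the GPO, and verifying the result on a target server) can be scripted with the ActiveDirectory and GroupPolicy RSAT modules. This is an added example, not code from the AWS article; it assumes the delegated OU is named after the directory's NetBIOS name and contains the Users and Computers OUs, and the user, group and GPO names are placeholders.

```powershell
# Added example: scripts the directory-side steps of the procedure above.
# Run on the domain-joined instance as the directory Admin account.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
# Assumption: the delegated OU is named after the NetBIOS name of the
# directory and holds the Users and Computers OUs.
$usersOU     = "OU=Users,OU=$netbios,$domainDN"
$computersOU = "OU=Computers,OU=$netbios,$domainDN"
$rdpGroup    = "RDP-Allowed-Users"          # placeholder group name
$gpoName     = "Allow RDP for domain users" # placeholder GPO name

# Create the domain user. Prompt for the password so it is never stored in the script.
$password = Read-Host -Prompt "Password for new user" -AsSecureString
New-ADUser -Name "rdpuser1" -SamAccountName "rdpuser1" -Path $usersOU `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true

# Create the security group that the GPO will add to the local
# Remote Desktop Users group, then add the user to it.
New-ADGroup -Name $rdpGroup -SamAccountName $rdpGroup -GroupScope Global `
    -GroupCategory Security -Path $usersOU
Add-ADGroupMember -Identity $rdpGroup -Members "rdpuser1"

# Create the GPO and link it to the delegated Computers OU. Every computer
# under this OU receives the policy, so its members get RDP to all of them.
New-GPO -Name $gpoName -Comment "Adds $netbios\$rdpGroup to local Remote Desktop Users" | Out-Null
New-GPLink -Name $gpoName -Target $computersOU -LinkEnabled Yes | Out-Null

# The Group Policy Preferences "Local Group" item has no cmdlet in the
# GroupPolicy module; finish that part in the GPMC editor as described above.

# Verification on a target server after "gpupdate /force": the domain group
# should now appear as a member of the local Remote Desktop Users group.
Get-LocalGroupMember -Group "Remote Desktop Users" |
    Where-Object { $_.Name -eq "$netbios\$rdpGroup" }
```

If the verification returns nothing, check that the server's computer object sits under the linked Computers OU and that gpresult /r /scope:computer lists the GPO as applied.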