-->
- Windows 10 Pro Multi User Remote Desktop On Windows 7
- Windows 10 (pro) Multiple Remote Desktop (rdp)
- Windows 10 Professional Remote Desktop
Applies to
Windows 10; Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. For instance, you want simultaneous 2 Remote Desktop connections for Administrator user. This can be achieved by setting up the Terminal Server settings in the Windows registry editor. Below is the step by step guide to perform the registry changes to allow multiple RDP sessions for the single user. Login to your server via Remote Desktop.
Remote desktop is just a single desktop not multiple desktops. IF you want this capability you have to use Remote desktop services but that requires Windows Server and and not Windows 10 but that's pretty extreme. Mar 18, 2019 Suppose, you want to connect from a server running Windows Server 2012 R2 to the desktop of a user working locally on a workstation running Windows 10 Pro. In order to establish shadow connection to a user session, you must use the standard RDP tool mstsc.exe.
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
Reference
This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
Constant: SeRemoteInteractiveLogonRight
Possible values
- User-defined list of accounts
- Not Defined
Best practices
- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.
Location
Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment
Default values
By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers.The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
|---|---|
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Domain Controller Local Security Policy | Administrators |
| Stand-Alone Server Default Settings | Administrators Remote Desktop Users |
| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators Remote Desktop Users |
| Client Computer Effective Default Settings | Administrators Remote Desktop Users |
Policy management
This section describes different features and tools available to help you manage this policy.
Group Policy
To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the Allow log on through Remote Desktop Services right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server.
To exclude users or groups, you can assign the Deny log on through Remote Desktop Services user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the Allow log on through Remote Desktop Services user right.
For more information, see Deny log on through Remote Desktop Services.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
Countermeasure
For domain controllers, assign the Allow log on through Remote Desktop Services user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
Caution: For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
Alternatively, you can assign the Deny log on through Remote Desktop Services user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the Deny log on through Remote Desktop Services user right.
Potential impact
Removal of the Allow log on through Remote Desktop Services user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
Related topics
This blog post introduces Windows 10 Enterprise multi-session as a new Remote Desktop Session Host (RDSH) exclusively for Windows Virtual Desktop. It also provides step-by-step instructions on how to create a Windows 10 multi-session template from the Parallels® Remote Application Server (RAS) Console.
In addition to supporting multiple concurrent interactive sessions, there are additional differences between Windows 10 Enterprise multi-session and other Windows 10 single-session versions. The main features of Windows 10 Enterprise multi-session are listed below:
- Availability and support: Windows 10 Enterprise multi-session can be found in the Azure Gallery, and it is available through the Azure Windows Virtual Desktop service and from the Parallels RAS Console, which is able to read the marketplace images. Microsoft does not support it on non-Azure deployments.
- License eligibility: An eligible Windows or Microsoft 365 license provides access to Windows 10 Enterprise desktops and applications. Organizations can use existing per-user Windows licensing instead of Remote Desktop Services (RDS) Client Access Licenses (CALs). View a full list of applicable licenses.
- Session limits: There are no limits regarding how many interactive sessions can be active over a host simultaneously. This number will be estimated by administrators analyzing the host’s resources as well as the system’s workload, which is generated by the applications running concurrently.
- Compatibility: It reports Windows Server as ProductType, meaning that this OS is compatible with management tools, OS optimizations and applications that have already been used for RDSH environments.
- Profiles: Microsoft recommends the use of FSLogix Profile Containers when using this OS in non-persistent environments that need a centrally stored profile.
Enable Windows Virtual Desktop Integration in Parallels RAS
Parallels RAS extends and enriches Windows Virtual Desktop capabilities by integrating all virtual workloads and resources centrally. However, Windows Virtual Desktop integration is not enabled by default. To enable it from the Parallels RAS Console, follow the subsequent steps:
1. Navigate to Farm > Site > Settings, select the Features tab and locate the Windows Virtual Desktop section at the bottom of the page.
2. Check the Enable WVD management checkbox.
3. Click Download to get the current version of WVD Agent and BootLoader, saving them on either the Publishing Agent or a Network share. Once both are downloaded successfully, Status is marked as Available and the Current Version is displayed, as shown in the screenshot above.
4. The Client feature set selection specifies which client features will be available when a published resource in Parallels Client is opened.
Windows 10 Pro Multi User Remote Desktop On Windows 7
Prior to creating a Windows 10 multi-session template, administrators must configure the connection between their Parallels RAS setup and an Azure Subscription by adding a new Windows Virtual Desktop provider. A Microsoft Azure Tenant ID, Subscription ID, Application ID, and a secret key need to be provided.
Windows 10 (pro) Multiple Remote Desktop (rdp)
Once the provider has been added, navigate to Farm > Site > Windows Virtual Desktop, select the Templates tab and click (+) to open the Create Parallels Template Wizard.
1. On the first page, select Windows Virtual Desktop as the Provider and choose Multi-session as the Template Type. Then, click Next.
2. On the Template Source page, select any of the available Windows 10 Enterprise multi-session versions from the Azure Gallery window. Enter the credentials for the Local administration account. Click >Next.
The Custom host option for Source displays a list of pre-created virtual machines, which can also be Windows 10 multi-session, whereas the Browse all images button opens a dialog to choose any other image from the Marketplace or Shared Image Gallery.
Windows 10 Professional Remote Desktop
3. On the Properties page, complete the following fields as needed: Template Name, Number of hosts to deploy on wizard completion, Maximum number of hosts, Create an availability set, and Host prefix. Then click Next.
4. On the Settings page, specify the values for the Keep available buffer, Host power state after the preparation, and Delete unused hosts after fields. Click Next.
5. On the Hosts page, select virtual machine properties from the predefined Azure values for Resource Group, VM Size, OS disk type, Virtual network and Subnet. Then click Next.
6. Select the Optimization settings. By default, these settings are inherited from Site defaults, but custom settings can also be specified.
7. On the Preparation page, select an imagepreparation tool and specify the required options.
8. On the Summary page, review all the defined settings and click on the Finish button to create the template.
Once a template has been created, it can be assigned to a host pool either when the pool is created or by editing the properties of a previously created host pool.
1. The Provisioning step of the Add Windows Virtual Desktop Host Pool wizard allows administrators to choose Template as a provisioning type. If this method is selected, a template can be chosen from the list of already existing templates.
To view and modify the properties of an existing host pool, navigate to Farm > Site > Windows Virtual Desktop, select the Host pools tab and locate the host pool to be modified. Right-click on it and choose Properties. In the dialog box that opens (shown below), select the Autoscale tab, and choose a template through the Select Template drop-down menu.
2. The next steps would be to publish Windows Virtual Desktop resources, applications or desktops, and configure user assignment and filtering rules. Once this process has been carried out, entitled users will be able to access a Windows 10 multi-session desktop from their Parallels Client.
3. To view and manage Windows Virtual Desktop sessions, navigate to Farm > Site > Windows Virtual Desktop and select the Sessions tab. Sessions from all hosts in all host pools are displayed in the list.
Note that Parallels RAS allows for centrally managed end-user sessions running over Windows Virtual Desktop session hosts, including different task execution such as Disconnect, Log off, Remote control or Show processes. The Show information option opens an information dialog where session properties are grouped by functionality.
Support Various Cloud Deployment Options with Parallels RAS
Parallels RAS supports hybrid and cloud models, providing enterprises the flexibility to leverage these alternatives according to their technological and economic requirements. By using Parallels RAS, organizations can build the desktop and application delivery solution that best fits their needs. This can be achieved by combining the use of RDSH, VDI and Windows Virtual Desktop workloads and optimizing costs with a superior management experience from a single administration point. A fully functional, 30-day trial version of Parallels RAS can be deployed from the Microsoft Azure and Amazon AWS marketplaces.
Sources: https://www.parallels.com/blogs/ras/remote-desktop-multiple-users-windows-10/