Trusted Domain users to RDP session

Can users from a Trusted Domain authenticate on a Remote Desktop connection in a different, trusting domain? Can it be done? Yes.

So, after some painful back and forth, it can be done, but it's not totally secure, and it can be quite the hassle.

  1. Requires a Two-Way domain trust, which is not as secure as a one-way, limited trust.
  2. The RDP broker must be able to talk to the Trusted DC, and the Trusted DC must be able to talk to the Trusting RDP broker as well as the Trusting DC.
  3. A Domain Local group on the Trusting domain that has a group from the Trusted domain as a member.
  4. NPS on the Gateway must be set to allow the Trusted domain user group. (May not be required in environments without a gateway.)

This assumes you can set up a Two-Way domain trust (maybe even set up as Selective), so that part is not covered here. On the Trusting domain (the one with the RDP server), you will need to set up a Domain Local security group:

That has the Trusted domain’s group as a member:

On the broker/gateway, in NPS, right-click NPS (Local) and, if Register server in Active Directory is shown in bold, click it to register the server in Active Directory.

In the Network Policies, RDG_CAP_AllUsers, Conditions, User Groups, you need to add the Trusted domain’s user group and the domain local group (just in case).

In the collection(s), you can add the Domain Local group, or groups, to the User Groups assigned to that collection:

Now, users in the group from the Trusted domain, who are in the Domain Local group, can authenticate to an RDP session in the Trusting domain, as long as the firewall, VPN, etc. allows the RDP connection broker to reach the Trusted DC and vice versa.

To sum up:

  • Two-Way Domain Trust: Establish a two-way domain trust between the trusting and trusted domains. This facilitates communication between the RDP broker/gateway and the trusted domain’s domain controller.
  • Communication Channels: Ensure that communication channels are open bidirectionally between the RDP broker/gateway and the Trusted DC, as well as between the Trusted DC and the Trusting RDP broker and DC. Verify there are no network restrictions impeding this communication.
  • Domain Local Group Creation: Create a Domain Local group on the Trusting domain, adding a group from the Trusted domain as a member. This allows users from the Trusted domain to be granted access permissions within the Trusting domain.
  • NPS Configuration: In the Network Policy Server (NPS) on the RDP broker/gateway:
    • Register the server in Active Directory.
    • Configure the RDG_CAP_AllUsers network policy: in Conditions, under User Groups, add the Trusted domain’s user group and the Domain Local group.
  • Collection User Groups: In the collection(s), assign the Domain Local group(s) to the User Groups associated with the collection.
  • Active Directory Registration: Ensure the RDP broker/gateway is properly registered in Active Directory, which is vital for its integration with NPS.
  • Firewall/VPN Configuration: Confirm that firewall or VPN settings allow the RDP connection broker to communicate with the Trusted DC and vice versa. This ensures seamless authentication for Trusted domain users accessing RDP sessions in the Trusting domain.

By meticulously following these steps, users from the Trusted domain who are members of the Domain Local group can successfully authenticate to RDP sessions in the Trusting domain. However, it’s crucial to monitor and maintain the setup’s security to mitigate potential risks.
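The Trusting-side steps above (check the trust, create the Domain Local group, nest the Trusted domain's group, assign it to the collection) can be done with the ActiveDirectory and RemoteDesktop modules. This is an added example, not from the original post; the domain names, OU, group names, collection name and broker FQDN are placeholders.

```powershell
# Added example (not from the original post). Run on a Trusting-domain server that has
# the RSAT ActiveDirectory module and the RemoteDesktop module (RDS deployment).
Import-Module ActiveDirectory
Import-Module RemoteDesktop

$TrustedDomain = 'trusted.example'              # placeholder: domain whose users need RDP
$TrustedGroup  = 'RDP Users'                    # placeholder: group in the Trusted domain
$LocalGroup    = 'RDP-TrustedDomainUsers'       # placeholder: Domain Local group to create
$GroupOU       = 'OU=Groups,DC=trusting,DC=example'
$Collection    = 'Desktops'                     # placeholder: RD session collection name
$Broker        = 'broker.trusting.example'      # placeholder: RD Connection Broker FQDN

# 1. Check the trust before relying on it. The post needs a two-way trust; the security
#    caveat is whether it is Selective and whether SID filtering is in force.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
if (-not $trust) { throw "No trust with $TrustedDomain found" }
$trust | Select-Object Name, Direction, SelectiveAuthentication, SIDFilteringQuarantined
if ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "Trust is $($trust.Direction); this setup needs BiDirectional"
}

# 2. Domain Local security group in the Trusting domain (idempotent).
$group = Get-ADGroup -Filter "Name -eq '$LocalGroup'"
if (-not $group) {
    $group = New-ADGroup -Name $LocalGroup -GroupScope DomainLocal -GroupCategory Security `
                         -Path $GroupOU -PassThru
}

# 3. Nest the Trusted domain's group inside it. Resolving the group against the
#    Trusted DC (-Server) is what lets AD create the foreign security principal.
$foreign = Get-ADGroup -Identity $TrustedGroup -Server $TrustedDomain
Add-ADGroupMember -Identity $group -Members $foreign

# 4. Add the Domain Local group to the collection's User Groups. -UserGroup replaces
#    the whole list, so keep whatever is already assigned.
$existing = (Get-RDSessionCollectionConfiguration -CollectionName $Collection `
                -UserGroup -ConnectionBroker $Broker).UserGroup
$netbios  = (Get-ADDomain).NetBIOSName
$wanted   = @($existing) + "$netbios\$LocalGroup" | Select-Object -Unique
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $wanted `
                                     -ConnectionBroker $Broker

# The RD Gateway policy (RDG_CAP_AllUsers) is still edited in the NPS console as the
# post describes; this script does not change NPS.
```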

Users can’t see on RDP Session

Sometimes we have a larger resolution on an RDP server and users complain they can’t see – or, just a couple users complain and everyone else thinks it is fine. Here are some methods to Magnify an RDP session, Make Text Bigger on the RDP session or, increase the scaling directly from the Remote Desktop Session’s .RDP file.

Using Magnifier on RDP session

First, let's change the settings on Magnifier, because it starts at 100% increments and that can just look ugly.  Click the Start button and type “mag”, which should bring up the following.

There is a drop-down to pick the zoom level increments – pick 10% to start with.

The directions on this page tell you how to use it.  (Ignore “Make everything bigger”.)

You can now turn on the Magnifier by pressing the Windows logo key on the keyboard, then the Plus Sign.

To turn the Magnifier off, hold down the Windows logo key and press the Esc key.

Adjust Font Size on Remote Desktop session:

Click Start or the Search box in the lower-left corner of the screen and type “Make Text Size Bigger” (you may not have to type the whole thing).

Click on the Make text size bigger (system settings)

Drag the slider bar to the size you need, then click Apply.

Adjusting the Text of the .RDP file

This is the last effort if neither of the above work properly, because it involves editing the .RDP using Notepad++ – or Notepad, if you don’t like better programs.

You will need the .RDP file you use to connect – or you can use Save As in the Remote Desktop client and save it to the local desktop.

You will need to right-click and choose Edit with Notepad++, or select Open With – then choose Notepad.

You may need to choose another app, then More Apps and scroll down to find Notepad, then click OK.

When open in Notepad++ (or Notepad), you will see a lot of text.  Scroll down to the bottom.

Add the following at the bottom:
desktopscalefactor:i:125
devicescalefactor:i:125

You can adjust these numbers, but I think 125% is good to start with.

While this is open, we can also make some performance improvements! Let's find:

redirectsmartcards:i:1 and change the 1 to a 0 (zero). So it would be:

redirectsmartcards:i:0

And you may want to change the session bpp:i: – I suggest:
session bpp:i:24

Now, save and close Notepad++ (or Notepad).

Use the .RDP file to connect to your session.
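The same .RDP edits (scale factors, smart card redirection off, 24-bit colour) can be applied from PowerShell instead of Notepad, and the function below updates a setting in place when it already exists rather than appending a duplicate line. This is an added example, not from the original post; the file path is a placeholder.

```powershell
# Added example (not from the original post): upsert name:type:value settings in a .rdp file.
function Set-RdpSetting {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Settings   # key -> 'type:value', e.g. 'i:125'
    )
    $lines = @(Get-Content -LiteralPath $Path -ErrorAction Stop)
    foreach ($key in $Settings.Keys) {
        # .rdp lines look like "desktopscalefactor:i:125"; the key may contain a space
        $pattern = '^' + [regex]::Escape($key) + ':[is]:'
        $newLine = "${key}:$($Settings[$key])"
        if ($lines -match $pattern) {
            # already present (e.g. redirectsmartcards:i:1): rewrite it in place
            $lines = $lines | ForEach-Object { if ($_ -match $pattern) { $newLine } else { $_ } }
        } else {
            # not present (e.g. the scale factors): append at the bottom, as the post does
            $lines += $newLine
        }
    }
    # mstsc saves .rdp files as UTF-16, so write them back the same way
    Set-Content -LiteralPath $Path -Value $lines -Encoding Unicode
}

$rdp = 'C:\Users\me\Desktop\Office.rdp'   # placeholder path
Copy-Item -LiteralPath $rdp -Destination "$rdp.bak"   # keep the original in case mstsc rejects the edit
Set-RdpSetting -Path $rdp -Settings @{
    'desktopscalefactor' = 'i:125'   # values from the post; adjust to taste
    'devicescalefactor'  = 'i:125'
    'redirectsmartcards' = 'i:0'     # also stops the local smart card reader being exposed to the host
    'session bpp'        = 'i:24'
}
```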