How to configure RDP settings via GPO
TruGrid SecureRDP has a ZERO TRUST feature that is enabled by default for every domain. With this feature enabled, all RDP redirections (printers, drives, etc.) between end user and remote desktops are blocked. While TruGrid Admins can enable device redirections for their own accounts, doing so for other users via the ZERO TRUST feature may not be granular enough. In other words, once ZERO TRUST is disabled for a domain, users can redirect resources via TruGrid SETTINGS.
Nonetheless, for customers using TruGrid SecureRDP in a Windows Active Directory environment, GPO (Group Policy Objects) can be used to provide granular RDP redirection and restrictions. There are multiple ways to achieve this via GPO:
- One method is to put end users into different Organizational Units (OUs) and apply the desired RDP restrictions against the different OUs. Policies enforced this way apply to those users regardless of which computers they access.
- Another method is to create a GPO, restrict it to a security group of computers, and then enforce the RDP settings and restrictions on the GPO. Policies applied this way will affect all users accessing the computers in the security group.
- A third method is to apply a new Group Policy targeting the OU where the desired computers reside and disallow clipboard for all users there. Then, using the "Deny apply" setting in GPO delegation, a security group of users can be allowed to bypass this restriction.
The steps below apply to methods #1 and #2 above, except where noted. The settings shown below focus on redirections for PRINTERS, DEVICE & RESOURCES, SESSION TIME OUT, and how to handle multiple connections to RDS Servers (very useful for RemoteApp).
Here are the implementation steps:
- Create and link a new GPO:
a. If configuring for #1 method above, apply the GPO to a USER OU
b. If configuring for #2 method above, apply the GPO at the domain level but restrict it to TG-COMPUTERS.

- This step is only for #2 method. Edit the new GPO and navigate to "COMPUTER CONFIGURATION\POLICIES\ADMINISTRATIVE TEMPLATES\SYSTEM\GROUP POLICY" to adjust the below settings.

- The next steps apply to both #1 and #2 methods. Navigate to "COMPUTER CONFIGURATION\POLICIES\ADMINISTRATIVE TEMPLATES\WINDOWS COMPONENTS\REMOTE DESKTOP SERVICES" to adjust various RDP settings.



High-Security Environment Suggested Settings
In high-security environments, and where Data Loss Prevention is a priority, just enable the TruGrid ZERO TRUST setting, or enable the following restrictions via GPO:
- Do not allow clipboard redirection
- Do not allow drive redirection
- Do not allow LPT port redirection
- Do not allow client printer redirection
- Set time limit for active but idle Remote Desktop Services sessions
Method #3 - Using Deny Apply filtering
RDP redirection settings like "Do not allow clipboard redirection" exist under both Computer Configuration and User Configuration in the Administrative Templates. By default, User Configuration policies apply based on the user's OU, so a User Configuration policy linked to the session host's OU would normally be ignored.
Group Policy Loopback Processing in Replace mode changes this. It tells the session host to apply User Configuration policies from its own GPO scope instead of the user's OU, allowing User Configuration settings to apply to any user who logs in.
Per-user control is then achieved through GPO Delegation. The GPO applies to all users by default (via Authenticated Users). To exempt specific users, you add a security group to the Delegation tab and set Deny Apply Group Policy. Users in that group are excluded from the restriction. These restrictions can be applied to any and all settings, but this method is focusing on clipboard redirection.
Prerequisites
- An OU containing the session host computer objects where restrictions should be enforced.
- A security group containing the users who should be exempt from the restriction (e.g., TG-ClipboardAllowed).
Implementation Steps
Step 1: Create and Link the GPO
- Open the Group Policy Management Console (GPMC).
- Create a new GPO (e.g., "RDP Redirection Restrictions").
- Link it to the OU containing the session host computer objects.
Step 2: Configure Security Filtering
Leave the default Authenticated Users in Security Filtering. Do not remove it.
Both the computer accounts and user accounts need to be able to read and apply this GPO:
- The computers need to process the GPO to pick up the Loopback Processing setting from Computer Configuration.
- The users need to process the GPO for the User Configuration clipboard restriction to apply.
Scope is controlled by the OU link (Step 1), not by Security Filtering.
Step 3: Enable Loopback Processing
- Edit the GPO.
- Navigate to:
Computer Configuration > Policies > Administrative Templates > System > Group Policy
- Open Configure user Group Policy loopback processing mode.
- Set it to Enabled.
- Set the Mode to Replace.
Replace mode means: when a user logs into a session host in this OU, the User Configuration policies from the computer's GPO scope are applied instead of the policies from the user's own OU.

Step 4: Enable the RDP Restriction
- In the same GPO, navigate to:
User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
- Open Do not allow Clipboard redirection.
- Set it to Enabled.
Repeat for any other redirection settings you want to restrict (drive redirection, printer redirection, LPT port redirection, etc.).
At this point, clipboard redirection is disabled for all users who log into the session hosts in the targeted OU.

Step 5: Exempt Specific Users via Delegation
- In GPMC, select the GPO (do not edit it -- select it in the left pane).
- Go to the Delegation tab.
- Click Advanced.
- Click Add and add the TG-ClipboardAllowed security group.
- Set the following permissions for TG-ClipboardAllowed:
| Permission | Setting |
|---|---|
| Read | Allow |
| Apply Group Policy | Deny |
- Click OK.
- Confirm the Deny override warning.

Users in TG-ClipboardAllowed can now read the GPO but it will not apply to them. Because Deny always overrides Allow in Windows ACLs, the explicit Deny on Apply Group Policy takes precedence over the Allow inherited from Authenticated Users.
Step 6: Verify
- Run gpupdate /force on the session host.
- Log in as a user who is not in TG-ClipboardAllowed.
- Attempt to copy/paste between the local machine and the remote session. It should be blocked.
- Log out and log in as a user who is in TG-ClipboardAllowed.
- Attempt to copy/paste. It should work normally.
- Optionally, run gpresult /r from both user sessions to confirm the GPO is applied or filtered as expected.
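Steps 1 to 5 of Method #3 scripted in PowerShell, as an added example that is not TruGrid's own code. The OU distinguished name is a hypothetical placeholder, and the registry values (UserPolicyMode, fDisableClip) are assumed to be the ones these Administrative Template settings write; confirm them in the GPO's settings report before relying on the script.

```powershell
# Added example. The OU DN is a hypothetical placeholder; run as a GPO admin
# on a host with the GroupPolicy and ActiveDirectory (RSAT) modules.
Import-Module GroupPolicy, ActiveDirectory

$GpoName     = 'RDP Redirection Restrictions'        # name used in Step 1
$TargetOu    = 'OU=SessionHosts,DC=example,DC=com'   # hypothetical session host OU
$ExemptGroup = 'TG-ClipboardAllowed'                 # group from Prerequisites

# Step 1: create the GPO and link it to the session host OU.
# Step 2 needs no action: Authenticated Users stays in Security Filtering.
$gpo = New-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null

# Step 3: loopback processing, Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Guid $gpo.Id -Type DWord -Value 2 `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' | Out-Null

# Step 4: User Configuration "Do not allow Clipboard redirection" = Enabled
# (assumed registry value behind the policy: fDisableClip = 1).
Set-GPRegistryValue -Guid $gpo.Id -Type DWord -Value 1 `
    -Key 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDisableClip' | Out-Null

# Step 5: Read = Allow, Apply Group Policy = Deny for the exempt group.
# Set-GPPermission has no Deny level, so the Deny ACE is written to the GPO's
# AD object using the Apply-Group-Policy extended right GUID.
Set-GPPermission -Guid $gpo.Id -TargetName $ExemptGroup -TargetType Group `
    -PermissionLevel GpoRead | Out-Null
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$groupSid      = (Get-ADGroup -Identity $ExemptGroup).SID
$gpoAdPath     = "AD:\$($gpo.Path)"
$acl     = Get-Acl -Path $gpoAdPath
$denyAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpoAdPath -AclObject $acl

# Audit: list every principal that is denied Apply Group Policy on this GPO.
(Get-Acl -Path $gpoAdPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

The final audit query is worth re-running periodically, since every principal it returns is exempt from the redirection restrictions on these session hosts.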
Updated on: 31/03/2026
