How to Add a User to the Remote Desktop Users Group in Batch Script
Allowing a user to connect to a Windows machine remotely via RDP (Remote Desktop Protocol) is a common support request. However, simply having an account on the machine is not enough. To log in remotely, a non-administrative user must be a member of the specific local security group: "Remote Desktop Users". Adding users to this group manually through the GUI is tedious for multiple machines.
This guide demonstrates how to use the net localgroup command to grant RDP access via a Batch script.
Why Use the Command Line for RDP Access?
- Standardized Onboarding: Automatically granting remote access to new employees as part of their account creation script.
- Bulk Configuration: Adding an entire department (e.g., "Engineering") to the Remote Desktop group on all lab computers at once.
- Temporary Access: Granting RDP rights for a specific support window and then removing them later.
You must run this script as an Administrator. Standard users do not have permission to modify local group memberships.
Method 1: Adding a Single User
The /add switch appends the named account to the group. The script checks for elevation before attempting the change, because only administrators can modify local group membership.

    @echo off
    setlocal
    :: Check for admin rights: "net session" only succeeds in an elevated prompt
    net session >nul 2>&1
    if %errorlevel% neq 0 (
        echo [ERROR] Administrator privileges are required.
        pause
        exit /b 1
    )
    set /p "USN=Enter username to grant RDP access: "
    if "%USN%"=="" (
        echo [ERROR] No username entered.
        pause
        exit /b 1
    )
    echo [PROCESS] Granting Remote Desktop access to "%USN%"...
    net localgroup "Remote Desktop Users" "%USN%" /add
    :: The whole if/else below is parsed after net localgroup has finished,
    :: so %errorlevel% reflects that command's exit code in both branches
    if %errorlevel% equ 0 (
        echo [SUCCESS] User added. RDP access should work immediately.
    ) else (
        echo [ERROR] Failed to add user. Code: %errorlevel%
        echo [HELP] Verify the username exists and is not already a member.
    )
    pause
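The temporary-access use case listed earlier (grant access for a support window, remove it afterwards) needs the matching /delete switch and something that runs it later. The following script is an added example, not part of the original guide: it grants access with /add and registers a one-off scheduled task, running as SYSTEM, that removes the membership again at a given time. The script name, the argument order (account, then HH:MM) and the RevokeRDP_ task naming convention are assumptions made for this example.

```batch
@echo off
setlocal
:: Added example (not from the original guide): grant RDP access for a fixed
:: support window, then schedule the revocation with schtasks.
:: Assumptions: run from an elevated prompt; the Task Scheduler service is
:: running; account and end time are passed as arguments, e.g.
::   grant-temp-rdp.cmd CONTOSO\jdoe 18:30
set "GROUP=Remote Desktop Users"
set "TARGET=%~1"
set "REVOKE_AT=%~2"

net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    exit /b 1
)
if "%TARGET%"=="" (
    echo Usage: %~nx0 ^<DOMAIN\user^> ^<HH:MM^>
    exit /b 1
)
if "%REVOKE_AT%"=="" (
    echo Usage: %~nx0 ^<DOMAIN\user^> ^<HH:MM^>
    exit /b 1
)

:: Grant access now.
net localgroup "%GROUP%" "%TARGET%" /add
if %errorlevel% neq 0 (
    echo [ERROR] Could not add "%TARGET%" to "%GROUP%".
    exit /b 1
)

:: Schedule the matching /delete as SYSTEM so it runs even if nobody is logged
:: on. The task name is derived from the account name with the backslash
:: replaced, so it is a valid task name (constructed naming convention).
set "TASKNAME=RevokeRDP_%TARGET:\=_%"
schtasks /create /f /tn "%TASKNAME%" /sc once /st %REVOKE_AT% /ru SYSTEM ^
    /tr "cmd /c net localgroup \"%GROUP%\" \"%TARGET%\" /delete"
if %errorlevel% neq 0 (
    echo [WARN] Access granted but the revocation task was NOT scheduled.
    echo        Remove manually: net localgroup "%GROUP%" "%TARGET%" /delete
    exit /b 1
)
echo [SUCCESS] "%TARGET%" has RDP access until %REVOKE_AT%; task "%TASKNAME%" revokes it.
endlocal
```

Because the task is created with /sc once, it fires a single time and then remains in Task Scheduler as a record of the revocation; a later run for the same account overwrites it thanks to /f. Check the result with `schtasks /query /tn RevokeRDP_CONTOSO_jdoe`.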
Method 2: Adding a Domain Group
In a domain environment, you can add a global security group (like "IT Support") to the local Remote Desktop Users group.
    @echo off
    setlocal
    :: Check for admin rights
    net session >nul 2>&1
    if %errorlevel% neq 0 (
        echo [ERROR] Administrator privileges are required.
        pause
        exit /b 1
    )
    :: Domain groups are given in DOMAIN\GroupName form
    set /p "DOMAIN_GRP=Enter domain group (e.g., CONTOSO\IT_Support): "
    if "%DOMAIN_GRP%"=="" (
        echo [ERROR] No group entered.
        pause
        exit /b 1
    )
    echo [PROCESS] Enabling RDP for domain group: "%DOMAIN_GRP%"...
    net localgroup "Remote Desktop Users" "%DOMAIN_GRP%" /add
    if %errorlevel% equ 0 (
        echo [SUCCESS] Domain group added to Remote Desktop Users.
    ) else (
        echo [ERROR] Failed. Verify the group name and domain connectivity.
    )
    pause
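Method 2 changes one machine at a time. For the bulk case from the list of uses (the same domain group on every lab computer), the same command can be pushed from an administrator's workstation over WinRM with winrs. The script below is an added example, not from the original guide; it assumes WinRM is enabled on each target, that the caller is a local administrator on each of them, and that a file named computers.txt (a placeholder name, one hostname per line, # for comments) sits next to the script. The rdp-bulk.log file name is also a placeholder.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example (not from the original guide): add one domain group to the
:: Remote Desktop Users group on every computer listed in computers.txt.
:: Assumptions: WinRM enabled on the targets, caller is a local admin there,
:: computers.txt and the log file live next to this script (placeholder names).
set "GROUP=Remote Desktop Users"
set "DOMAIN_GRP=%~1"
set "LIST=%~dp0computers.txt"
set "LOG=%~dp0rdp-bulk.log"

if "%DOMAIN_GRP%"=="" (
    echo Usage: %~nx0 DOMAIN\GroupName
    exit /b 1
)
if not exist "%LIST%" (
    echo [ERROR] Computer list "%LIST%" not found.
    exit /b 1
)

set /a OK=0, FAILED=0
for /f "usebackq eol=# tokens=* delims=" %%h in ("%LIST%") do (
    echo [PROCESS] %%h
    rem winrs runs the command in a remote cmd.exe; a non-zero exit code covers
    rem both "could not connect" and "net localgroup failed" on the target.
    winrs -r:%%h net localgroup "%GROUP%" "%DOMAIN_GRP%" /add >nul 2>&1
    if !errorlevel! equ 0 (
        echo   [OK] added "%DOMAIN_GRP%" on %%h
        rem Redirection is placed first so a hostname ending in a digit is not
        rem parsed as a handle number (e.g. "LAB01>>" would become "1>>").
        >>"%LOG%" echo %date% %time% OK %%h
        set /a OK+=1
    ) else (
        echo   [FAIL] %%h - code !errorlevel! - unreachable, WinRM denied, bad group name, or already a member
        >>"%LOG%" echo %date% %time% FAIL %%h code !errorlevel!
        set /a FAILED+=1
    )
)
echo.
echo Done: !OK! succeeded, !FAILED! failed. Details in "%LOG%"
endlocal
```

Run it as `bulk-rdp-group.cmd CONTOSO\IT_Support` from an elevated prompt; hosts that fail are listed in the log with their exit code so they can be retried individually with Method 2 once the cause (usually WinRM not enabled or a typo in the group name) is fixed.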
Creating a Remote Access Provisioning Tool
This longer script validates input, checks whether the account is already a member, performs the change, and lists the resulting membership.

    @echo off
    setlocal EnableDelayedExpansion
    set "GROUP=Remote Desktop Users"
    echo ============================================================
    echo Remote Access Provisioning Utility
    echo ============================================================
    :: 1. Check for admin rights
    net session >nul 2>&1
    if %errorlevel% neq 0 (
        echo [ERROR] Administrator privileges are required.
        pause
        exit /b 1
    )
    :: 2. Get target (read with delayed expansion so the value is not
    ::    re-parsed inside the if blocks below)
    set /p "TARGET=Enter Username to Enable RDP: "
    if "!TARGET!"=="" (
        echo [ERROR] No username entered.
        pause
        exit /b 1
    )
    :: 3. Verify the user exists locally or on the domain
    net user "!TARGET!" >nul 2>&1
    if !errorlevel! neq 0 (
        net user "!TARGET!" /domain >nul 2>&1
        if !errorlevel! neq 0 (
            echo [ERROR] User "!TARGET!" not found locally or in the domain.
            pause
            exit /b 1
        )
    )
    :: 4. Check existing membership. A whole-line literal match (/l /x) is used
    ::    rather than a substring match, so "ann" is not reported as a member
    ::    because "joanne" is listed. The second check accepts the DOMAIN\name
    ::    form that net localgroup prints for domain accounts.
    net localgroup "!GROUP!" 2>nul | findstr /i /l /x /c:"!TARGET!" >nul
    if !errorlevel! neq 0 (
        net localgroup "!GROUP!" 2>nul | findstr /i /l /e /c:"\!TARGET!" >nul
    )
    if !errorlevel! equ 0 (
        echo [INFO] "!TARGET!" is already a member of "!GROUP!".
        echo [TIP] No action needed. RDP access is already granted.
        echo ============================================================
        pause
        exit /b 0
    )
    :: 5. Add User
    echo [PROCESS] Adding "!TARGET!" to "!GROUP!"...
    net localgroup "!GROUP!" "!TARGET!" /add
    if !errorlevel! equ 0 (
        echo [SUCCESS] RDP access granted to "!TARGET!".
        echo.
        echo [VERIFY] Current members of "!GROUP!":
        echo -----------------------------------------
        rem The first six lines of the output are the header; the trailing
        rem status line is filtered out so only member names are printed.
        for /f "skip=6 tokens=*" %%m in ('net localgroup "!GROUP!" 2^>nul') do (
            echo %%m | findstr /c:"The command completed successfully" >nul
            if !errorlevel! neq 0 echo %%m
        )
        echo -----------------------------------------
    ) else (
        echo [FAIL] Could not add "!TARGET!" to "!GROUP!".
        echo [HELP] The user may not exist or may already be a member
        echo through a domain group.
    )
    echo ============================================================
    pause
Common Pitfalls and How to Avoid Them
Group Name Spelling
The group name "Remote Desktop Users" contains spaces. You must wrap it in double quotes, or the command will fail with a syntax error.
Replication Delay (Domain)
If you add a domain user, it might take a few minutes for the change to replicate if the Domain Controller is busy.
Remind your users that Administrators are automatically granted RDP access; they do not need to be added to the "Remote Desktop Users" group separately.
Best Practices for Remote Access
- Least Privilege: Don't make someone an Administrator just to give them RDP access. Use this specific group instead.
- Audit Regularly: Periodically list the members of "Remote Desktop Users" to ensure no unauthorized accounts have access.
- Use Network Level Authentication (NLA): Ensure NLA is enabled in your system settings for better security, even for these users.
Technically, adding a user to this group grants them the "Allow log on through Remote Desktop Services" user right.
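The audit and NLA recommendations above can be turned into a routine check. The following script is an added example, not from the original guide: it lists the current members of the group, flags any account not present in an approved list, and reads the two standard Terminal Server registry values (fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, and UserAuthentication under its WinStations\RDP-Tcp subkey) to report whether RDP is enabled and whether NLA is required. The approved-rdp.txt file name and its one-account-per-line format are assumptions for this example.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example (not from the original guide): audit "Remote Desktop Users"
:: against an approved list and report the RDP / NLA registry settings.
:: Assumptions: approved-rdp.txt (placeholder name) sits next to this script,
:: one account per line exactly as net localgroup lists it (DOMAIN\name for
:: domain accounts), # for comments. Run from an elevated prompt.
set "GROUP=Remote Desktop Users"
set "APPROVED=%~dp0approved-rdp.txt"
set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set /a UNEXPECTED=0

if not exist "%APPROVED%" (
    echo [ERROR] Approved list "%APPROVED%" not found.
    exit /b 1
)

echo === Members of "%GROUP%" ===
rem Lines 1-6 of the net localgroup output are the header; the trailing
rem status line is skipped inside the loop.
for /f "skip=6 tokens=*" %%m in ('net localgroup "%GROUP%" 2^>nul') do (
    set "MEMBER=%%m"
    if "!MEMBER!" neq "The command completed successfully." (
        rem Whole-line, literal, case-insensitive match against the approved list.
        findstr /i /l /x /c:"!MEMBER!" "%APPROVED%" >nul 2>&1
        if !errorlevel! equ 0 (
            echo   [OK]         !MEMBER!
        ) else (
            echo   [UNEXPECTED] !MEMBER!  ^<-- not on the approved list
            set /a UNEXPECTED+=1
        )
    )
)

echo.
echo === RDP configuration ===
rem fDenyTSConnections: 0x0 = RDP connections allowed, 0x1 = refused.
set "RDP_STATE=unknown (value not present)"
for /f "tokens=3" %%v in ('reg query "%TS%" /v fDenyTSConnections 2^>nul ^| findstr /i fDenyTSConnections') do (
    if "%%v"=="0x0" (set "RDP_STATE=ENABLED") else (set "RDP_STATE=disabled")
)
echo   RDP connections: !RDP_STATE!
rem UserAuthentication: 0x1 = Network Level Authentication required.
set "NLA_STATE=unknown (value not present)"
for /f "tokens=3" %%v in ('reg query "%TS%\WinStations\RDP-Tcp" /v UserAuthentication 2^>nul ^| findstr /i UserAuthentication') do (
    if "%%v"=="0x1" (set "NLA_STATE=required") else (set "NLA_STATE=NOT required - enable NLA")
)
echo   NLA:             !NLA_STATE!

echo.
if !UNEXPECTED! gtr 0 (
    echo [REVIEW] !UNEXPECTED! member^(s^) not on the approved list. Remove with:
    echo          net localgroup "%GROUP%" ^<account^> /delete
    exit /b 2
)
echo [OK] Group membership matches the approved list.
exit /b 0
```

The script exits with code 2 when it finds an unexpected member, so it can be run from a scheduled task or a monitoring agent and the exit code used as the alert condition; the approved list should be kept under change control so that an addition to it is itself a reviewed event.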
Conclusion
Adding users to the Remote Desktop Users group via Batch script is a fundamental task for managing remote access in a secure and efficient Windows environment.
By leveraging the net localgroup command, you can streamline user provisioning, ensuring that employees have the connectivity they need without compromising system security by over-granting administrative privileges.
This professional approach simplifies support workflows and keeps your access policies consistent across your entire fleet.