Installing Supported Remote Desktop Services, on a Workgroup Server (No Domain)
Microsoft’s official stance is that Remote Desktop Services (RDS) generally requires an Active Directory Domain. However, for small environments, standalone servers, or specific test cases, you can set up a Workgroup RDS Deployment.
This guide covers how to install the RDS roles manually, configure licensing without a domain controller, and strictly manage local user access.
⚠ Important Warning: This guide focuses on a Workgroup setup. If you require strict Per-User CAL enforcement or advanced features like RD Gateway, a Domain environment is the only fully supported path.
Licensing Requirements & Compliance
Before technical installation, you must ensure you have the correct licenses. RDS CAL/Licenses are not free; the standard "2 concurrent admin sessions" included with Windows Server is for maintenance only, not for users.
1. Required Licenses (You need both):
Windows Server CAL: Covers the user/device accessing the server OS.
RDS CAL (Remote Desktop Services Client Access License): Specifically covers the remote desktop functionality.
2. Choosing the Right RDS CAL for Workgroups:
Per-Device CALs (Recommended): The license is assigned to the specific client computer (e.g., "Office-PC-01").
Why: This is the only mode strictly enforced and tracked by the server in a Workgroup.
Per-User CALs: The license is assigned to a specific person.
Why: Microsoft officially restricts this in Workgroups because the server cannot track users without Active Directory. You can technically force this mode via Group Policy (Step 4), but it operates on an "Honor System." You must legally own the paper licenses, even if the server does not decrement a counter.
🔗 Official Resources:
Microsoft Guide: License your RDS deployment with client access licenses (CALs) Microsoft Guide: Activate the Remote Desktop Services license server
Step 1: Install RDS Roles Manually
Do NOT use the "Quick Start" deployment. It installs unnecessary components that rely on a domain.
Open Server Manager.
Click Add Roles and Features.
Choose Role-based or feature-based installation.
Select your local server.
On Server Roles, check only these two:
✅ Remote Desktop Session Host
✅ Remote Desktop Licensing
Do NOT install: RD Gateway, RD Web Access, or RD Connection Broker.
Finish the installation and Reboot the server.
Step 2: Enable RDS Mode
Once the server reboots, ensure it isn't stuck in "Admin" mode.
Open Command Prompt (Admin) and run:
change user /queryYou want to see: Application EXECUTE mode is enabled.
If it says "Install mode," run:
change user /execute
Step 3: Activate the License Server
Even without a domain, you must activate the licensing service to issue CALs.
Open Remote Desktop Licensing Manager.
Right-click your server name and select Activate Server.
Choose Automatic (Internet) connection method.
Install your Licenses:
Per-Device CALs: Recommended for Workgroups. These are strictly enforced by the server.
Per-User CALs: Works via a registry tweak (see Step 4), but there is no enforcement. It is an "Honor System" based on the paper licenses you own.
Step 4: Configure Licensing via Local GPO
Because there is no Domain Controller, you must hard-code the licensing path in Local Group Policy.
Run
gpedit.msc.Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing
Configure these two settings:
Set the Remote Desktop licensing mode: Enabled → Per Device (or Per User).
Use the specified Remote Desktop license servers: Enabled →
localhost.
Run
gpupdate /force.
Step 5: Create and Assign Users
Since there is no Active Directory, you must create users locally and then explicitly grant them RDP access.
1. Create the Users
Press
Win + R, typelusrmgr.msc, and hit Enter.Right-click Users → New User.
Create your users (e.g.,
User1,User2) and set their passwords.
2. Add to "Remote Desktop Users" Group
You can do this in lusrmgr.msc, but the modern interface is often easier for verification:
Open Windows Settings (Gear icon).
Navigate to System > Remote Desktop.
Click Remote Desktop users.
Click Add and type the names of the users you just created.
Note: This automatically adds them to the local "Remote Desktop Users" group.
Step 6: Critical Security Policy (The "LSP" Fix)
In Workgroup environments, simply adding a user to the group sometimes isn't enough. You must verify the Local Security Policy allows that group to log in.
Press
Win + R, typesecpol.msc, and hit Enter.Navigate to: Local Policies > User Rights Assignment
Locate the policy: Allow log on through Remote Desktop Services.
Double-click it and ensure the following are listed:
AdministratorsRemote Desktop Users(Optional) Specific users if the group isn't working.
Critical Check: Look for Deny log on through Remote Desktop Services in the same list. Ensure your users are NOT listed there.
Step 7: Set Session Limits
In a Workgroup, idle sessions can hang indefinitely and lock files.
Open
gpedit.msc.Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
Recommended Settings:
Idle Session Limit: 1 Hour.
Disconnected Session Limit: 30 Minutes.
End session when time limits are reached: Enabled.
Summary Checklist
If a user cannot log in, check these three layers in order:
Does the user exist? (
lusrmgr.msc)Is the user in the group? (
System > Remote Desktop)Is the group allowed to log in? (
secpol.msc> User Rights Assignment)
Created & Maintained by Pacific Northwest Computers
📞 Pacific Northwest Computers offers Remote & Onsite Support Across:
SW Washington including Vancouver WA, Battle Ground WA, Camas WA, Washougal WA, Longview WA, Kelso WA, and Portland OR
No comments:
Post a Comment