Deploy Remote Desktop Services in a Workgroup or Domain Easily!


Update 10/9/2017

This article was the underlying document the post came from. Notice at the bottom it is valid for 2016 as well!

Applies to

Windows Server 2016 Datacenter, Windows Server 2016 Standard,
Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard,
Windows Server 2012 Datacenter, Windows Server 2012 Foundation



For all you Terminal Server or Remote Desktop Services or RDP Geeks out there, Let me spend a minute to clarify a call driver that continues to be popular.

The Scenario is deploying Remote Desktop Services in a work group. Call this a corner case, or call it what you will. The reason this is a popular support call is due to the fact that there are two articles needed to complete the setup.

Oh sure Microsoft does tell you to add a policy after your setup, but they specify you use GPEDIT. not much help there… Until Today!

First you need to Deploy the roles correctly. The Specific KB I chose for this article, is the one you would use for the simplest setup. One that keeps you clear of very common mis-steps of walking through the setup in the Server Manager. If you did your deployment correctly, you didn’t even need Server Manager.

So begin by reading this:

Guidelines for installing the Remote Desktop Session Host role service on a computer running Windows Server 2012 without the Remote Desktop Connection Broker role service

“”RD Session Host without the Connection Broker

To be clear about this deployment:

  • No Domain Controller
  • No Hyper-V
  • Install Remote Desktop Services.
  • You won’t get to select more until the end. You may install the following
      1. Remote Desktop Licensing and
      2. Remote Desktop Session Host
      3. RDWEB
      4. RD Gateway
  • For a work group you do not have to add the Terminal Server to the Terminal Server License server group. Why? With No DC, you don’t have to report to anyone.
  • Activate the Terminal Server using one of the three methods.. This is most common
  • Activate your RD Cal Licenses with KB2833839 or cc725890

So Far, so good. Now this is where we start to diverge from some existing Documentation

  • If you are in a work-group, go to “edit local users and groups”
  • Find the group folder and create a group for your RDP users and add your users to this group.
  • Alternatively, you may add your users to the RDP users group already there
  • Remember the group you are using. It becomes important
  • Now you are going to edit the Local Policy by doing the following:
      1. Start and Run GPEDIT.MSC
      2. Navigate to the following:

Local Computer Policy ->Computer Configuration-> Administrative Templates-> Windows Components-> Remote Desktop Services-> Remote Desktop Session Host-> Licensing

Figure 1. GPEDIT.MSCUntitled

You are going to see now, the two LSO (Local Security Object) you will be enabling.

Use the Specified Remote Desktop License Servers –Value- IP address of RD License Server.

Set the Remote Desktop Licensing Mode- Value – 2 or 4. 2 is for Device CAL and 4 is user Cal.

Figure 2. Local Policy. Untitled

Now there is another Policy to set. For this, you want to just go back to the top. Start out at Local Security policy like before (GPEDIT.MSC).See figure 3.


Figure 3 GPEDIT.MSCimage


Expand Computer –>Configuration,–> expand Windows Settings, –> expand Security Settings,–> expand Local Policies and then click User Rights Assignment.




Enable this policy and add the group you used earlier. It is highlighted in this article above. Add this group to this policy. In addition, add the Remote Desktop Users group to this policy if desired. Don’t and your administrator name here. The Admin already has access. If you ad your admin name, it will lock you out. So best to to stick to adding the Remote Desktop users group.



Notice it says administrators (Plural), that is fine, but the single administrator should not be in this list. there is a well known break here if you do that.  When you are finished, you just need to add the users you want to give access to, to the group we just added to the Policy (likely the remote desktop users group)

Step 8 comes right out of the KB2833839

  • Open an elevated Windows PowerShell prompt
  • Type the following command on the PS prompt and press Enter:
    $obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting
  • Run the following command to set the licensing mode:
    Note: Value = 2 for Per device, Value = 4 for Per User
  • Run the following command to replace the machine name with License Server:
  • Run the following command to verify the settings that are configured using above mentioned steps:
    You should see the server name in the output.

You have now covered all your bases, and  your RDP should be happy!! It will be happy because you paid attention to all the rights things!

Now I did find an interesting article to which I cant really comment on. However, it is an interesting article. IT deals with some issues, you could run across.

Based on a comment to this article, I want to address this KB    “Best practices for setting up Remote Desktop Licensing (Terminal Server Licensing) across Active Directory Domains/Forests or Work group”

This is where it tells you not to use a work group server. So Please consider this against this KB_

Guidelines for installing the Remote Desktop Session Host role service on a computer running Windows Server 2012 without the Remote Desktop Connection Broker role service

One article says don’t use a work-group. The other says “This server can be part of a work-group or may be configured as a DC.” Which do you believe? They are both true. Microsoft does not want you to use it in a work-group, but you can because they provided a way for you to do it. The cost? Printer Redirection issues, and a few other small things, but you can do it if you need to. Bottom line is Install your Terminal Server in a Domain. But, If you have no other choice then use a work-group if you have to.


Well That is it. I hope this has been helpful for work groups or non-work groups. this basically  can be set up on either.



7 thoughts on “Deploy Remote Desktop Services in a Workgroup or Domain Easily!

  1. Well, You gave a good information with clear explanation. You made a good site it’s very interesting one. Thank you so much for sharing the best posts they very help us. I am very satisfied with your site and your posts they amazing.


  2. Binh says:

    Thanks for the information. I’ve read here: that says you an only use DEVICE CALs for RDS servers in a Workgroup.

    However, I’ve read here: which says it works with USER CALS.

    I have installed USER CALs and alittle nervous that it might not work after the 120 days grace period. Have you setup your server to use USER CALs and if so, did it still work and allow users to connect after the 120 grace period?



  3. Hi. How can I apply this scenario but with a Hyper-V 2016 core server, on which I run a Windows 2016 standard server? I need a Remote Desktop Licensing server installed to enable RDP to a VM with an RemoteFX 3d adapter. No AD. Any suggestion would be appreciated.


    • SO if your using the free version of hyper-v and that is why you are using core, you cant install the DC role on the host. This will consume a license. So if you run the DC and hyper-v on the host machine, then i would not recommend core. you might as well get a GUI for your consumed license. Secondly, I would put the terminal server in a VM. 2016 really wants hyper-v to be the only role on the server. The rules have changed some, and multi role servers are never best as a host. let me see i have a link- here it is-
      you can put the DC role on -but you will find you cant cluster the servers if you do. CSV will not work once you have put the DC role and Hyper-v (with clustering) on one host. – Here is just a few reasons, but there are more. – I hope this helps


  4. […] DigitalBamboo’s Blog – Deploy Remote Desktop Services in a Workgroup or Domain Easily! […]


  5. […] DigitalBamboo’s Blog – Deploy Remote Desktop Services in a Workgroup or Domain Easily! […]


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s