Active Directory user account configuration

The enrollment agent user and NLA user must be created in Microsoft Active Directory. The following describes how to create these users.

Enrollment agent user account

The enrollment agent user account is required to enroll certificates through RAS Enrollment Server on behalf of the authenticated user. Please note that the enrollment agent user requires logon privileges on the machine where RAS Enrollment Server Agent is installed.

NLA user account

The NLA User is needed to initiate the NLA connection with RD Session Hosts and/or VDI guests. Please note that the NLA user requires log on privileges to the session host.

The NLA User must be a member of the Remote Desktop Users group and be granted the Allow log on through Remote Desktop Services permission. At the same time the NLA User must be prohibited to logon via Remote Desktop Services.

To exclude the NLA User account, it must be assigned the Deny log on through Remote Desktop Services user right.

To achieve both goals, you can use local or domain GPOs (linked to OU or domain wide).

A restart of the device is not required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:

  1. Local policy settings
  2. Site policy settings
  3. Domain policy settings
  4. OU policy settings

Create a new GPO or use Default Domain Policy GPO as follows:

  1. Open the Group Policy Management Console (GPMC).
  2. Open or create a GPO linked with the OU where the RDSH or VDI objects reside.
  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment and open "Allow log on through Remote Desktop Services" option.
  4. Choose to add User or Group..., add the NLA user and click OK.
  5. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment and open the Deny log on through Remote Desktop Services option.
  6. Choose to add User or Group..., add the NLA user and click OK.
Was this topic helpful?