Least Privilege - Microsoft RDS Connector
  • 23 Nov 2023

Article Summary

This article explains how to restrict a Service Account's permissions by assigning it only the least-privileged roles that the Microsoft RDS Connector needs to connect to the RDS Broker.

Create a Service Account

Create a service account in your Active Directory. This account has the same default settings as a regular domain user account. It needs permissions on all the desktops and/or published applications that you need to view in the Microsoft RDS connector.

For more information about service accounts, see Microsoft documentation.

Grant WMI permissions to the Service Account

On the Microsoft RDS broker, add the following permissions in Windows Management Instrumentation (WMI):

  1. Log into your Microsoft RDS broker.
  2. Run wmimgmt.msc or open WMI Control (Local).
  3. Right-click "WMI Control (Local)" and select Properties.
  4. Navigate to the Security tab.
  5. Select TerminalServices under root\cimv2\TerminalServices and click Security.
  6. In the Security for.. dialog box that opens, add the Service Account you previously created and grant the following permissions to it:
    • Remote Enable
    • Read Security
  7. When you finish, click OK until you reach the WMI Control (Local) console. Your changes will be saved automatically.

Grant Local computer permissions to the Service Account

On the Microsoft RDS broker, add the following permissions on the local computer:

  1. Log into your Microsoft RDS broker.
  2. Run compmgmt.msc or open Computer Management.
  3. Navigate to System Tools > Local Users and Groups > Groups.
  4. Add the Service Account you previously created to:
    • Performance Log Users
    • Users
  5. When you finish, click OK until you reach the Computer Management console. Your changes are saved automatically.
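
To confirm the result of both procedures, the following PowerShell audit reads back the local group memberships and the WMI namespace ACL on the broker. It is an added example, not part of the vendor's documentation; the account name `CONTOSO\svc-rds-connector` is a placeholder assumption, and the script only reads settings.

```powershell
# Added example: run in an elevated Windows PowerShell 5.1 session on the RDS broker.
# Assumption: $Account is a placeholder; replace it with your own service account.
$Account   = 'CONTOSO\svc-rds-connector'
$Namespace = 'root\cimv2\TerminalServices'
$Groups    = 'Performance Log Users', 'Users'

# WMI namespace access-mask bits, named as in the WMI Control security dialog.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
$Required = 'Remote Enable', 'Read Security'   # the two rights this article grants

# 1. Local group membership. Only direct members are listed, so an account that
#    reaches "Users" through a nested group (e.g. Domain Users) shows False here.
foreach ($g in $Groups) {
    $isMember = @(Get-LocalGroupMember -Group $g |
                  Where-Object Name -eq $Account).Count -gt 0
    '{0,-22} direct member: {1}' -f $g, $isMember
}

# 2. Read the namespace security descriptor and collect the account's allow ACEs.
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
}
$granted = 0
foreach ($ace in $result.Descriptor.DACL) {
    $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
    if ($trustee -eq $Account -and $ace.AceType -eq 0) {   # 0 = access allowed
        $granted = $granted -bor $ace.AccessMask
    }
}

# 3. Report every right so it can be compared against the two required ones.
foreach ($name in $WmiRights.Keys) {
    $has = ($granted -band $WmiRights[$name]) -ne 0
    $tag = if ($name -in $Required) { 'required' } else { 'not listed in this article' }
    '{0,-16} granted: {1,-5} ({2})' -f $name, $has, $tag
}
```

Rights reported as granted but "not listed in this article" are worth reviewing against your own least-privilege baseline before the account goes into production.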
