Scalable way to manage RDP access to desktops

[Guest]

My company is looking to implement a policy where users can RDP into their
own desktop but nobody elses. The problem is that we would want to do this
centrally in AD as opposed to on the local machines (Adding the user
individually to the RDP Users local group). The one idea I have come up with
is to create a group named after each machine in AD such as "machineabc-rdp"
and to add the user who should have access to it to the correct group. The
problem is we would need to do this for some 25,000 clients.

Any other ideas or advice?

 

[Shenan Stanley]

My company is looking to implement a policy where users can RDP
into their own desktop but nobody elses. The problem is that we
would want to do this centrally in AD as opposed to on the local
machines (Adding the user individually to the RDP Users local
group). The one idea I have come up with is to create a group named
after each machine in AD such as "machineabc-rdp" and to add the
user who should have access to it to the correct group. The problem
is we would need to do this for some 25,000 clients.

Any other ideas or advice?

Script to push out membership based off a file containing
username/computername matches.

Otherwise... well - only give those who ask/you know need it such access.
You are trying to limit it so much that you are making it difficult on
yourself - especially with that many users/systems. My bet would be 1/4 of
them might actually utilize it - and that is being EXTREMELY optimistic.
The number is likely closer to 3-5% of total users.