Requirement:
A customer needed to temporarily block remote access for all users except a selected few during planned maintenance: only specific AD users should be able to connect through the RD Gateway.
The existing RD Gateway Connection Authorization Policy (CAP), as created at deployment, contains the Domain Users group, so every domain account is authorized to connect through the gateway to the VDI resources.
Steps for AD group-based Gateway Authorization (the CAP controls who may connect, not how they authenticate):
Create AD Security Group: Create a new group (e.g., RemoteAccessAllowed) and add only the approved users. Include the admin accounts that will reach the gateways remotely during the maintenance; once Domain Users is removed, anyone outside the group is locked out, administrators included.
Access RD Gateways: Log in to each RD Gateway server (both nodes in an HA setup, unless they share a central NPS server as the CAP store, in which case the policy is edited there) and open RD Gateway Manager. Back up the NPS configuration before changing anything so the original policy can be restored afterwards.
Modify CAP Policy: Go to Policies → Connection Authorization Policies and edit the existing CAP: add the new group first, then remove Domain Users, so the policy never has an empty user-group list. The Resource Authorization Policy (RAP) also lists user groups; it can stay as it is, because a user who fails the CAP is denied before the RAP is consulted.
Apply Changes: Save the policy. The change applies to new connection attempts immediately; restarting the RD Gateway service is not required, and if you do restart it, be aware that it drops every active session, allowed users included.
Disconnect Unallowed Sessions (Optional): A CAP is evaluated only when a connection is established, so users who connected before the change keep their sessions. From Monitoring in RD Gateway Manager, disconnect the active sessions of users who are not in the allowed group.
Verify: Test with a user in the new group (expected: connects) and a user outside it (expected: denied at the gateway). The TerminalServices-Gateway operational event log on the gateway records each allowed and denied connection together with the policy that matched, which is the quickest way to confirm the CAP is the one taking effect.
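The same procedure as a PowerShell script, added here as an illustration and not part of the original write-up. It uses the RemoteDesktopServices provider (the RDS: drive available on a gateway server) for the CAP edit and the gateway's WMI connection class for the disconnects. The domain name CONTOSO, the group name RemoteAccessAllowed and the CAP name RDG_CAP_AllUsers are assumptions to replace with your own; run it elevated on each gateway node that keeps its own local NPS store.

```powershell
# Added example (not from the original write-up): restrict an RD Gateway CAP to one AD group,
# then drop sessions of users outside that group. Run elevated on each RD Gateway node.
# Assumed names: domain CONTOSO, group RemoteAccessAllowed, CAP RDG_CAP_AllUsers.
Import-Module RemoteDesktopServices   # provides the RDS: drive (RD Gateway role must be installed)
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'
$Group      = 'RemoteAccessAllowed'
$CapName    = 'RDG_CAP_AllUsers'     # list the real names with: Get-ChildItem RDS:\GatewayServer\CAP
$UserGroups = "RDS:\GatewayServer\CAP\$CapName\UserGroups"

# Resolve the allowed users once (nested groups flattened) and use the list twice:
# once to guard against locking ourselves out, once to pick sessions to disconnect.
$allowed = Get-ADGroupMember -Identity $Group -Recursive |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty SamAccountName
if ($allowed -notcontains $env:USERNAME) {
    throw "Add $env:USERNAME to $Group before removing Domain Users from the CAP."
}

# Step 3: add the new group first, then remove Domain Users, so the CAP is never empty.
# The provider names user-group entries "Group@Domain".
$current = (Get-ChildItem -Path $UserGroups).Name
if ($current -notcontains "$Group@$Domain") {
    New-Item -Path $UserGroups -Name "$Group@$Domain" | Out-Null
}
if ($current -contains "Domain Users@$Domain") {
    Remove-Item -Path "$UserGroups\Domain Users@$Domain"
}
Write-Host "CAP '$CapName' user groups now:"
Get-ChildItem -Path $UserGroups | Select-Object -ExpandProperty Name

# Step 5: CAPs are evaluated only at connect time, so users who connected before the change
# keep their sessions. Disconnect every active connection whose user is not in the group.
$conns = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGatewayConnection
foreach ($c in $conns) {
    $sam = ($c.UserName -split '\\')[-1]          # UserName is reported as DOMAIN\user
    if ($allowed -notcontains $sam) {
        Write-Host "Disconnecting $($c.UserName) -> $($c.ConnectedResource)"
        Invoke-CimMethod -InputObject $c -MethodName Disconnect | Out-Null
    }
}
```

The order of the two CAP edits matters: adding the group before removing Domain Users means a failure halfway through leaves a policy that still admits the approved users rather than nobody. Reverting after maintenance is the same two operations the other way round (New-Item for Domain Users@CONTOSO, then Remove-Item for the temporary group), repeated on each gateway.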
Outcome
Only members of the custom AD group can connect through the gateway, which restricts remote access for the duration of the maintenance.
Note
Apply the changes to both RD Gateways if using a high-availability setup; otherwise clients balanced to the unchanged node are still admitted.
After maintenance, revert the CAP on every gateway (add Domain Users back or restore the NPS configuration backup) and re-test with a regular user to confirm normal access has returned.