---
title: "Restricting/Limiting Users' Access to Workspot Desktop During Maintenance"
slug: "restricting-users-to-access-workspot-desktop-during-maintenance"
updated: 2025-12-04T10:11:32Z
published: 2025-12-04T10:11:32Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.workspot.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Restricting/Limiting Users' Access to Workspot Desktop During Maintenance

#### **Requirement:**

A customer needed to temporarily block remote access for all users except a selected few during planned maintenance. Only specific AD users should connect via RD Gateway.

By default, RD Gateway Connection Authorization Policy (CAP) includes the *Domain Users* group, allowing everyone to access VDI resources.

#### **Steps for A****D-based Gateway Authentication:**

- **Create AD Security Group:**Create a new group (e.g., *RemoteAccessAllowed*) and add only the approved users.
- **Access RD Gateways:**Log in to gateways (if HA) and open **RD Gateway Manager**.
- **Modify CAP Policy:**Go to *Policies → Connection Authorization Policies*. Edit the existing CAP: remove *Domain Users* and add the new group.
- **Apply Changes:**Save the policy and restart the RD Gateway service.
- **Disconnect Unallowed Sessions (Optional):**From Monitoring, manually disconnect active sessions not in the allowed group.
- **Verify:**Test with a user in the new group (allowed) and a user outside it (denied).

#### **Outcome**

Only users in the custom AD group are allowed to access, successfully restricting remote connections during maintenance.

#### **Note**

- Apply changes to both RD Gateways if using a high-availability setup.
- Restore the changes to normal after maintenance