How can I use user data to add a new user account with RDP access to my Amazon EC2 instance?


I want to use user data to add another user that can connect to my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance with RDP.

Short description

You can put PowerShell commands in the instance's user data to create a new local user with RDP permissions. The commands run as the local SYSTEM account during boot. When you launch a new instance, the user data script runs once, during the first boot. On an instance that you launched previously, user data doesn't run again by default: you must stop the instance, update the user data, and configure EC2Launch or EC2Config to run the script on the next boot (the linked documentation describes this, including the persist tag that makes user data run on every boot).

For more information, see EC2Config settings files and Run commands on your Windows instance at launch.

Resolution

Before you use this method, note the following:

  • User data is stored and served in plaintext. Anyone who can view the instance's user data in the console or through the DescribeInstanceAttribute API, and any process on the instance that can query the instance metadata service, can read a password that you embed in it. Treat the example password as a temporary credential: change it after the first sign-in, or have the script retrieve the password from AWS Secrets Manager or an SSM Parameter Store SecureString parameter at boot instead of embedding it.
  • Members of the Administrators group can sign in over RDP without being in Remote Desktop Users. Add the account to Administrators only if it genuinely needs local administrator rights.
  • The example script isn't idempotent: New-LocalUser fails if the account already exists. If you configure user data to run on every boot, add a check for the existing account first.

Add PowerShell script to instance at launch

If you want to launch your instance for the first time, then complete the following steps:

  1. From the EC2 instance launch wizard, choose Advanced.

  2. Under Advanced Details, choose User data.

  3. Enter the following PowerShell script:

    <powershell>
    # Creates an enabled local account that never expires. The password is embedded here in
    # plaintext, so anyone who can read the instance's user data can read it. Replace it before use.
    $user = New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'ExampleP@ssword!') -Name "RDPUser" -FullName "Local RDPUser" -Description "Local Administrator"
    # Optional: local administrator rights. Remove this line if the account only needs RDP sign-in.
    Add-LocalGroupMember -Group "Administrators" -Member $user
    # Grants RDP sign-in to an account that is not an administrator.
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $user
    </powershell>

    Note: This example script creates a new local user account named RDPUser with the password ExampleP@ssword!. The account is enabled, doesn't expire, and includes a brief description. The script then adds the account to both the Administrators group and the Remote Desktop Users group. Membership in Remote Desktop Users is what grants a non-administrator account the right to sign in over RDP. Add the account to Administrators only if it needs local administrator rights; otherwise, remove that line. Replace the example password before you launch: the user data, including the password, is readable by anyone who can view the instance's user data and by any process on the instance that can query the instance metadata service.

  4. Launch your EC2 instance.

Add PowerShell script to instance after launch

If your EC2 instance is already launched, then complete the following steps:

  1. Stop your EC2 instance.

  2. In the Amazon EC2 console, choose your instance and then open the Actions menu.

  3. Choose Instance Settings, and then choose View/Change User data.

  4. In the User data section, add the following PowerShell script:

    <powershell>
    # Creates an enabled local account that never expires. The password is embedded here in
    # plaintext, so anyone who can read the instance's user data can read it. Replace it before use.
    $user = New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'ExampleP@ssword!') -Name "RDPUser" -FullName "Local RDPUser" -Description "Local Administrator"
    # Optional: local administrator rights. Remove this line if the account only needs RDP sign-in.
    Add-LocalGroupMember -Group "Administrators" -Member $user
    # Grants RDP sign-in to an account that is not an administrator.
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $user
    </powershell>

    Note: This example script creates a new local user account named RDPUser with the password ExampleP@ssword!. The account is enabled, doesn't expire, and includes a brief description. The script then adds the account to both the Administrators group and the Remote Desktop Users group. Membership in Remote Desktop Users is what grants a non-administrator account the right to sign in over RDP. Add the account to Administrators only if it needs local administrator rights; otherwise, remove that line. Replace the example password before you start the instance: the user data, including the password, is readable by anyone who can view the instance's user data and by any process on the instance that can query the instance metadata service. Because this instance already completed its first boot, the script runs only if you configured EC2Launch or EC2Config to run user data again on the next boot.

  5. Start your instance.
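The following user data script is an added example, not the script from this article, and it serves both procedures above (a first launch and a stopped instance that is configured to run user data again). Instead of embedding the password, it reads it at boot from an SSM Parameter Store SecureString parameter through the instance profile, so the password never appears in user data or in the instance metadata service. It is also safe to run more than once and grants RDP sign-in only, not administrator rights. The parameter name /ec2/rdp/RDPUser/password and the log path are assumptions; the instance profile is assumed to allow ssm:GetParameter on that parameter (and kms:Decrypt if the parameter uses a customer managed key), and the AWS Tools for PowerShell module, which is preinstalled on AWS Windows AMIs, is assumed to be available.

```powershell
<powershell>
# Added example (not the original article's script). Creates an RDP-only local user whose
# password comes from SSM Parameter Store at boot instead of from the user data itself.
# Assumptions (not from the article): the instance profile can call ssm:GetParameter on the
# parameter below, and the AWS Tools for PowerShell cmdlet Get-SSMParameter is installed.
$ErrorActionPreference = 'Stop'
$logFile   = 'C:\ProgramData\Amazon\rdpuser-setup.log'   # assumed log location
$userName  = 'RDPUser'
$paramName = '/ec2/rdp/RDPUser/password'                 # assumed SecureString parameter
$rdpGroup  = 'Remote Desktop Users'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $logFile -Append
}

try {
    # The region is resolved from instance metadata by the AWS Tools on EC2.
    # The decrypted value is held only in memory and is not written anywhere.
    $plain  = (Get-SSMParameter -Name $paramName -WithDecryption $true).Value
    $secret = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Remove-Variable plain

    # Idempotent: New-LocalUser fails if the account already exists, so check first.
    # If it exists, only the password is reset; other attributes are left as they are.
    $user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $userName -Password $secret -FullName 'Local RDPUser' `
                    -Description 'RDP-only local user' -AccountNeverExpires
        Write-Log "Created local user $userName"
    } else {
        Set-LocalUser -Name $userName -Password $secret
        Write-Log "Local user $userName already existed; password reset from parameter"
    }

    # Least privilege: Remote Desktop Users is enough for RDP sign-in. The account is
    # deliberately not added to Administrators. Member names look like COMPUTER\RDPUser.
    $isMember = Get-LocalGroupMember -Group $rdpGroup -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -like "*\$userName" }
    if (-not $isMember) {
        Add-LocalGroupMember -Group $rdpGroup -Member $user
        Write-Log "Added $userName to '$rdpGroup'"
    } else {
        Write-Log "$userName is already a member of '$rdpGroup'"
    }
}
catch {
    # Surface the failure in the log and rethrow so EC2Launch records a non-zero result.
    Write-Log "FAILED: $($_.Exception.Message)"
    throw
}
</powershell>
```

Create the parameter before you launch, for example with `aws ssm put-parameter --name /ec2/rdp/RDPUser/password --type SecureString --value '<password>'`, and scope the instance profile's ssm:GetParameter permission to that parameter's ARN rather than to all parameters. Rotating the password then means updating the parameter and letting the script run again, with no change to user data.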

Validate that the user account is created

To check that the user account is created, run the following commands from a PowerShell prompt on the instance, for example through an AWS Systems Manager Session Manager session or a PowerShell remoting (PSSession) connection.

Run this command to create the variable $usernamelist. This variable holds every user account where LocalAccount is true, which excludes domain accounts. Get-CimInstance is used instead of the deprecated Get-WmiObject, which isn't available in PowerShell 7.

$usernamelist = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True'" |
Select-Object Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable, SID

Run this command to get a detailed view of the user account that you created. In this example, the account is RDPUser. Filtering on the Name property is more precise than a text search over the whole object, so a partial match such as RDPUser2 isn't reported by mistake.

$usernamelist | Where-Object Name -eq 'RDPUser'
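The listing above only shows that the account exists. The following function is an added example, not part of the original article, that also checks what the script was supposed to achieve: the account is enabled, it is in Remote Desktop Users, it is not in Administrators unless you intended that, and RDP is actually enabled and listening, because group membership is moot if the instance refuses connections. It reads state only and changes nothing. The function name and the default user name are the author's choices.

```powershell
# Added example (not from the original article): report whether the user data script
# produced a usable RDP account. Run on the instance from an elevated PowerShell prompt.
function Test-RdpUserSetup {
    param([string]$UserName = 'RDPUser')   # assumed default; pass the name you used

    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue

    # Local group members are reported as COMPUTERNAME\User or DOMAIN\User, so match on the suffix.
    $memberOf = foreach ($group in 'Remote Desktop Users', 'Administrators') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -like "*\$UserName" }) { $group }
    }

    # fDenyTSConnections = 1 means Remote Desktop is disabled system-wide.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections
    # TermService must be listening on 3389 for any RDP client to connect.
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        UserName        = $UserName
        UserExists      = [bool]$user
        Enabled         = if ($user) { $user.Enabled } else { $false }
        PasswordExpires = if ($user) { $user.PasswordExpires } else { $null }
        MemberOf        = ($memberOf -join ', ')
        IsAdministrator = ($memberOf -contains 'Administrators')
        CanUseRdp       = ($memberOf -contains 'Remote Desktop Users') -or ($memberOf -contains 'Administrators')
        RdpEnabled      = ($ts.fDenyTSConnections -eq 0)
        Port3389Listen  = $listening
    }
}

Test-RdpUserSetup -UserName 'RDPUser' | Format-List
```

If UserExists is true but CanUseRdp is false, the Add-LocalGroupMember lines did not run; if IsAdministrator is true for an account that was only meant to use RDP, remove it from Administrators with Remove-LocalGroupMember.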

Troubleshoot issues

If you experience issues, then use the following troubleshooting tips:

  • If the user account isn't created, confirm that the instance can reach the instance metadata service and retrieve its user data. Check that a route to 169.254.169.254 exists (route print), and that a request to http://169.254.169.254/latest/user-data returns HTTP 200 (Invoke-WebRequest; if the instance enforces IMDSv2, include a session token). Any other response means that the instance never received the script, so review the instance user data.
  • Check the instance's local user data logs. For more information, see How can I troubleshoot running user data scripts to configure my EC2 Windows instance?
  • Test the script on a local computer before you run it on the instance. Confirm that the instance runs a PowerShell version the script supports (the New-LocalUser and Add-LocalGroupMember cmdlets require Windows PowerShell 5.1 or later), and that the script runs correctly on a second instance.
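The metadata checks in the first tip, written out as an added example that is not part of the original article. It confirms the route, requests an IMDSv2 session token (required when the instance enforces IMDSv2, and harmless otherwise), fetches the user data, and reports the HTTP status instead of silently failing. Because this is exactly how any local process can read user data, the function also warns when the retrieved script contains a plaintext password. The function name is the author's choice.

```powershell
# Added example (not from the original article): check from inside the instance that the
# instance metadata service is reachable and that the user data script actually arrived.
function Get-Ec2UserData {
    $imds = 'http://169.254.169.254'

    # The metadata address is a link-local route on the primary interface.
    $route = route print | Select-String -SimpleMatch '169.254.169.254'
    if (-not $route) {
        Write-Warning 'No route entry for 169.254.169.254; the metadata service is unreachable'
    }

    # IMDSv2: a PUT for a session token, then the token header on every request.
    $token = Invoke-RestMethod -Method PUT -Uri "$imds/latest/api/token" `
                 -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 5

    try {
        $resp = Invoke-WebRequest -UseBasicParsing -Uri "$imds/latest/user-data" `
                    -Headers @{ 'X-aws-ec2-metadata-token' = $token } -TimeoutSec 5
    }
    catch {
        # Invoke-WebRequest throws on non-2xx; a 404 here means no user data is attached.
        $status = $_.Exception.Response.StatusCode.value__
        throw "User data request failed (HTTP $status): $($_.Exception.Message)"
    }
    if ($resp.StatusCode -ne 200) { throw "User data request returned HTTP $($resp.StatusCode)" }
    $resp.Content
}

$userData = Get-Ec2UserData

# Anything in user data is readable this way by every process on the instance, so a
# plaintext password here is exposed; flag it rather than rely on it.
if ($userData -match 'ConvertTo-SecureString\s+-AsPlainText') {
    Write-Warning 'User data contains a plaintext password; retrieve it from Secrets Manager or SSM Parameter Store at boot instead.'
}
$userData
```

If the token request itself fails, the instance can't reach the metadata service at all, which points to the route or to a host firewall rather than to the user data. If the content is returned but the account still isn't created, the script ran and failed, so the user data logs from the second tip are the next place to look.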
AWS OFFICIAL, updated 3 months ago