Home / server / Questions / 364858
Accepted
Anders
Asked: 2012-03-01 05:38:43 +0800 CST

Disable remote desktop through CMD or script in Windows 2008

  • 772

I'm looking for a way to disable Remote Desktop login for Windows 2008 for a specific user (a local administrator account), either using the command line or a script (such as VBS) in Windows 2008.

I understand I need to modify the local security policy, however, I have not found a way to perform this via either cmd or a script-based solution.

Anyone have any recommendations to how to solve this?

Best Regards

Anders L.

windows windows-server-2008 group-policy windows-command-prompt vbscript

4 Answers

  1. To disable remote desktop from windows command line run the below command as administrator:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

    To enable remote desktop from windows command line run the following command as administrator:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

    • 3

  2. Create a registry file (.reg) with this in it:

    Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001

    Then use regedit /s yourregfile.reg

    If you want to script it better than that, use vbscript:

    enable or disable rdp (remote desktop) on remote system.vbs

    If you want to learn more on managing local group policies, check this Microsoft KB, it seems to cover a lot: Step-by-Step Guide to Managing Multiple Local Group Policy Objects

    • 2 
  3. @echo off
setlocal
if {%1}=={} goto syntax
:loop
if {%1}=={} goto finish
set remote="\\%1\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
shift
reg.exe ADD %remote% /v fDenyTSConnections /t REG_DWORD /d 1 /f>nul 2>&1
if NOT %ERRORLEVEL% EQU 0 @echo %remote% NOT found.
goto loop
:syntax
@echo Syntax: RemoteDesktop Computer1 [Computer2 .... Computern]
goto loop
:finish
endlocal

    Save as a bat file, the open an CMD "rdpdisabler.bat PCNAME

    • 1
  4. Best Answer

    In the end I ended up using a solution built upon VBS (the horror) and secedit.

    ' Windows 2008

' Setting variables and default value.
Dim denyLine,newConfigFile,user,config,secExport,secVal,secImport
denyLine            = "None"

' Path and filename for both the exported configuration file from secedit as well
' as the modified configuration file, as well as the name of the user.
newConfigFile       = "C:\some_config.ini"
config              = "C:\some_new_config.ini"

' The Windows user previously created for this purpose.
user                = "some_user"

' secedit commands required for exporting, validating and importing the new local user policy.
secExport           = "secedit /export /cfg "&config&" /areas USER_RIGHTS"
secVal              = "secedit /validate " & newConfigFile
secImport           = "secedit /configure /db %windir%\security\user_updated.sdb /cfg "& newConfigFile &" /areas USER_RIGHTS"

' Setting up the required regular expressions.
Set deny            = New RegExp
Set rights          = New RegExp
deny.Pattern        = "^SeDenyRemoteInteractiveLogonRight"
rights.Pattern      = "^\[Privilege Rights\]$"

' Reading the configuration file, this reading object supports unicode (TriStateTrue).
Const ForReading    = 1
Const TriStateTrue  = -1
Const ForWriting    = 2

' Create the Windows shell to run the command to extract the local security policy.
Set WshShell        = WScript.CreateObject("WScript.Shell")

' Only export the section we wish to append this information within.
export              = WshShell.Run(secExport,1,vbTrue)

' Verify the return code.
if export <> 0 Then
    WScript.Quit 1
End If

' Create the file object.
Set objFSO          = CreateObject("Scripting.FileSystemObject")

' Verify that the file exist.
If (objFSO.FileExists(config)) Then
    Set objFile         = objFSO.OpenTextFile(config,ForReading,False,TriStateTrue)
    strData             = objFile.ReadAll

    ' Closing the file descriptior.
    objFile.Close

    ' Placing the content of the file into an array.
    arrLines            = Split(strData,vbCrLf)
Else
    ' Quit if the file does not exist.
    WScript.Quit 1
End If

' Open the new configuration file, where we are appending the modified/new rule.
Set filetxt         = objFSO.OpenTextFile(newConfigFile,ForWriting,TriStateTrue)

' Walking over the array looking for an already existing configuration.
For Each strLine in arrLines
    If deny.Test(strLine) Then
        denyLine = strLine
    End If
Next

' Verify if a previous configuration exists.
If denyLine <> "None" Then
    ' There is already an existing configuration, append ADDM user to this line.
    denyLine = denyLine & "," & user
Else
    ' No existing previous configuration exists, create a new line with the new user.
    denyLine = "SeDenyRemoteInteractiveLogonRight = " & user
End If

' Write changes to the new configuration file.
For Each strLine in arrLines
    ' Make sure the line has content.
    if len(strLine) <> 0 Then
        ' Do not write the old configuration, look for everything except that line.
        if NOT deny.Test(strLine) Then
            'If we find the line line [Privilege Rights] append our modified line after.
            if rights.Test(strLine) Then
                filetxt.WriteLine(strLine)
                filetxt.WriteLine(denyLine)
            ' Otherwise keep writing everything else as normal.
            else
                filetxt.WriteLine(strLine)
            End If
        End If
    End If
Next

' Close the file descriptor.
filetxt.Close

' Validate the syntax in the new config file.
validate              = WshShell.Run(secVal,1,vbTrue)

' Verify the return code.
if validate <> 0 Then
    WScript.Quit 1
End If

import                = WshShell.Run(secImport,1,vbTrue)

' Verify the return code.
if import <> 0 Then
    WScript.Quit 1
End If

WScript.Quit 0
    • 1