Home / server / Questions / 598278
Accepted
r0b0
Asked: 2014-03-27 02:03:24 +0800 CST

How to disable RDP access for Administrator

  • 772

We need to disallow the domain Administrator account to access a server directly via RDP. Our policy is to log on as regular user and then use Run As Admin functionallity. How can we set this up?

The server in question is running Windows Server 2012 R2 with Remote Desktop Session Host and Session Based RD Collection. Allowed User groups do not contain the domain Administrator user but somehow he is still able to log on.

Thank you.

remote-desktop

2 Answers

  1. Best Answer

    This seems to be what you are looking for: http://support.microsoft.com/kb/2258492

    To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege. To do this access a group policy editor (either local to the server or from a OU) and set this privilege:

    1. Start | Run | Gpedit.msc if editing the local policy or chose the appropriate policy and edit it.

    2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

    3. Find and double click "Deny logon through Remote Desktop Services"

    4. Add the user and / or the group that you would like to dny access.

    5. Click ok.

    6. Either run the command gpupdate /force /target:computer on the command prompt or wait for the next policy refresh for this setting to take effect.

    • 39

  2. I created a simple tool that does this and couple other features, you can find explanation here: https://www.linkedin.com/pulse/combating-ransomware-wannacry-more-home-user-edition-djenane

    but essentially you can do it through command line:

    Reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server”  /v fDenyTSConnections /t REG_DWORD /d 0 /f
    • -3