1

I have a server (Windows 2003) and different users connect to the server via Remote Desktop Connection. All users have admin rights on it. So sometimes it becomes very difficult for me to RDC to the server because the number of sessions exceeds the limit. The only solution I am looking at now is to restrict the console RDC session to the administrator only. Is it possible?

Greg Askew
shikran
  • You can always connect to the session with ID 0 using the **mstsc /admin or /console** switch. Is the server part of the domain or a standalone host? – Volodymyr Molodets Feb 22 '13 at 09:38
  • Thanks, it's a standalone server. I can't always connect with session ID 0, because sometimes another user is connected to the console and if I connect, his work might be affected. I only want to restrict the console session to the administrator. – shikran Feb 22 '13 at 10:40
  • I'd like to point out that unless you've purchased terminal server licensing, RDP can **only** be used for remote administration of the server. Anything else is a violation of the license agreement. – MDMarra Feb 22 '13 at 15:17

2 Answers

1

Well, this is not a good solution, but, nevertheless it's worth trying:

Method 1.

Go to Start > Run > gpedit.msc.

Then go to Administrative Templates > Windows Components > Terminal Services and enable the setting “Deny Log off of an administrator logged into the console session”. If the status is set to Enabled, logging off the connected administrator is not allowed.

Run “gpupdate.exe /force” from Command Prompt.

So, in other words, what you need to do is to log in to session 0, have the local computer policy configured as above and NOT log off from the machine. Others won't be able to take over your session.


Hope this helps.

Method 2.

Found a nice article that describes how to change which users or Administrators can connect to the console session:

1. To allow a normal user to connect to the console session, use the following command:

WMIC RDPermissions where "TerminalName='console'" call AddAccount "domain\UserName", 2

2. To deny administrators access to the console session, use the following command:

  WMIC RDAccount where "TerminalName='console' and AccountName like '%administrators%'" call delete

3. To restore the default setting:

   WMIC RDPermissions where "TerminalName='console'" call RestoreDefaults

So performing the 2nd command and then using the 1st command with your account should give you what you want. Haven't tried it myself, though.

Volodymyr Molodets
  • Thanks. The first solution does not fulfil my requirement, as I need to log off the server sometimes for other reasons. Method 2 is much closer to what I was looking for. I have tried it, but the issue I am facing is that it also restricts the administrator a/c as well, and I do not want to restrict the administrator a/c using the console. I tried to use the other parameter in AccountName like %dba% but it throws an error. So how can I restrict users but not the administrator? – shikran Mar 13 '13 at 07:30
1

First:

wmic RDAccount where "TerminalName='Console' and AccountName like '%Administrators%'" call delete

This removes the AdministratorS (group) permissions

Then:

wmic RDPermissions where "TerminalName='Console'" call AddAccount "Administrator", 2

This adds back the local Administrator (user)

Sources:

http://hdgtechnotes.blogspot.com/2014/04/how-to-prevent-access-to-console.html - my blog!

http://support.microsoft.com/kb/290720/EN-US

goofology
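The two-step change from the answers above, wrapped in a before/after listing and a rollback so that a failed step does not leave the console without an administrator. This is an added example, not part of the original answers. The ADMIN_ACCT variable, the two `find` checks and the rollback flow are assumptions, and the script is meant to be run from a command prompt on the server itself.

```batch
@echo off
setlocal
rem Added example. ADMIN_ACCT is an assumption: the single account that
rem should keep access to the console session.
set "ADMIN_ACCT=Administrator"

echo --- Console permissions before the change ---
wmic RDAccount where "TerminalName='Console'" get AccountName,PermissionsAllowed

rem Inside a batch file every literal percent sign must be doubled;
rem otherwise cmd.exe reads the LIKE pattern as an environment variable.
wmic RDAccount where "TerminalName='Console' and AccountName like '%%Administrators%%'" call delete

rem Preset 2 is the value used in the answers above (full access).
wmic RDPermissions where "TerminalName='Console'" call AddAccount "%ADMIN_ACCT%", 2

echo --- Console permissions after the change ---
wmic RDAccount where "TerminalName='Console'" get AccountName,PermissionsAllowed

rem Check 1: the Administrators group entry must be gone.
wmic RDAccount where "TerminalName='Console'" get AccountName | find /i "Administrators" >nul
if not errorlevel 1 goto rollback

rem Check 2: with the group gone, a match on the account name means the
rem individual account was added back.
wmic RDAccount where "TerminalName='Console'" get AccountName | find /i "%ADMIN_ACCT%" >nul
if errorlevel 1 goto rollback

echo OK: the Administrators group is removed and %ADMIN_ACCT% is listed.
goto :eof

:rollback
echo Verification failed, restoring the default console permissions.
wmic RDPermissions where "TerminalName='Console'" call RestoreDefaults
exit /b 1
```

When the same commands are typed interactively instead of run from a file, use single percent signs as shown in the answers.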