
I have a Windows 2008 Terminal Server. Terminal Server configuration (licence server, session broker, etc.) is managed by group policy. If I want to disable logon via:

change logon /disable

the error message is: "Connections are currently ENABLED by Group Policy for this machine, unable to change."

Is there a smart way to fix this?

By the way, is there some way to look into the session broker database?

quentin

2 Answers


There's a group policy setting that explicitly sets this, located here: Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> "Allow users to connect remotely via Terminal Services"

To fix the issue, you need to unset (not 'disable') this on the GPO. After a policy refresh you should get back the ability to control logon availability.

Chris Thorpe

  • While I agree this is the problem and changing the policy may fix the issue, given the current OU/GPO structure making this change is not an option. Are there any alternatives? One thing that looks tempting is in the Session Host Configuration. There is an option `User Login Mode` where you can set the host to prevent new connections. Do you know how to modify the `User Login Mode` from a script/command line? I would like to be able to toggle between `Allow all` and `Prevent reconnections`. – Zoredache Jun 20 '10 at 07:31
  • There's no way of fixing the issue unless you can somehow remove that policy's application to that particular server. You could do this by creating a dedicated OU for the terminal server, moving the terminal server object into this OU, and creating a copy of the policy applied to the previous OU and setting 'block inheritance' on the OU. Then just take off the one setting you wanted to remove. I'm not aware of a non-GPO solution to this, as bypassing GPO settings is generally not possible regardless of the approach. By design. – Chris Thorpe Jun 20 '10 at 08:23
  • As an update for people finding this answer via Google, the policy is now located in Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> "Allow users to connect remotely using Remote Desktop Services" – NorbyTheGeek Dec 26 '12 at 14:43
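The following is an added diagnostic script (not part of this thread or of any answer) that shows why `change logon` refuses: when the "Allow users to connect remotely" policy is set, Group Policy writes its own copy of the connection flag under the Policies hive and that copy takes precedence over the local one. The registry paths and value name are assumptions from the standard Terminal Services locations; verify them on your build.

```powershell
# Added example, not from the thread. Reports whether TS/RDP connection
# availability on this host is governed by Group Policy (in which case
# "change logon /disable" is refused) or by the local setting.
# Assumed locations (verify on your build):
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$valueName = 'fDenyTSConnections'   # 0 = connections allowed, 1 = denied

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Get-TsConnectionGovernance {
    $policy = Get-RegValueOrNull -Path $policyKey -Name $valueName
    $local  = Get-RegValueOrNull -Path $localKey  -Name $valueName
    [pscustomobject]@{
        PolicyManaged = ($null -ne $policy)
        PolicyValue   = $policy
        LocalValue    = $local
        # Group Policy's copy wins whenever it exists
        Effective     = if ($null -ne $policy) { $policy } else { $local }
    }
}

$state = Get-TsConnectionGovernance
$state | Format-List

if ($state.PolicyManaged) {
    Write-Host "Connections are policy-managed; 'change logon' cannot toggle them."
    Write-Host "Unset the policy or scope it away from this server (see answers above)."
    # Show which GPO delivers the setting (computer-scope RSoP, needs admin rights)
    gpresult /scope computer /v |
        Select-String -Pattern 'fDenyTSConnections', 'Allow users to connect remotely'
} else {
    Write-Host "Not policy-managed; 'change logon /enable' and '/disable' will work."
}
```

Run it in an elevated PowerShell session on the terminal server; the `gpresult` lines identify the GPO to unset or block, rather than working around it.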

You can also remove Group Policy's ability to actually apply that setting by setting up the permissions without System. Mark Russinovich has a good article on doing this.

http://blogs.technet.com/b/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx

This is slightly better than a Scheduled Task to change the registry value. I wouldn't call it elegant, though :)

But really, the right way to do this is to either unset the Group Policy (as Chris Thorpe said), or disable inheritance for the server's OU and make another GPO without that particular policy.

EDIT: You can also use WMI filtering to exclude that particular server from receiving the entire policy. Note that if a particular GPO is filtered out, the ENTIRE GPO's policies are not applied. If you go this route, I'd recommend breaking out the Terminal Server connection policy into a new GPO, so the rest of the settings aren't ignored.

Microsoft TechNet info: http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx

Filtering based on computer name (scroll down for the answer): http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_22864893.html

Jeff McJunkin