
We need to disallow the domain Administrator account from accessing a server directly via RDP. Our policy is to log on as a regular user and then use the Run As Administrator functionality. How can we set this up?

The server in question is running Windows Server 2012 R2 with Remote Desktop Session Host and Session Based RD Collection. Allowed User groups do not contain the domain Administrator user but somehow he is still able to log on.

Thank you.

r0b0

2 Answers

This seems to be what you are looking for: http://support.microsoft.com/kb/2258492

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege. To do this, open a group policy editor (either local to the server or from an OU) and set this privilege:

  1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.

  2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

  3. Find and double click "Deny logon through Remote Desktop Services"

  4. Add the user and / or the group that you would like to deny access.

  5. Click OK.

  6. Either run the command gpupdate /force /target:computer on the command prompt or wait for the next policy refresh for this setting to take effect.

Nassim
cornasdf
  • Anyone tested this to be working? – Pacerier Mar 13 '15 at 17:34
  • 4
    I think it's better to remove Administrators from "Allow logon" and add individual admins to "Remote desktop users" group – basin Jul 26 '16 at 12:16
  • @Pacerier I've tested this in 2012R2 and it works. My next attempt to RDP in told me I needed the right to sign in through Remote Desktop Services. I was still able to RDP in as another user though, and was able to connect to Administrator's existing desktop session through Task Manager. – mwfearnley Feb 09 '17 at 11:14
  • Thank you! I was actually searching a way to prevent a username to log in locally (making an RDP-only user), and I found it just next to this one. Neat. – Evengard Apr 03 '18 at 23:35
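The answer above describes steps 2 to 5 in the GUI. The script below is an added example (not part of the original answer) that applies the same "Deny log on through Remote Desktop Services" user right (SeDenyRemoteInteractiveLogonRight) to the local security policy with secedit and then reads the policy back to verify the change, instead of trusting the exit code. It assumes an elevated PowerShell session on the RDS host, and the account name is a placeholder.

```powershell
# Added example, not code from the original answer. Assigns the
# "Deny log on through Remote Desktop Services" right to one account in the
# LOCAL security policy via secedit, then re-exports the policy to confirm.
# Assumptions: elevated PowerShell on the RDS host; $Account is a placeholder.

$Account = 'CONTOSO\Administrator'          # placeholder, replace for your domain
$Right   = 'SeDenyRemoteInteractiveLogonRight'
$Work    = Join-Path $env:TEMP 'deny-rdp-logon'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Export  = Join-Path $Work 'current.inf'
$Apply   = Join-Path $Work 'apply.inf'
$Db      = Join-Path $Work 'apply.sdb'

# secedit stores principals as *SID, so resolve the account name to a SID first.
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

function Get-DenyRdpSids {
    # Returns the SIDs currently listed for the right in the local policy.
    secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $Export | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1].Trim()
    return ($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

$Current = Get-DenyRdpSids
if ($Current -contains $Sid) {
    Write-Host "$Account already holds $Right; nothing to do."
    return
}

# Merge the new SID into whatever is already assigned; writing the right with
# only the new SID would silently REPLACE the existing list.
$Merged = (@($Current) + $Sid | ForEach-Object { "*$_" }) -join ','

# Minimal security template. Single-quoted here-string so "$CHICAGO$" stays literal.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@
Set-Content -Path $Apply -Value ($Template + "`n$Right = $Merged") -Encoding Unicode

secedit /configure /db $Db /cfg $Apply /areas USER_RIGHTS | Out-Null

# Verify by reading the policy back rather than trusting secedit's exit code.
if ((Get-DenyRdpSids) -contains $Sid) {
    Write-Host "OK: $Account ($Sid) is now denied RDP logon on $env:COMPUTERNAME."
} else {
    Write-Warning "The right was not applied; inspect $Work\*.inf and the secedit log."
}
```

This edits the local policy only, which is the equivalent of step 1's Gpedit.msc path. If the same right is defined in a domain GPO linked to the server's OU, the domain setting wins at the next refresh, so in that case make the change in that GPO instead and run `gpupdate /force` as in step 6. As the comment from mwfearnley notes, the deny right stops new RDP logons for that account but does not disconnect a session it already has.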

I created a simple tool that does this and couple other features, you can find explanation here: https://www.linkedin.com/pulse/combating-ransomware-wannacry-more-home-user-edition-djenane

but essentially you can do it through command line:

Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
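The registry value in this answer is a machine-wide switch, not a per-user control: fDenyTSConnections = 1 turns off incoming RDP for everyone, 0 turns it on, so it does not by itself answer the question of denying one account. The following added example (not from the original answer) reads that value and reports its meaning, and lists the local "Remote Desktop Users" group, which is the other place to check when an unexpected account can still connect. It assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example, not code from the original answer. Audits the machine-wide
# RDP switch the "reg add" command writes and the local Remote Desktop Users
# group. Assumes elevated PowerShell on the host being checked.

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpListenerState {
    # fDenyTSConnections: 1 = incoming RDP denied for all users, 0 = allowed.
    $props = Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $deny  = if ($props) { $props.fDenyTSConnections } else { $null }
    $meaning = switch ($deny) {
        0       { 'RDP ALLOWED machine-wide; who may connect is decided by user rights and group membership' }
        1       { 'RDP DENIED machine-wide for every account' }
        default { 'value not present; check the listener with qwinsta or the RD configuration' }
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        fDenyTSConnections = $deny
        Meaning            = $meaning
    }
}

function Get-RemoteDesktopUsersMembers {
    # Members of the local "Remote Desktop Users" group via ADSI, which works
    # on Server 2012 R2 where Get-LocalGroupMember is not available.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

Get-RdpListenerState | Format-List
Write-Host 'Members of Remote Desktop Users:'
Get-RemoteDesktopUsersMembers
```

Note that on a session host the built-in Administrators group can connect regardless of Remote Desktop Users membership because it holds "Allow log on through Remote Desktop Services" by default, which is why the question's domain Administrator still gets in and why the accepted answer's explicit deny right (or basin's suggestion of removing Administrators from the allow right) is the per-account control.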