Denying\Allowing Remote Desktop Users in Windows 2008 Server R2

remote desktop, remote-desktop-services, users

I'm managing a W2008 Server box. For maintenance I need, for some hours, to deny access to all users in Remote Desktop Users and allow Administrators only. I've tried in gpedit.msc under user rights to deny the Users group, but Administrators still can't log in because it returns a rights error. Please, I'm so desperate, any help? Why, if I deny the Users group remote desktop connection, can't Administrators log in either? Thank you!

Best Answer

Why, if I deny the Users group remote desktop connection, can't Administrators log in either?

This is the normal ACL behavior on Windows. DENY takes precedence over allows. If you deny all users, then all users will be denied. If you don't want some users to have access to something, you need to remove the ACE that permits that group of users access.

For maintenance I need, for some hours, to deny access to all users in Remote Desktop Users and allow Administrators only.

Instead of messing around with permissions, why not disable new connections by putting the terminal server into drain mode?

Adjust the drain-mode registry value with one of these options. Administrators will still be able to connect when using the /admin switch.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSServerDrainMode
0 = Allow all connections
1 = Allow reconnections, but prevent new logon until reboot
2 = Allow reconnections, but prevent new logon

You can also enable drain-mode through the GUI.
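
The registry change described in this answer, as an added PowerShell example (not part of the original answer): it reads the current TSServerDrainMode value, writes a new one, and verifies the write so the previous state can be restored after maintenance. The function names Get-DrainMode and Set-DrainMode are hypothetical, and treating a missing value as 0 and the value type as REG_DWORD are assumptions.

```powershell
# Added example; run from an elevated PowerShell prompt on the terminal server.
# Key path and value name are the ones given in the answer above.
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ValueName = 'TSServerDrainMode'
$ModeText  = @{
    0 = 'Allow all connections'
    1 = 'Allow reconnections, but prevent new logon until reboot'
    2 = 'Allow reconnections, but prevent new logon'
}

function Get-DrainMode {
    # Assumption: a missing value means the server is not draining (mode 0).
    $prop = Get-ItemProperty -Path $TsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$ValueName
}

function Set-DrainMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 2)]
        [int]$Mode
    )
    $before = Get-DrainMode
    # An [int] value is written by the registry provider as REG_DWORD.
    Set-ItemProperty -Path $TsKey -Name $ValueName -Value $Mode
    $after = Get-DrainMode
    if ($after -ne $Mode) {
        throw "$ValueName is $after, expected $Mode"
    }
    # Report the transition so the change is visible in the session transcript.
    "{0}: {1} -> {2} ({3})" -f $ValueName, $before, $after, $ModeText[$after]
}

# Usage for a maintenance window (left commented out so loading the script
# does not change the server):
#   $saved = Get-DrainMode          # remember the state before maintenance
#   Set-DrainMode -Mode 2           # block new logons, keep reconnections
#   ...maintenance; administrators connect with the /admin switch...
#   Set-DrainMode -Mode $saved      # restore the previous state
```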
