How to disable RDP access for Administrator

remote desktopwindows-server-2012-r2windows-terminal-services

We need to disallow the domain Administrator account to access a server directly via RDP. Our policy is to log on as regular user and then use Run As Admin functionallity. How can we set this up?

The server in question is running Windows Server 2012 R2 with Remote Desktop Session Host and Session Based RD Collection. Allowed User groups do not contain the domain Administrator user but somehow he is still able to log on.

Thank you.

Best Answer

This seems to be what you are looking for: http://support.microsoft.com/kb/2258492

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege. To do this access a group policy editor (either local to the server or from a OU) and set this privilege:

Start | Run | Gpedit.msc if editing the local policy or chose the appropriate policy and edit it.

Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

Find and double click "Deny logon through Remote Desktop Services"

Add the user and / or the group that you would like to dny access.

Click ok.

Either run the command gpupdate /force /target:computer on the command prompt or wait for the next policy refresh for this setting to take effect.

Best Answer

Related Solutions

Windows – seamless rdp mode for windows

Security – Remote Desktop Connection Denied because the user account is not authorized for remote login

Related Topic