Feedler
asked on
Restrict user to Terminal Server console session
Hi,
I am setting up a server that will be running a SCADA system (Wonderware) and will be running Terminal Services on Windows Server 2003. There are 2 logging programs that need to run at system startup so I have enabled the automatic logon option for a user (eg:wonderadmin) and placed the shortcuts in their startup directory. Users can then connect in using their credentials in Terminal Services to run the Wonderware front-end program.
I will be needing to remotely access the console session that is automatically logged on at startup for administrative purposes. I know I can connect into the session using "mstsc /console" but I would like to be refused connection if I don't use the "/console" switch. Is there any way to do this?
Thanks.
I am setting up a server that will be running a SCADA system (Wonderware) and will be running Terminal Services on Windows Server 2003. There are 2 logging programs that need to run at system startup so I have enabled the automatic logon option for a user (eg:wonderadmin) and placed the shortcuts in their startup directory. Users can then connect in using their credentials in Terminal Services to run the Wonderware front-end program.
I will be needing to remotely access the console session that is automatically logged on at startup for administrative purposes. I know I can connect into the session using "mstsc /console" but I would like to be refused connection if I don't use the "/console" switch. Is there any way to do this?
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The solution is incorrect.
1. Open the Terminal Services Configuration snap-in.
2. View the Properties of RDP-Tcp and select the Permissions tab.
3. Add the Everyone group and change the Guest Access from allow to deny.
Tags: restrict RDP console terminal services remote desktop
1. Open the Terminal Services Configuration snap-in.
2. View the Properties of RDP-Tcp and select the Permissions tab.
3. Add the Everyone group and change the Guest Access from allow to deny.
Tags: restrict RDP console terminal services remote desktop
Found this on another forum:
TS has a WMI provider which allows you to do that. The easier way to access WMI provider functionality is with WMIC alias. If you want to deny administrators access to console, you can run the following within a cmd shell:
WMIC RDAccount where "TerminalName='console' and AccountName like '%administrators%'" call delete
If you want to restore the default permissions setting for console:
WMIC RDPermissions where "TerminalName='console'" call RestoreDefaults
More info:
http://blogs.msdn.com/ts/archive/2006/10/03/Terminal-Services-_2800_TS_2900_-Remote-Configuration-Primer-Part-1.aspx
TS has a WMI provider which allows you to do that. The easier way to access WMI provider functionality is with WMIC alias. If you want to deny administrators access to console, you can run the following within a cmd shell:
WMIC RDAccount where "TerminalName='console' and AccountName like '%administrators%'" call delete
If you want to restore the default permissions setting for console:
WMIC RDPermissions where "TerminalName='console'" call RestoreDefaults
More info:
http://blogs.msdn.com/ts/archive/2006/10/03/Terminal-Services-_2800_TS_2900_-Remote-Configuration-Primer-Part-1.aspx
ASKER
Thanks.