banks1850
asked on
RDP to console ONLY. No remote sessions?
I need to be able to use the console of Windows RDP only on a Windows Server 2003 server. Anyone know how to do that? We have some issues where our engineers need to access a machine either locally or remotely, but can't have multiple sessions as it will screw up software licensing (don't ask). Basically I want W2K3 to mimic Windows XP Pro RDP functionality, i.e. if you log in remotely, it locks the local console, etc.
ASKER
Can't, this is for a retail product that the clients use. We would have to buy a distribution license and you don't want to know how much those cost.
I am not sure what the purpose of your RDP session is. Is it just that you want users to have the same session when logging in remotely or locally? If yes, you can easily connect to a remote session that was only disconnected or is still running.
Go to Start -> Programs -> Administrative Tools -> Terminal Services Manager.
Right-click the existing connection and choose "Connect".
http://www.microsoft.com/windowsserver2003/techinfo/overview/tsremoteadmin.mspx
So you want the RDP session limited to the console?
Or just to 1 session at the same time?
You can also restrict the maximum sessions to only "1" in the Terminal Services Configuration. Right-click "rdp", go to Properties and then to the "Network Adapter" tab. Here you can change from "2" to "1".
Hope this helps
Daniel
Sorry, forgot the "console" thing:
http://headblender.com/joe/blog/old/001166.html
If you use the /console switch the screen at the server will get locked as in XP.
ASKER
This is all good info. But I already know all of it.
We need it to mimic Windows XP Professional RDP. I.E. only allow one person to be logged in at any one time, whether they be local or remote. Ideally this needs to happen without the user typing in any additional statements to connect (I.E. no needing to put the /console after the RDP string).
The problem is that if you log in twice with the same user, even for a second, it screws up the licensing of our product (we are working on solving that, but it takes a while to get to production for things like licensing). So what we really want is to be able to console to the machine (because you can only have 1 console session, this would solve our issue), but not to RDP with normal sessions. Even just allowing a single session still allows users to RDP and local console at the same time.
Not sure if this would work but maybe you can deny all users to log on from the network in the local security policy of the server. But that likely will also restrict them from using the mstsc /console.
Is Terminal Services disabled? (It should be.) Terminal Services is what allows multiple RDP sessions at once...
Click On Start
Click On Run
Type mstsc /console
Type IP Address or Hostname of server
mstsc brings up the remote desktop connection and the /console switch tells it what session to use
I forgot to mention, if you do this on one of your client machines, you can configure it via the options button and then save the .rdp to the desktop etc for quick access to the console
Sorry I have reread Author comments,
The_Kirschi: has given a nearly complete solution, rather than changing sessions from 2 to 1, change the value to 0
ASKER
Tried that, it doesn't work. That disables all remote sessions including console.
I tried that, too. And with "0" you cannot connect at all via RDP, only locally.
If the information found in the following link is true (and it seems to be as it is from a Technet blog) then it should be your solution:
http://blogs.technet.com/tonyso/archive/2006/10/19/using-the-rdp-console-session.aspx
Have a look at the lower half of the article. (1. - 7.)
ASKER
I read the article. While it will do what I want if we force users to use mstsc /console, since there is still the availability to RDP into it, there is still the option of RDP'ing in without using the console switch, thereby allowing the local console and a remote session with the same user. I know this is a tricky one, and maybe there is no solution to it. I was thinking maybe there was a registry setting that would revert W2K3 server to the same mode as Windows XP Pro Remote administration mode. I guess there isn't though. I have researched long and hard all over the net and still have yet to find a way to do this.
If you read the article then you have read point 7.
It clearly states that there can be only one connection "... and only through the console...".
If you can only connect through the console then you should not be able to connect without the /console switch. And I think this is what you require.
Did you actually try it? I will try later myself.
ASKER
I read it. It states only one REMOTE connection. That is the key. That means that someone could be logged on locally, and if a second person attempts to log on remotely without using the /console option, it will create a second session instead of logging off the local console user. Whereas if you were using Windows XP the local console user would be logged off automatically.
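One way to check whether the situation described above (one account holding the console and a second RDP session at the same time) is actually occurring, as an added example that is not part of the original thread: it parses `query session` (qwinsta) output and reports accounts with more than one session. The sample output is constructed, and the column widths are an assumption based on the Windows Server 2003 layout.

```python
from collections import defaultdict

# Assumed column layout of `query session` (qwinsta) output on Server 2003.
ROW = "{:1}{:<18}{:<22}{:>5}  {:<8}{:<12}{}"

# Constructed sample, not captured from a real server: "engineer" holds the
# console and a second rdp-tcp session, "operator" has one disconnected session.
SAMPLE = "\n".join(ROW.format(*r) for r in [
    (" ", "SESSIONNAME", "USERNAME", "ID", "STATE", "TYPE", "DEVICE"),
    (">", "console", "engineer", 0, "Active", "wdcon", ""),
    (" ", "rdp-tcp", "", 65536, "Listen", "rdpwd", ""),
    (" ", "rdp-tcp#3", "engineer", 1, "Active", "rdpwd", ""),
    (" ", "", "operator", 2, "Disc", "rdpwd", ""),
])


def parse_sessions(text):
    """Parse fixed-width qwinsta output into a list of session dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    user_col, state_col, type_col = (
        header.index(h) for h in ("USERNAME", "STATE", "TYPE"))
    sessions = []
    for line in lines[1:]:
        # The ID is right-aligned, so USERNAME and ID share one slice:
        # the last token is the ID, anything before it is the user name.
        middle = line[user_col:state_col].split()
        if not middle or not middle[-1].isdigit():
            continue  # not a session row
        sessions.append({
            "name": line[1:user_col].strip(),  # blank when disconnected
            "user": " ".join(middle[:-1]).lower(),
            "id": int(middle[-1]),
            "state": line[state_col:type_col].strip(),
        })
    return sessions


def users_with_multiple_sessions(sessions):
    """Map each user holding more than one session to those session IDs."""
    by_user = defaultdict(list)
    for s in sessions:
        if s["user"]:  # listener rows have no user
            by_user[s["user"]].append(s["id"])
    return {u: ids for u, ids in by_user.items() if len(ids) > 1}


if __name__ == "__main__":
    print(users_with_multiple_sessions(parse_sessions(SAMPLE)))
```

On a live server the text would come from running `query session` and passing its output to `parse_sessions`.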
I found another setting that might be helpful.
In Terminal Services Configuration in the Server Settings you can specify "Restrict each user to one session". If you set this to "Yes" it should ensure that each user can log in only once.
Sorry, I didn't mean to offend you.
OK, that doesn't seem to help either:
http://support.microsoft.com/?scid=kb%3Ben-us%3B302883&x=9&y=13
And also this is only for remote sessions and not for local log in. But you could additionally deny the "Log on locally" permission for the appropriate users on the server.
But also this obviously leaves still the "hole" described in the article mentioned above.
The more I get into this, the more I am afraid that you are right and there is no real solution to this.
ASKER
It's OK, I have a tough skin. :) I believe I agree. Windows XP Pro uses console redirection, whereas W2K3 uses true Terminal Services. I think that is the main culprit. I was hoping I could turn off Term services and turn on some registry setting that allows console redirection, but I guess that probably isn't the case.
Hi,
I found something that might be the solution for your problem, though I didn't manage to test it yet:
http://www.amset.info/windows/limit-logins.asp
Based on a network share that you mount each time the user logs in, it is determined whether the user is already logged in. If she is, she gets logged off immediately.
The question that came to my mind is:
What happens if the user disconnects the mapped network drive on the other session?
I will try to test it in a few minutes myself.
Hi again,
I tried it myself and it works like a charm... As long as the drive is mapped, that is.
If I have the drive connected I get logged off immediately after logging in, locally and via RDP.
Now you will need to find how to deny users to disconnect the network drive.
Let's see....
ASKER CERTIFIED SOLUTION
ASKER
Great, that looks like it should work for my needs. If they want to go that far, then good luck to them. I'm not their nanny. Good work Kirschi!
Thanks (also for the points). Glad to be of help.
it's cheap and it works like magic.