Link to home
Start Free TrialLog in
Avatar of orbhot
orbhotFlag for United States of America

asked on

Can I allow non-administrators to log into console session?

I need to allow a user to log into a Windows 2003 server via Remote Desktop. I want them to be able to use the mstsc /console switch so that the can use the console session. However, the only way I know of doing this is to add this users to the local administrators group, which I don't want to do. Is there a way to let the user log into the console without adding them to admins?
Avatar of davidfencik
Flag of United States of America image

Considering the console is logged on by default by the DOMAIN\Administrator I don't think so.
You can use VNC to allow the user to overtake the console but not using mstsc.
Avatar of ggefter

in the active directory, there is an option in each users account, i think its on the dial in tab or the Terminal server tab, that will allow a user to log on remotely via a terminal server session. Uncheck the box that says "Deny the user permission to log onto a TS session" and on the dial -in tab that allows a person to dial in.
I stand corrected ^^.
I'll have to give that a try!
You can set it on a Server - by Server basis by adding the user to the "Remote Desktop Users" group (which can be found by running compmgmt.msc

Avatar of orbhot


Psy053, you are not correct... adding them to RD users just allows them to log in, it does not allow them to log into the consoles session (session 0) unless they are in the Administrators group.
Avatar of orbhot


davidfencik, I looked through that page and that does not work... I have Users and Administrators already set under "Allow log on locally" in Local Policies/User Rights Assignment and, unless someone is in the local Administrators group, they get an error when trying to log onto a console session voe mstsc /console.
Look in the computer configuration local security policy. There is another group policy object to allow cocsole access.
What do you want them to be able to do once they log onto the console?  Most fuctions that woudl require this would require admin access anyway.
Avatar of orbhot


rshooper76, I need them to have persistent sessions. In other words, if they X out/disconnect (not log off), when they reconnect they end up with a new session. If someone logs in with /console they can disconnect, then reconnect later on and return to that same session.

David, Which node is it under, I don't see it?
Set your RDP policy to only allow them to have one sesssion, that will solve your problem.  Having a general user log onto the console is generally a bad idea.

Avatar of orbhot
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I guess I wdon't completely understand what you are trying to do.  Only one user at a tiem can use the console session.  If your users simply need to only be allowed to have one session each then configure your RDP connection or Group Policy to restrict this.
I think what you need to do is to go to terminal services configuration and set the session limits.  You can disable the maximum time for a disconnected session there.  That way you can reconnect a day or two later and your session will be preserved.  It is not necessary or beneficial to connect to the console session.

You can also change these settings on a per-user basis.

Restricting each user to a single session meshes well with this configuration.