How to disable RDP console on Server 2003 R2

I know this may seem like a simple question, but I was curious if there was a way to disable the ability to RDP into the Console of a Win Server 2003 R2 box?  I want to keep all other sessions, just remove the ability to use the console with RDP.

Things I have tried:

Using a WMI script:
Ex:
WMIC RDAccount where "TerminalName='console' and AccountName like '%administrators%'" call delete

I have also tried changing the following reg keys:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStation\Console

fEnableWinStation from 1 to 0
fLogonDisabled from 0 to 1

Any suggestions?

Thanks in advance...
nakoz69Asked:
nakoz69Author Commented:
Thanks for the reply, but that link is just information on how to enable/disable RDP with the possibility of using Group Policies.

My question is referring to "How to disable the Console in RDP"  not RDP itself.
0
mcrosslandCommented:
Please explain disable the console in RDP.  I don't follow.
The console, is physical access to the computer's keyboard, mouse, and video.
RDP is remote access.
Please elaborate if you would.
0
nakoz69Author Commented:
When using RDP, depending on which version you have installed, you can use the /console or /admin option to have direct access to the Windows console on the box.  I want to know how I can disable this ability without having to disable RDP altogether.
0
mcrosslandCommented:
Your WMI Script looks to be the correct method.
Could it be that the user you're trying to connect to the RDP console with is not in the Administrators group?
0
nakoz69Author Commented:
The account I am testing with is the "Administrator" account that is currently the only user in the "Administrators" group.  

I am testing on a clean box with only the local admin account.  I want to make sure I eliminate any variables that could cause it not to work.

I ran the script above and it said it executed correctly, but after a few reboots, the ability to remote to the console is still there.

Any other suggestions?
0
mcrosslandCommented:
Hang in there.   Allow me to test it on mine.
0
mcrosslandCommented:
After connecting RDP, go into the Terminal Services Manager and let me know what is under "Session" for your administrator.  Be sure that your console is logged off.
0
mcrosslandCommented:
Should be 0
0
nakoz69Author Commented:
It says ID is "0"
0
mcrosslandCommented:
In terminal services configuration, do you ahve "Restrict each user to one session" as YES?
0
mcrosslandCommented:
typo:  have
0
mcrosslandCommented:
OK.  After testing this on mine, I found that I am still able to RDP to 0.
Can't find a solution out there anywhere for this.
Let me put this to you now that I have failed.  LOL
Why are you trying to disable administrator access to the console session?
0
mcrosslandCommented:
One more option.
http://www.raseley.com/2009/04/21/deny-logoff-of-an-administrator-logged-in-to-the-console-session/ 
Keep the administrator logged in and deny logoff of the console.   Lock the console instead of logging off.
0

nakoz69Author Commented:
Ok I think I finally got it figured out.

Start>Run>gpedit.msc

Then go to Administrative Templates>Windows Components>Terminal Services and enable the setting “Deny Log off of an administrator logged into the console session”

Close gpedit.msc
And from the command line run “gpupdate.exe /force”

I tested this on my 2k3 R2 box and when you try to log in to the console from RDP it tells you that you must have admin privileges, and then takes you back to the login screen.

0
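A way to confirm that the policy from the steps above actually applied after gpupdate, written as a batch file for the server's command prompt (an added example, not part of the original thread). It assumes the setting is stored as the fDisableForcibleLogoff REG_DWORD value under the Terminal Services policy key shown in the script; the file layout and messages are illustrative.

```batch
@echo off
rem Added example: verify the "Deny log off of an administrator logged in to the
rem console session" policy after running "gpupdate.exe /force".
rem Assumption: the policy is stored as fDisableForcibleLogoff (REG_DWORD)
rem under the Terminal Services policy key below.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
set "VAL=fDisableForcibleLogoff"
set "DATA="

rem reg query prints a line such as:  fDisableForcibleLogoff  REG_DWORD  0x1
rem findstr drops the header lines; the third token is the data.
for /f "tokens=1,2,3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set "DATA=%%C"

if not defined DATA (
    echo [FAIL] %VAL% is not set: policy not configured or not yet applied.
    exit /b 2
)
if /i "%DATA%"=="0x1" (
    echo [ OK ] %VAL% = %DATA%: forced logoff of the console administrator is denied.
) else (
    echo [FAIL] %VAL% = %DATA%: policy is present but disabled.
    exit /b 1
)

rem The setting protects an existing console logon, so show the console
rem session state: an administrator should be logged on there, locked.
echo.
echo Console session state:
qwinsta console
endlocal
```

The exit code (0, 1 or 2) lets the check be run from a scheduled task or a login script to flag servers where the policy has been removed or has not refreshed.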
mcrosslandCommented:
Perfect!   So the deny logoff method does work.  Glad to hear it.
0
mcrosslandCommented:
Was hoping that you would notice that I posted that before you mentioned the fix.  ;)
0
nakoz69Author Commented:
Thanks for taking the time to help mcrossland!  Points awarded!
0
mcrosslandCommented:
You are very welcome.   Have a great day!
MC
0