Solved

How to disable RDP console on Server 2003 R2

Posted on 2010-08-17
19
Medium Priority
1,916 Views
Last Modified: 2013-11-21
I know this may seem like a simple question, but I was curious if there was a way to disable the ability to RDP into the Console of a Win Server 2003 R2 box?  I want to keep all other sessions, just remove the ability to use the console with RDP.

Things I have tried:

Using a WMI script:
Ex:
WMIC RDAccount where "TerminalName='console' and AccountName like '%administrators%'" call delete

I have also tried changing the following reg keys:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStation\Console

fEnableWinStation from 1 to 0
fLogonDisabled from 0 to 1

Any suggestions?

Thanks in advance...
0
Comment
Question by:nakoz69
19 Comments
 
LVL 10

Expert Comment

by:mcrossland
ID: 33457502
0
 
LVL 1

Author Comment

by:nakoz69
ID: 33457627
Thanks for the reply, but that link is just information on how to enable/disable RDP with the possibility of using Group Policies.

My question is referring to "How to disable the Console in RDP"  not RDP itself.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33457698
Please explain disable the console in RDP.  I don't follow.
The console, is physical access to the computer's keyboard, mouse, and video.
RDP is remote access.
Please elaborate if you would.
0
 
LVL 1

Author Comment

by:nakoz69
ID: 33457807
When using RDP, depending on which version you have installed, you can use the /console or /admin option to have direct access to the Windows console on the box.  I want to know how I can disable this ability without having to disable RDP altogether.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33457907
Your WMI Script looks to be the correct method.
Could it be that the user you're trying to connect to the RDP console with is not in the Administrators group?
0
 
LVL 1

Author Comment

by:nakoz69
ID: 33457940
The account I am testing with is the "Administrator" account that is currently the only user in the "Administrators" group.  

I am testing on a clean box with only the local admin account.  I want to make sure I eliminate any variables that could cause it not to work.

I ran the script above and it said it executed correctly, but after a few reboots, the ability to remote to the console is still there.

Any other suggestions?
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458006
Hang in there.   Allow me to test it on mine.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458213
After connecting RDP, go into the Terminal Services Manager and let me know what is under "Session" for your administrator.  Be sure that your console is logged off.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458274
Should be 0
0
 
LVL 1

Author Comment

by:nakoz69
ID: 33458358
It says ID is "0"
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458464
In terminal services configuration, do you ahve "Restrict each user to one session" as YES?
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458467
typo:  have
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458728
OK.  After testing this on mine, I found that I am still able to RDP to 0.
Can't find a solution out there anywhere for this.
Let me put this to you now that I have failed.  LOL
Why are you trying to disable administrator access to the console session?
0
 
LVL 10

Accepted Solution

by:
mcrossland earned 2000 total points
ID: 33458816
One more option.
http://www.raseley.com/2009/04/21/deny-logoff-of-an-administrator-logged-in-to-the-console-session/ 
Keep the administrator logged in and deny logoff of the console.   Lock the console instead of logging off.
0
 
LVL 1

Author Comment

by:nakoz69
ID: 33458865
Ok I think I finally got it figured out.

Start>Run>gpedit.msc

Then go to Administrative Templates>Windows Components>Terminal Services and enable the setting “Deny Log off of an administrator logged into the console session”

Close gpedit.msc
And from the command line run “gpupdate.exe /force”

I tested this on my 2k3 R2 box and when you try to login to the console from RDP it tells you, you must have admin privileges, and then takes you back to the login screen.

0
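A check for the steps in the comment above, as an added example that is not part of the original thread: it confirms from the command line that the policy has been applied and that the console session has a logged-on user, since the policy only denies takeover of a console an administrator is logged on to. It assumes the policy is stored as the `fDisableForcibleLogoff` value under the Terminal Services policy key, and that a logged-on (or locked) console shows the state `Active` in `query session` output.

```batch
@echo off
rem Added example, not from the thread: verify the "Deny log off of an
rem administrator logged in to the console session" policy after gpupdate.
rem Assumption: the policy is stored as fDisableForcibleLogoff (REG_DWORD)
rem under the Terminal Services policy key below.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
set "VAL=fDisableForcibleLogoff"
set "DATA="

rem reg.exe prints "<name>  REG_DWORD  0x1"; keep the third token of that line.
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set "DATA=%%A"

if not defined DATA (
    echo FAIL: %VAL% is not set. Policy not configured or gpupdate has not run.
    exit /b 1
)
if /i not "%DATA%"=="0x1" (
    echo FAIL: %VAL% is %DATA%. Policy is disabled.
    exit /b 1
)
echo OK: policy is enabled, %VAL% = %DATA%

rem The policy only protects a console that an administrator is logged on to,
rem so also report whether the console session currently has a user.
rem Assumption: a logged-on or locked console is listed with state "Active".
query session console | findstr /i "Active" >nul
if errorlevel 1 (
    echo WARN: no logged-on user on the console session. Log on and lock it.
    exit /b 2
)
echo OK: console session has a logged-on user.
exit /b 0
```

Exit code 0 means both conditions hold, 1 means the policy value is missing or disabled, and 2 means the policy is set but nobody is logged on at the console.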
 
LVL 10

Expert Comment

by:mcrossland
ID: 33458936
Perfect!   So the deny logoff method does work.  Glad to hear it.
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33459638
Was hoping that you would notice that I posted that before you mentioned the fix.  ;)
0
 
LVL 1

Author Comment

by:nakoz69
ID: 33464118
Thanks for taking the time to help mcrossland!  Points awarded!
0
 
LVL 10

Expert Comment

by:mcrossland
ID: 33465038
You are very welcome.   Have a great day!
MC
0

Question has a verified solution.