Change RDP Port for a domain

I have two 64-bit Server 2008 domain controllers, and all workstations are Windows XP and Windows 7. I have tried using NUTS.EXE to convert my registry key to a .ADM file to push out via group policy, but it doesn't work. (Perhaps user error?)

Can anyone provide step-by-step instructions regarding the best method to change the RDP port from 3389 to a custom port with the least amount of effort?

Randy Downs (Owner) commented:
Is there a reason you don't want to make the change on the router? You could use the non-standard port on the outside, and the router can translate it internally to 3389.
mkraemer11 (Author) commented:
We had a recent security audit, and one of our feedback items was that the default RDP port should be changed. We use RDP internally quite a lot. The main reason this was recommended is that newer strains of worms are now capable of infecting machines via RDP if the port is the default 3389.

So I do need to change it internally on all workstations and servers in order to comply with our recent audit remediation recommendations.
Randy Downs (Owner) commented:
You can change it with the registry, so maybe push the reg change out to the clients. I would test it carefully in a test domain first.

Converting a Registry Change into ADM Keywords
The biggest challenge may be finding a useful registry change that you want to distribute. For example, take the following change that allows you to move the printer spool folder. Remember that before you point the spool to a new folder, that folder must be created. You can then make the following change to the registry:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756: How to back up and restore the registry in Windows

1. Start Registry Editor (Regedt32.exe).
2. Locate the DefaultSpoolDirectory value under the following key in the registry:
   NOTE: The above registry key is one path; it has been wrapped for readability.
3. On the Edit menu, click String, type X:\Pathname (for example, D:\Printing), and then click OK.
4. Quit Registry Editor.
This change to the registry must be converted into a template format so that HKEY becomes CLASS (Machine or User), Key becomes KEYNAME, and Value becomes VALUENAME (followed by NUMERIC if the type is BINARY or DWORD).

If you want to change the port, it requires a quick change in the Windows registry.

(Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)

The following hive has the specific TCP port used for RDP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

In this hive, the PortNumber value contains the configured port that Windows will listen for RDP connections. The default port assignment is represented as D3D in hexadecimal or 3389 in binary. For this example, I will change the port to 53389. Figure A shows this change being made on a test server.
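The registry change described above, done from PowerShell on one machine (an added example, not code from the thread or from Randy's article). It records the old value, refuses to proceed if the target port is already in use, adds the firewall rule that the built-in "Remote Desktop (TCP-In)" rule does not cover, restarts the listener and then checks that the port actually moved. The port 53389 is the one used in the post; the rule name is an assumption. Run it elevated; restarting TermService disconnects existing RDP sessions.

```powershell
# Added example: move the local RDP listener off 3389 and verify it.
# Not part of the original thread. Run from an elevated PowerShell prompt.
param(
    [ValidateRange(1024, 65535)]
    [int]$NewPort = 53389          # port used in the post above
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current value so the change can be rolled back by hand.
$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP PortNumber: $old"
if ($old -eq $NewPort) { Write-Host 'Already set; nothing to do.'; return }

# 2. Refuse to proceed if something else already listens on the target port.
$inUse = netstat -ano -p tcp | Select-String -Pattern ":$NewPort\s+\S+\s+LISTENING"
if ($inUse) { throw "TCP port $NewPort is already in use: $inUse" }

# 3. Write the new PortNumber (REG_DWORD, decimal value).
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 4. The built-in firewall rule only allows 3389, so add one for the new port.
#    netsh is used because the NetSecurity cmdlets need Windows 8 / Server 2012 or later.
#    Rule name is an assumption.
netsh advfirewall firewall add rule name="Remote Desktop (Custom Port $NewPort)" dir=in action=allow protocol=TCP localport=$NewPort profile=domain,private | Out-Null

# 5. Restart Remote Desktop Services so the listener rebinds (drops current sessions).
Restart-Service -Name TermService -Force

# 6. Verify the listener really moved; if not, the change is not effective yet.
Start-Sleep -Seconds 3
$listening = netstat -ano -p tcp | Select-String -Pattern ":$NewPort\s+\S+\s+LISTENING"
if ($listening) {
    Write-Host "RDP is now listening on TCP $NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort; check the TerminalServices-RemoteConnectionManager event log"
}
```

Step 4 is the part most often forgotten when the value is pushed out by registry alone: the client will write the new PortNumber, restart, and then silently drop every connection to the new port until a matching firewall rule exists.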
mkraemer11 (Author) commented:
I will try this tomorrow and let you know the results.

Rob Williams commented:
If you have a 2008 or 2008 R2 domain controller, instead of creating an .adm file you can use Group Policy Preferences. Create a new GPO linked to the OU(s) that hold the computers/servers you wish to affect. Then within the new GPO go to: Computer Configuration | Preferences | Windows Settings | right-click on Registry and manually create a new registry value, or use the wizard to extract the value from the current machine, and it will create the policy to push out the registry change to all computers/servers in the appropriate OU.

With Server 2008, the better and more secure option, though, would be to set up an RD Gateway, which requires an SSL certificate and uses port 443 externally and redirects to 3389 internally.
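The same GPO can be built from a domain controller with the GroupPolicy module (RSAT on Server 2008 R2). This is an added example, not code from the thread: note that Set-GPRegistryValue writes a registry.pol (Administrative Templates style) entry rather than the Group Policy Preferences item Rob describes, but the registry write it produces on the client is the same. The GPO name, OU distinguished name and port are assumptions.

```powershell
# Added example: create, populate and link a GPO that pushes the RDP PortNumber value.
# Not part of the original thread. Run on a DC or a machine with RSAT GroupPolicy tools.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Workstations - RDP Custom Port'            # assumed name
$TargetOU = 'OU=Workstations,DC=example,DC=local'       # assumed OU; adjust to your domain
$NewPort  = 53389                                       # port used earlier in the thread
$RdpKey   = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Create the GPO only if it does not already exist (script is safe to re-run).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Audit remediation: move RDP listener off TCP 3389'
}

# Registry value the clients will receive at the next policy refresh.
Set-GPRegistryValue -Name $GpoName -Key $RdpKey `
    -ValueName 'PortNumber' -Type DWord -Value $NewPort | Out-Null

# Link it to the OU once; LinkEnabled is Yes by default.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU | Out-Null
}

# Sanity check: print exactly what the GPO will set before rolling it out.
Get-GPRegistryValue -Name $GpoName -Key $RdpKey
```

The GPO sets only the registry value; the Windows Firewall on each client still needs an inbound rule for the new port (pushed through the same or a separate GPO), and the listener only rebinds after a reboot or a restart of Remote Desktop Services, which is why a machine can show the new PortNumber in the registry and still answer on 3389 for a while.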

mkraemer11 (Author) commented:
Number-1: This method did not work, and one of the links you sent me was irrelevant (VMware).

RobWill: I followed your instructions and have run gpupdate /force and even restarted the workstation, but the port is still the default 3389. I confirmed the policy is applied to the correct container and the computer is assigned to the container. Am I missing something?
Rob Williams commented:
Should be straightforward.
If you run gpresult on one of the affected PCs, do you see it listed as a policy, and if so, are there any errors reported?
mkraemer11 (Author) commented:
The policy is listed and I don't see any errors. The only thing that doesn't look right is that it is applying the policy from my secondary domain controller rather than the primary.
Rob Williams commented:
If it is the correct policy name, using a secondary DC should not be a problem.
It does require a reboot, which I appreciate you said you did.
There are some policies that require multiple logons or reboots. In other words, the policy has to be updated and then a reboot, and it may take two to do so. I can't see that being the case here, but perhaps give that a try.

Just to confirm, Small Business Server is not involved here, is it?
mkraemer11 (Author) commented:
No SBS. Server 2008 Enterprise and Server 2008 R2 Enterprise.
mkraemer11 (Author) commented:
Yes! It is working. It seems to be sort of trickling down to more machines now. Strange how gpupdate /force did not initially apply the new policy update, but all that matters is that this worked.

Thank you so much.

Best regards,

mkraemer11 (Author) commented:
Although the input provided by Number-1 was not the final solution, there was some good information there, and the time spent putting that together was appreciated. I awarded 100 points to Number-1 for the effort.
Rob Williams commented:
Did you run gpupdate on the server or the PCs? Running it on the PCs, it should have taken effect right after reboot. Regardless, it should apply to all PCs automatically after about 90 minutes. They may need to be rebooted.
Glad to hear it is working.
Thanks mkraemer11.
mkraemer11 (Author) commented:
I ran gpupdate /force, but that didn't change anything. After about 90 minutes, like you said, machines started receiving the policy change.

Thanks again!
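The last few posts are about telling "policy not applied yet" apart from "policy applied, listener not restarted". An added example (not from the thread) that reports both states for every computer in an OU: it reads PortNumber through the Remote Registry service and then does a plain TCP connect to the new port and to 3389. The OU name and port are assumptions; the Remote Registry service must be running on the targets (it is set to Manual on Windows 7 by default), and the hypothetical helper Test-TcpPort is used instead of Test-NetConnection so it works against XP and Windows 7 from a PowerShell 2.0 host.

```powershell
# Added example: audit RDP PortNumber rollout across an OU.
# Not part of the original thread. Run from a domain-joined admin workstation with RSAT.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=local'      # assumed OU; adjust
$NewPort  = 53389                                      # port used earlier in the thread
$SubKey   = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Hypothetical helper: TCP connect with a timeout, no dependency on newer cmdlets.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in Get-ADComputer -SearchBase $TargetOU -Filter * -Properties DNSHostName) {
    $hostName = $c.DNSHostName
    $regPort  = $null
    try {
        # Read the value the policy should have written, via Remote Registry.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $hostName)
        $key  = $base.OpenSubKey($SubKey)
        if ($key) { $regPort = $key.GetValue('PortNumber'); $key.Close() }
        $base.Close()
    } catch {
        $regPort = "error: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Computer      = $hostName
        RegistryPort  = $regPort
        ListensOnNew  = Test-TcpPort -ComputerName $hostName -Port $NewPort
        ListensOn3389 = Test-TcpPort -ComputerName $hostName -Port 3389
    }
}

$results | Select-Object Computer, RegistryPort, ListensOnNew, ListensOn3389 | Format-Table -AutoSize
```

Reading the output: RegistryPort still 3389 means the GPO has not reached that machine yet (run gpresult /r there and check the applied policy list); RegistryPort equal to the new port but ListensOn3389 true means the policy applied and the machine is waiting for its reboot or a restart of Remote Desktop Services; RegistryPort correct but ListensOnNew false after a reboot usually points at the client firewall blocking the new port.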
