Policy to Disable RDP for users on a specific server

I have 2 servers: one is a 2003 server, the other a 2008 server (they are both terminal servers). I need a way to prevent users - not admins - from using (accessing) MSTSC.exe or RDP to connect to their machines. How can this be done?
Haresh Nikumbh
This solution is only available to members.
If you deny login via local policies won't that stop the users from connecting to the machine too?  Also I have yet to get the Software restriction policy to work regardless of what I do.   Not sure why because it's that complicated...  Maybe because it's 2003 and not 2008.
Yes, you can configure this policy on the local machine too.
I also created a hash registry setting to block MSTSC.exe. I checked the policy and it's there too. But I can open RDP and connect to my computer...
I have tested on my PC and it's working.

Have a look.
I have the EXACT same thing except I did it for users instead of computers.  Maybe it's just time.  I'm updating the machine now with about 30 updates. I'll reboot it and try again.  Thanks.  I also did the application blocker - see attached too. It works on a Windows 7 machine but not on 2003 server???
Looks good.
Tried it on 2008 terminal server and it's not working there either???  Maybe you can't block it on a server?
Change the permission of the mstsc.exe file itself...
I have applied the policy on the local machine. The RDP screenshot which I have attached is for my local machine, which cannot take an RDP connection for any machine.
As I said before, just edit the permission of the local mstsc.exe file.

No other users that you want can use the RDP.
If I do that then no one will be able to use RDP not even admins?
No... you can edit the permission to who or what group(s) can access mstsc.exe, the file itself.

For example, full control for Domain Admins and deny access to a group of users.

Remember, deny access will override granted access, so be careful with that.
I finally got this to work with the registry setting.
I wasn't successful blocking with a hash rule in the app blocker; however, when I did it in the registry setting it worked.
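
The file-permission approach suggested in the thread (deny a user group access to mstsc.exe while admins keep theirs), as an added example that is not part of the original posts. It assumes an elevated PowerShell session with `icacls` and `takeown` available (on Server 2003 that means SP2 plus an installed PowerShell); the group name and backup file names are placeholders.

```powershell
# Added example: deny read/execute on mstsc.exe for one group only.
# ASSUMPTION: the group below is a hypothetical placeholder; replace it.
$Group = 'CONTOSO\RDP-Blocked-Users'

# 64-bit systems carry a second copy under SysWOW64; handle whichever exist.
$Targets = @("$env:SystemRoot\System32\mstsc.exe",
             "$env:SystemRoot\SysWOW64\mstsc.exe") | Where-Object { Test-Path $_ }

foreach ($Path in $Targets) {
    # Save the current ACL first so the change can be reviewed or undone.
    $Dir    = Split-Path (Split-Path $Path -Parent) -Leaf
    $Backup = Join-Path $env:TEMP "mstsc-acl-$Dir.txt"   # placeholder file name
    icacls $Path /save $Backup | Out-Null

    # ${Group} keeps PowerShell from reading "$Group:" as a drive-qualified name.
    icacls $Path /deny "${Group}:(RX)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # On Server 2008 the file is owned by TrustedInstaller, so the DACL
        # cannot be edited until the Administrators group owns the file.
        takeown /F $Path /A | Out-Null
        icacls $Path /deny "${Group}:(RX)" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not set the deny entry on $Path"
            continue
        }
    }

    # Verify: list every deny entry now present on the file.
    (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{Name='File'; Expression={$Path}}, IdentityReference, FileSystemRights
}
```

Because a deny entry overrides any allow entry, an administrator who is also a member of the denied group loses access as well, so keep that group free of admin accounts.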