  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4350

Windows Server 2012 / 2012 R2 - How to allow more than one connection to RDSH / RDP in Admin Mode without enabling RDSH?

With Windows 2012 / 2012 R2, the administration programs in the Administrative Tools menu for RDP / Term Server / Remote Desktop Session Host server are MISSING unless you install the Remote Desktop Session Host (RDSH) role.

How can you DISABLE the default setting of, "RESTRICT USERS TO A SINGLE SESSION" in RDP?  I find that when we have multiple administrators using the same account, it is EXTREMELY useful to NOT interrupt another admin when they are doing important work, and therefore it is necessary to DISABLE this default setting.  Since in ADMIN mode you are allowed (3) connections (2 RDP and 1 via console), it can be very easy to accidentally interrupt another admin.

Furthermore, NOT being able to disable this makes the operating system LESS STABLE since you could potentially interrupt another admin at a critical time and accidentally cause havoc.  Yes, best practice is to NOT share accounts, but this is not reality.  It happens, whether they include this tool or not.  And if you ADD the session host role to be able to accommodate this, you now are obliged to enable and install a LICENSE server or you are UNABLE to RDP to this server any longer unless you REMOVE the session host role and reboot.

How can we disable this default setting?  Setting a GPO is possible but extremely inconvenient...setting local policy is also the same.  I tried adding the SNAP IN for Remote Desktop Session host, but it is not available.  I have seen other posts referencing RE-ADDING the old Windows 2008 R2 DLL for the Term Server admin program and adding entire registry keys to accommodate this, but this seems dangerous and likely to cause an issue.....

Are there any other ideas?
Asked:
jkeegan123
Cliff Galiher Commented:
There is just no good way to do this anymore (legally) and EE does not permit discussions sidestepping licensing restrictions. The answer is don't share accounts. That *is* reality and has been for some time. I can honestly say that creating each admin their own account is a ten-second affair and there is ZERO legitimate reason not to. Yes, you could "get away" with it in 2008 R2. That has changed and for those that put off following best practices, now they have to if they want multiple admins logged in. That's the reality now.
jkeegan123 (Author) Commented:
Sorry Cliff, I was not talking about enabling more than the allowed connections (by default it's 3, 2 RDP and 1 on the console)...I was talking about when you configure RDP in Windows 2003 / 2008 / 2008R2 and uncheck the box, "Allow each user only one logon" ... we have a lot of overlap where admins use same accounts and accidentally steal another's session, to get around that we usually just uncheck the "ONLY ALLOW EACH USER 1 CONNECTION" in Administrative tools -- Remote Desktop -- Remote Desktop Configuration.  In Windows 2012 / 2012R2 that configuration applet does not exist, so you're ALWAYS stealing another admin's session.  

That is, until I figured out a way.  There are a lot of documented ways to bring back the OLD configuration console from 2008 R2, but I'm sure that the next service pack or something similar will break that...so the legit (and legal) way to change this I have found is:

REGEDIT and navigate to:  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\
    Find REG_DWORD:  fSingleSessionPerUser
        Change default value of (1) to (0).

This does not change the max # of sessions allowed, but it will allow ADMINISTRATOR (or any other user) to be logged in twice with 2 separate sessions.  This prevents other admins from stepping on other admins' toes.  AND it's just polite :)
jkeegan123 (Author) Commented:
This solution solves the question asked.
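
The registry change described in the accepted answer, as an added PowerShell example that is not part of the original thread: it reports the local fSingleSessionPerUser value next to any Group Policy copy of the same setting before changing anything. The function names are hypothetical, and the policy key path and the rule that a policy value takes precedence over the local one are assumptions not stated in the thread.

```powershell
# Added example: audit and optionally change fSingleSessionPerUser.
# Run from an elevated PowerShell prompt on the server.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
# Assumption: a GPO writes its copy of the setting here, and it wins when present.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$valueName = 'fSingleSessionPerUser'

function Get-SingleSessionSetting {
    param([string]$Path)
    # Returns the DWORD as an int, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Get-SingleSessionReport {
    $local  = Get-SingleSessionSetting -Path $tsKey
    $policy = Get-SingleSessionSetting -Path $policyKey
    # Policy value first, then local value, then the default of 1 given in the thread.
    $effective = if ($null -ne $policy) { $policy }
                 elseif ($null -ne $local) { $local }
                 else { 1 }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        LocalValue  = $local
        PolicyValue = $policy
        Effective   = $effective
        Meaning     = if ($effective -eq 0) { 'Same account may hold several sessions' }
                      else { 'New logon takes over the existing session' }
    }
}

function Set-SingleSessionPerUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if ($null -ne (Get-SingleSessionSetting -Path $policyKey)) {
        Write-Warning 'A Group Policy value is present; the local change may be overridden.'
    }
    if ($PSCmdlet.ShouldProcess("$tsKey\$valueName", "Set to $Value")) {
        Set-ItemProperty -Path $tsKey -Name $valueName -Value $Value -Type DWord
    }
}

Get-SingleSessionReport
# Preview the change from the answer without writing to the registry:
# Set-SingleSessionPerUser -Value 0 -WhatIf
```

Running `Get-SingleSessionReport` across servers gives an inventory of hosts where one account can hold concurrent sessions, which is worth tracking because session ownership on those hosts cannot be inferred from the account name alone.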