Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to not allow client machines to save RDP credentials

Posted on 2015-01-20
8
Medium Priority
?
748 Views
Last Modified: 2015-01-28
Hello,

I have a long running dilemma.

I run a Remote Desktop Services environment. The staff all have laptops issued to them and use RDP to connect into their work environment.  Basically the laptops only server as a thin client to connect to the internal office environment.

I would like to force all the users to enter their username and password every time they connect to the office using RDP. This is for security reasons. However, by default RDP always has the "Remember my credentials" check box. Ideally I would prefer to have a setting on the server that will force the user to input their UN/PW regardless of whether they have checked that box. I have found no such solution though.

Alternatively. I have use the following registry entries on each client laptop. The laptops are all home editions of windows so they do not have GPO options. These entries are a pain, because they need to be entered on each client laptop, and cannot be done centrally on the server.

Here are the entries I have used:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"DisablePasswordSaving"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fEnableUsbNoAckIsochWriteToDevice"=dword:00000050
"fEnableUsbBlockDeviceBySetupClass"=dword:00000001
"fEnableUsbSelectDeviceByInterface"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbBlockDeviceBySetupClasses]
"1000"="{3376f4ce-ff8d-40a2-a80f-bb4359d1415c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client\UsbSelectDeviceByInterfaces]
"1000"="{6bdd1fc6-810f-11d0-bec7-08002be2092f}"


This was not ideal, but at least it worked. I am noticing that with newer 8.1 laptops these entries do not work either. Does anyone have any ideas?

Thanks in advance.
0
Comment
Question by:Corey Haecker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 400 total points
ID: 40559903
There's on more key you could try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]

"PromptForCredsOnClient"=dword:00000001
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40562323
On the server, go into Terminal Services Configuration, right-click on the RDP-TCP connection, go to the Logon Settings tab, and click the "Always prompt for password" check box. I think the users will still be able to save their user names, but this will at least force them to type their passwords each time.

:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40564687
Thanks Kimputer, that works!

TekServer - Any idea where this is located on server 2012? A bit of background. Each user has a dedicated VM running. Remote desktop services has all the VMs in a collection, and directs users to their VM based on their login creds.

It would be great if I could change this on the server and not need to set it on each individual client workstation.

Thanks for the assistance
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 10

Expert Comment

by:TekServer
ID: 40565476
Sorry, most of my clients are small & still running server 2008 or earlier. I did some brief Googling & saw that all of the old RDS tools appear to be combined into the new Remote Desktop Management Server (RDMS), so I'd start there. Apparently Powershell can also be used for more advanced options. I'll keep looking to see if I can find something more specific.
0
 
LVL 10

Accepted Solution

by:
TekServer earned 1600 total points
ID: 40573632
Sorry for the delay in getting back to this.  Apparently the setting to "Always prompt for password" is no longer accessible from the Server 2012 RDMS.  But the good news is you can still access it from Group Policy.  More on that here.

In Server 2008, I found that particular GPO setting at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Security.  I would expect that a GPO for Server 2012 wouldn't differ from that too much.  You can apply this setting in Default Domain Controller Policy or create a new GPO.

Hope this helps, let me know if you have any questions or problems.
:-)
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40573729
That's great. I will try it and report back.
0
 
LVL 1

Author Comment

by:Corey Haecker
ID: 40574511
Excellent, the Group Policy worked on the RDS server. The only difference is that server 2012 calls Terminal Services - Remote Desktop Services.

Thanks so much. I've been looking for this for a long time.
0
 
LVL 10

Expert Comment

by:TekServer
ID: 40575583
Glad I could help, thanks for the accept.

:-)
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring Remote Assistance for use with SCCM
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
In this video, viewers will be given step by step instructions on adjusting mouse, pointer and cursor visibility in Microsoft Windows 10. The video seeks to educate those who are struggling with the new Windows 10 Graphical User Interface. Change Cu…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question