How to enable Restricted Admin Mode in Remote Desktop Connections

Remote Desktop is one of the favourite tools of every IT Pro, and it can often provide solutions for ordinary users too. But what about security? In recent years hacking, data breaches and virus infections have increased dangerously.

Security is a challenge for every IT Pro today. This is why I decided to write this article, which has nothing to do with any of the topics that I usually write about.

So let's start.

Overview

RestrictAdminMode is a feature of Remote Desktop which prevents the transmission of credentials to the remote PC while you connect with Remote Desktop.

Enable RestrictAdminMode

If you would like to enable and use RestrictAdminMode in Remote Desktop, you must first enable the option on the target server.

For example, if you want to connect remotely from your PC to a Domain Controller, you must enable RestrictAdminMode on the Domain Controller and then use it from your PC.

  • Decide which servers you want to connect to with RestrictAdminMode and add the following registry key.
  • Log in to the target server. Right-click the Start button --> Run --> type regedit to open the Registry.

  • Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • Create a new DWORD value with the name DisableRestrictedAdmin. The value will be 0.

  • You don't need to restart the server. Just log off.
  • From the PC on which you want to use Remote Desktop, run the following command.
  • Right-click the Start button --> Run and type Mstsc.exe /RestrictedAdmin

  • Connect to the server on which you have enabled RestrictAdminMode.
  • You will observe that it didn't ask for credentials while trying to connect to the server.
  • Now, from the server that you have connected to remotely, try to open a network resource on another server.
  • For example, right-click the Start button and select Computer Management.
  • Right-click Computer Management and select Connect to Another Computer.

  • Type the name of the computer that you want to connect to.
  • After connecting, try to open Services and you will see an Access Denied.

  • This happens because you have enabled RestrictAdminMode and don't have access to any other network resource.
  • Or try to add another server from All Servers in Server Manager. You can't.

 

Disable RestrictAdminMode

If you would like to disable RestrictAdminMode, open Regedit and change the value of DisableRestrictedAdmin from 0 to 1.

  • Click the Start button --> Run --> type regedit to open the Registry.

  • Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  • Change the value of DisableRestrictedAdmin from 0 to 1.
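The enable and disable steps above can also be scripted and audited on the target server instead of edited by hand in regedit. The following PowerShell is an added example, not part of the original article; the function names Get-RestrictedAdminState and Set-RestrictedAdminState are hypothetical helpers, and an absent value is reported separately as NotConfigured.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on the target server. Function names are hypothetical.
$LsaPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminState {
    # Reports the current setting: 0 = Enabled, 1 = Disabled,
    # value missing = NotConfigured (the article creates it to enable).
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ([int]$item.$ValueName) {
        0       { 'Enabled' }
        1       { 'Disabled' }
        default { "Unexpected($($item.$ValueName))" }
    }
}

function Set-RestrictedAdminState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    # Mapping taken from the article: 0 enables, 1 disables.
    $data = if ($State -eq 'Enabled') { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess("$LsaPath\$ValueName", "Set DWORD to $data")) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $LsaPath -Name $ValueName `
            -PropertyType DWord -Value $data -Force | Out-Null
    }
    # Return the state as read back from the registry, so the change is verified.
    Get-RestrictedAdminState
}

# Typical use on the target server:
#   Get-RestrictedAdminState                          # audit only
#   Set-RestrictedAdminState -State Enabled -WhatIf   # preview the change
#   Set-RestrictedAdminState -State Enabled           # apply, then log off
# Then, from the client PC:  mstsc.exe /RestrictedAdmin
```

Running Get-RestrictedAdminState on its own makes no changes, so it can be used to check which servers already have the option set before deciding where to enable it.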

 

It's very simple, and you can use it if you feel that you need more security in the important areas of your network.

Now it's your turn: tell us through our comment system whether you have used this option or whether this is the first time you have heard of it.

Have a nice weekend !!!
