Disable Administrator Group Access via RDP

paulmedynski · 04-17-2008

I have 3 users on my Vista Ultimate box: one for me, one for my wife, and one for RDP access. All three are in the administrators group because Windows makes it pretty much impossible to make real use of the computer without admin access. The two for myself and my wife do not have passwords because it would be annoying (the computer is physically secured within my home, so nobody has unauthorized access to it). The RDP user has a strong password. Back in Windows XP I could explicitly remove all users from the RDP access list except the specific RDP user. In Vista, all users in the Administrators group have RDP access and there's no way for me to remove the two users with no passwords. I ran a quick test, and I can RDP into my box with all three of the users, leaving the password field blank for my and my wife's users. This is totally unacceptable. How can I explicitly remove my and my wife's users from the RDP access list WITHOUT removing them from the Administrators group? I'm also open to other solutions, but they can't cripple my and my wife's accounts. We're not n00bs that need protection from ourselves.

Thanks,
-Paul

**dmex** · 04-17-2008

Hello paulmedynski and welcome to VistaX64!

Its possible to block the users from using Remote Desktop via Policy...
Type Local Security Policy into the start-menu searchbox then goto [Local Policys >> User Rights Assignment >> Deny Logon Through Terminal Services]

Just check the policy is working by logging on locally and remotely but should work perfectly...Im guessing you have allready been using the local security policy because by default no user can logon via RDP with blank passwords so I advise you change that setting back or anyone can still use your account to logon via RDP.

Steven

paulmedynski · 04-17-2008

Thanks dmex. I'll try this when I get home.

Regarding the Local Security Policy - yes I think I did have to change something to allow non-interactive logins without passwords. This was so I could install and use the Direct User Switching Task (Direct User Switching Task) since I can't find anything else similar to XP's Super Fast User Switching. I think I was guided to enable logons without passwords in order to be able to reliably switch between my and my wife's sessions. The DUST tool is invaluable - it takes literally 1 second to switch between users (using Win+Q like the SFUS used to), so removing it isn't an option. If anyone has a suggestion for getting a more native Super Fast User Switching working on Vista, please let me know.

I'm concerned that DUST probably uses Terminal Services to perform its switching, so denying login via TS for my non-password users may defeat DUST. Let's hope that isn't the case.

-Paul

paulmedynski · 04-21-2008

Thanks dmex,

I disabled Terminal Services login for both my and my wife's users, and RDP doesn't allow them to login anymore. The DUST tool also still works, which is great. You are correct, I did have to disable the local security policy that restricts non-welcome screen logins without a password. That's the only way that DUST can do seamless user switching without popping up a password dialogue. This is the same behaviour that the XP Super Fast User Switching PowerToy had, so I'm happy it is retained in Vista. It sucks that Microsoft didn't supply a similar feature builtin to Vista.

-Paul

04-17-2008	#1 (permalink)
paulmedynski Newbie Join Date: Apr 2008 Vista Ultimate AMD64 Posts: 3	Disable Administrator Group Access via RDP I have 3 users on my Vista Ultimate box: one for me, one for my wife, and one for RDP access. All three are in the administrators group because Windows makes it pretty much impossible to make real use of the computer without admin access. The two for myself and my wife do not have passwords because it would be annoying (the computer is physically secured within my home, so nobody has unauthorized access to it). The RDP user has a strong password. Back in Windows XP I could explicitly remove all users from the RDP access list except the specific RDP user. In Vista, all users in the Administrators group have RDP access and there's no way for me to remove the two users with no passwords. I ran a quick test, and I can RDP into my box with all three of the users, leaving the password field blank for my and my wife's users. This is totally unacceptable. How can I explicitly remove my and my wife's users from the RDP access list WITHOUT removing them from the Administrators group? I'm also open to other solutions, but they can't cripple my and my wife's accounts. We're not n00bs that need protection from ourselves. Thanks, -Paul

04-17-2008	#2 (permalink)
dmex ʛٯᴙᵁ Join Date: May 2007 Vista Ultimate Posts: 1,713 Location: Fremantle, Western Australia	Re: Disable Administrator Group Access via RDP Hello paulmedynski and welcome to VistaX64! Its possible to block the users from using Remote Desktop via Policy... Type Local Security Policy into the start-menu searchbox then goto [Local Policys >> User Rights Assignment >> Deny Logon Through Terminal Services] Just check the policy is working by logging on locally and remotely but should work perfectly...Im guessing you have allready been using the local security policy because by default no user can logon via RDP with blank passwords so I advise you change that setting back or anyone can still use your account to logon via RDP. Steven

04-17-2008	#3 (permalink)
paulmedynski Newbie Join Date: Apr 2008 Vista Ultimate AMD64 Posts: 3	Re: Disable Administrator Group Access via RDP Thanks dmex. I'll try this when I get home. Regarding the Local Security Policy - yes I think I did have to change something to allow non-interactive logins without passwords. This was so I could install and use the Direct User Switching Task (Direct User Switching Task) since I can't find anything else similar to XP's Super Fast User Switching. I think I was guided to enable logons without passwords in order to be able to reliably switch between my and my wife's sessions. The DUST tool is invaluable - it takes literally 1 second to switch between users (using Win+Q like the SFUS used to), so removing it isn't an option. If anyone has a suggestion for getting a more native Super Fast User Switching working on Vista, please let me know. I'm concerned that DUST probably uses Terminal Services to perform its switching, so denying login via TS for my non-password users may defeat DUST. Let's hope that isn't the case. -Paul

04-21-2008	#4 (permalink)
paulmedynski Newbie Join Date: Apr 2008 Vista Ultimate AMD64 Posts: 3	Re: Disable Administrator Group Access via RDP Thanks dmex, I disabled Terminal Services login for both my and my wife's users, and RDP doesn't allow them to login anymore. The DUST tool also still works, which is great. You are correct, I did have to disable the local security policy that restricts non-welcome screen logins without a password. That's the only way that DUST can do seamless user switching without popping up a password dialogue. This is the same behaviour that the XP Super Fast User Switching PowerToy had, so I'm happy it is retained in Vista. It sucks that Microsoft didn't supply a similar feature builtin to Vista. -Paul

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode