Block Local Built In PC Administrator account from logging in via Remote Desktop Services

    Question

  • Hi,

    We would like to prevent the local administrator account on each PC from having rights to logon via Remote Desktop Services. I have found the necessary policy to do this:

    Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment and then

    'Deny log on through Remote Desktop Services'

    Whilst enabling this and defining the policy is not a problem, I am not sure of the syntax or correct form to add the built-in administrator for the PC it is being applied to.

    BUILTIN\Administrators is the whole group, don't want to do that, domain users/groups are easy. .\Administrator doesn't work. Typing in just 'Administrator' is allowed, but I am not sure which administrator that is applying to!

    Any thoughts would be great. Thanks in advance.

    Thursday, August 27, 2015 7:20 AM

Answers

All replies

  • As per my test, simply adding Administrator will be resolved as the built-in domain administrator.


    By default, the local built-in Administrators group has the right to log on via RDS, and the local Administrator account is a member of the Administrators group.


    So one workaround here to "prevent the local administrator account on each PC from having rights to logon via Remote Desktop Services", is to remove the local administrator account from the built-in administrators group, via Restricted group policy:

    https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

    A.B

    Monday, August 31, 2015 7:36 AM
  • Hi,
     
    Just checking in to see if the above information was helpful. Please let us know if you would like further assistance.
     
    Thanks,
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, September 03, 2015 11:36 AM
    Moderator
  • Hi,
     
    I'm marking the reply as answer as there has been no update for a couple of days.
     
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
     

    Regards,

    Ethan Hua



    Monday, September 07, 2015 4:17 AM
    Moderator
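
Added example (not part of any reply in this thread): a PowerShell check, run elevated on one PC, that lists which principals the 'Deny log on through Remote Desktop Services' right actually resolved to and flags whether that PC's own built-in Administrator (the local account with RID 500) is among them. It assumes PowerShell 5.1 or later for Get-LocalUser; the temp file name is arbitrary.

```powershell
# Audit SeDenyRemoteInteractiveLogonRight ("Deny log on through Remote Desktop Services").
# Added example; run elevated. The temp file name below is arbitrary.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes each entry as "*<SID>", or as a bare name if it could not map it to a SID.
$hit = Select-String -Path $cfg -Pattern '^SeDenyRemoteInteractiveLogonRight\s*=\s*(.*)$'
$entries = @()
if ($hit) {
    $entries = $hit.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# The built-in Administrator (local or domain) always has RID 500, even if renamed.
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Well-known SIDs that also cover local accounts without naming them individually.
$localAccountSids = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

$report = foreach ($e in $entries) {
    $sid = $null
    try {
        if ($e.StartsWith('*')) {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($e.TrimStart('*'))
        } else {
            $sid = ([System.Security.Principal.NTAccount]$e).Translate(
                [System.Security.Principal.SecurityIdentifier])
        }
    } catch { }
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
    [pscustomobject]@{
        Entry               = $e
        ResolvedName        = $name
        Sid                 = if ($sid) { $sid.Value } else { '<none>' }
        IsLocalRid500       = ($sid -and $sid.Value -eq $localAdmin.SID.Value)
        IsOtherRid500       = ($sid -and $sid.Value -like 'S-1-5-21-*-500' -and
                               $sid.Value -ne $localAdmin.SID.Value)
        CoversLocalAccounts = ($sid -and $localAccountSids.ContainsKey($sid.Value))
    }
}

$report | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.IsLocalRid500 -or $_.CoversLocalAccounts })) {
    Write-Warning "Local built-in Administrator ($($localAdmin.Name)) is not covered by the deny right."
}
```

An entry flagged IsOtherRid500 on a domain member is a RID-500 account from a different authority than the local SAM, which is the case the first reply describes for a bare 'Administrator' entry.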