Enabling Restricted Admin mode

  • Question

  • Hi

    We are planning to implement Restricted Admin mode on all servers through GPO. But we are not clear on the settings to be applied: whether it is applied only to the target servers (so that only Restricted Admin RDP will be allowed and normal RDP will be denied), or whether the policy is applied to both the client systems initiating RDP and the target systems (so that mstsc /restrictedadmin will be enforced automatically and the RDP session with the servers will be in restricted mode)? So if we apply it only to the servers, they accept both normal RDP and Restricted Admin mode RDP, right?

    As per the blog "https://blogs.technet.microsoft.com/canitpro/2016/06/23/step-by-step-enabling-restricted-admin-mode-for-remote-desktop-connections/", on the servers we need to enable it through the registry / GPO:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Add Registry Key DisableRestrictedAdmin Type: REG_DWORD Value: 0

    On the client machines, we need to enable the GPO to enforce restricted mode:

    Policies → Administrative Templates → System → Credentials Delegation : Restrict delegation of credentials to remote servers Enabled with Restricted mode as "Require Restricted Admin" 

    Please let us know whether there are any drawbacks / functionality issues with this setting; we are planning to apply this GPO to all systems including servers & clients.

    Thanks in advance


    LMS

    Thursday, September 12, 2019 9:56 AM

All replies

  • Hi,

    This setting is applied to the RDP client (the Windows client/server which establishes the remote session). That means an RDP client which has such a GP applied will establish remote sessions using Restricted Admin mode by default. It is not applied on the remote server side, and the server will accept both normal and restricted admin mode.

    The blog you mentioned provides two ways to enable Restricted Admin mode, registry or GP. It is a security configuration which avoids exposing the RDP client user's credentials to remote systems; however, it limits the user's permissions on the remote system. As mentioned in the blog, neither managing the remote server via Server Manager nor accessing network resources works.

    I would recommend you enable this function on one or two systems first and test for a period of time; if generally used applications and operations are not affected, you can deploy it to the other systems.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 13, 2019 3:27 AM
    Moderator
  • Hi,

    How things are going there on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang      


    Monday, September 16, 2019 1:32 AM
    Moderator
  • Thank You Eve

    Still, it's not clear to me. What we understood is that, to enable the Restricted Admin feature with RDP, first we need to enable the feature on all servers with the registry value below:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Add Registry Key DisableRestrictedAdmin Type: REG_DWORD Value: 0

    From clients we can use both normal RDP & Restricted Admin RDP (if we use mstsc /restrictedadmin). To enforce this feature we can apply the GPO below on the client machines:

    Policies → Administrative Templates → System → Credentials Delegation : Restrict delegation of credentials to remote servers Enabled with Restricted mode as "Require Restricted Admin"

    Is this correct?

    We will apply this with dev / quality servers and then will apply with other servers.

    Are there any known issues with Domain Controllers / Exchange servers with these settings?

    Thank You


    LMS

    Monday, September 16, 2019 8:58 AM
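The two settings discussed in this thread (the server-side DisableRestrictedAdmin value and the client-side "Require Restricted Admin" GPO) can be audited together before rolling the GPO out, as in the following PowerShell script. This is an added example, not code from the thread or from Microsoft: the server-side value name comes from the posts above; the client-side value names under CredentialsDelegation are the registry backing of that GPO as I know them from the CredSsp ADMX template, and the computer names are placeholders.

```powershell
# Added example (not from the thread): report the Restricted Admin state of one or more hosts.
# Server side (from the post): HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0 enables it.
# Client side (assumption, check against your CredSsp.admx): the GPO "Restrict delegation of
# credentials to remote servers" writes HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\
# RestrictedRemoteAdministration = 1 and RestrictedRemoteAdministrationType = 1 for "Require Restricted Admin".
function Get-RestrictedAdminState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $sb = {
        $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $cred = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

        $disable = (Get-ItemProperty -Path $lsa  -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
        $rra     = (Get-ItemProperty -Path $cred -Name RestrictedRemoteAdministration -ErrorAction SilentlyContinue).RestrictedRemoteAdministration
        $rraType = (Get-ItemProperty -Path $cred -Name RestrictedRemoteAdministrationType -ErrorAction SilentlyContinue).RestrictedRemoteAdministrationType

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            # Only the exact "enable" value from the blog counts; absent or other values are reported as not enabled.
            ServerAcceptsRA  = ($disable -eq 0)
            # Client forced into Restricted Admin for every outbound mstsc session.
            ClientRequiresRA = ($rra -eq 1 -and $rraType -eq 1)
            RawDisableRA     = $disable
            RawRRA           = $rra
            RawRRAType       = $rraType
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) { & $sb }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $sb }
}

# Apply the server-side step exactly as the post describes (run elevated on the target server),
# then re-read the state so the change is confirmed rather than assumed.
function Enable-RestrictedAdminServer {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    Get-RestrictedAdminState
}

# Pilot group first, as the reply recommends; 'dev-srv01' and 'qa-srv01' are placeholder names.
'dev-srv01', 'qa-srv01' | ForEach-Object { Get-RestrictedAdminState -ComputerName $_ } | Format-Table -AutoSize
```

A host that shows ServerAcceptsRA false will refuse an mstsc /restrictedadmin connection, so run the audit over the servers before the client GPO is scoped to them, otherwise forced clients lose RDP access to those hosts.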