When dealing with Remote Desktop Services in Windows Server 2012 R2, there are multiple layers of permission checks that occur:
1. Network Level Access (Firewall/Port)
2. Server-Level "Allow log on through Remote Desktop Services" policy
3. RDSH Collection Settings
4. Local "Remote Desktop Users" group membership
Even when the domain Administrator isn't explicitly granted access through these channels, built-in Windows security mechanisms allow local administrators RDP access by default. Here's the technical breakdown:
# PowerShell to verify current settings
# Get-LocalGroupMember needs the LocalAccounts module (PowerShell 5.1 on Windows 10 / Server 2016 and later);
# on Server 2012 R2 use: net localgroup "Remote Desktop Users"
Get-LocalGroupMember -Group "Remote Desktop Users"
# fDenyTSConnections: 1 = Remote Desktop connections denied, 0 = allowed
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections"
For comprehensive blocking, we need to implement multiple controls:
1. Group Policy Method
Create or modify a GPO that applies to your target servers:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
Find "Deny log on through Remote Desktop Services" and add "Domain Admins" group
2. Registry Modification
For additional enforcement, set this registry key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"AllowRemoteRPC"=dword:00000000
3. Session Collection Configuration
For RD Session Host collections, explicitly set permissions:
# PowerShell to modify collection permissions
Import-Module RemoteDesktop
$collection = Get-RDSessionCollection -CollectionName "YourCollection"
Set-RDSessionCollectionConfiguration -CollectionName $collection.CollectionName -UserGroup "DOMAIN\AllowedUsers"
After implementation, test with:
# Test RDP access attempt logging
Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddHours(-1) |
Where-Object {$_.Message -like "*Administrator*"} |
Select-Object TimeGenerated,Message
For environments requiring more granular control:
- Implement Just Enough Administration (JEA) in PowerShell
- Configure Restricted Admin mode for RDP
- Deploy Privileged Access Workstations (PAWs)
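The four permission layers listed at the top can be audited in one pass. The following script is an added example, not code from the original post; it assumes it is run elevated on the Server 2012 R2 host itself, and that secedit.exe and the root\cimv2\terminalservices WMI namespace are present (both ship with the OS):

```powershell
# Added example: audit the RDP permission layers on the local host.
# Assumes an elevated session on the server being checked.
$report = [ordered]@{}

# Listener switch and Network Level Authentication (1 = NLA required)
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$report['fDenyTSConnections'] = $ts.fDenyTSConnections
$report['UserAuthentication (NLA)'] = $rdp.UserAuthentication

# User rights: "Allow"/"Deny log on through Remote Desktop Services", exported with secedit.
# Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
$inf = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /areas USER_RIGHTS /cfg $inf | Out-Null
$rightLines = Get-Content $inf | Where-Object { $_ -match '^Se(Deny)?RemoteInteractiveLogonRight' }
foreach ($line in $rightLines) {
    $name, $sids = $line -split '\s*=\s*', 2
    $accounts = foreach ($sid in ($sids -split ',')) {
        $sid = $sid.TrimStart('*')
        # Translate each SID to an account name; keep the raw SID if translation fails
        try { ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
    $report[$name] = $accounts -join '; '
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Local "Remote Desktop Users" membership via ADSI (works on 2012 R2, which lacks Get-LocalGroupMember)
$grp = [ADSI]"WinNT://./Remote Desktop Users,group"
$members = @($grp.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
}
$report['Remote Desktop Users'] = $members -join '; '

# RDP-Tcp listener ACL: one Win32_TSAccount instance per account entry.
# The BUILTIN\Administrators entry is what keeps the domain Administrator connected
# even when it is absent from every other layer.
$acl = Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_TSAccount |
    Where-Object { $_.TerminalName -eq 'RDP-Tcp' } |
    ForEach-Object { '{0} (allow={1} deny={2})' -f $_.AccountName, $_.AllowedPermissions, $_.DeniedPermissions }
$report['RDP-Tcp ACL'] = $acl -join '; '

$report.GetEnumerator() | Format-Table Name, Value -AutoSize -Wrap
```

If SeDenyRemoteInteractiveLogonRight does not appear in the output, no account is currently denied at the user-rights layer, which is the case the Group Policy method above is meant to change.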
When configuring Remote Desktop Services on Windows Server 2012 R2, you might encounter a situation where the domain Administrator account can still RDP into the server despite being excluded from the "Allowed to connect" user groups. This occurs because of Windows' built-in permissions hierarchy.
The domain Administrator account is part of the local "Administrators" group, which by default has these permissions:
# Check current RDP listener permissions via PowerShell (one Win32_TSAccount entry per account on the RDP-Tcp listener):
Get-WmiObject -Class Win32_TSAccount -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'" |
Select-Object AccountName, AllowedPermissions, DeniedPermissions
Even if you remove the Administrator from Remote Desktop Users group, the account maintains access through the BUILTIN\Administrators group membership.
Here's how to properly restrict RDP access while maintaining operational functionality:
Method 1: Using Group Policy (Recommended)
Create a new GPO and apply it to your terminal servers:
1. Open Group Policy Management
2. Create a new GPO named "Terminal Server Security - RDP Restrictions"
3. Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
4. Modify "Allow log on through Remote Desktop Services":
- Remove "Administrators" group
- Add specific security groups for permitted users
5. Add the following registry setting to prevent admin token creation:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"FilterAdministratorToken"=dword:00000001
Method 2: Direct Server Configuration
For individual servers not managed by GPO:
# PowerShell script to modify RDP permissions:
# Each Win32_TSAccount instance is one entry on the RDP-Tcp listener ACL; Delete() removes that entry.
# Access inherited through the BUILTIN\Administrators entry is not affected by this, which is why
# the user-rights assignment in Method 1 remains the authoritative control.
$acct = Get-WmiObject -Class Win32_TSAccount -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp' AND AccountName='DOMAIN\\Administrator'"
if ($acct) { $acct.Delete() | Out-Null }
# Enable Admin Approval Mode for the built-in Administrator account (FilterAdministratorToken):
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "FilterAdministratorToken" -Value 1
For RD Session Host servers with collections, additional steps are needed:
1. Open Remote Desktop Services Manager
2. Right-click the collection → Properties
3. Security tab → Remove "DOMAIN\Administrator" from permissions
4. Under User Groups, ensure no admin groups are listed
5. Set "Require user authentication for remote connections" to Enabled
After implementing these changes, verify by attempting an RDP connection as DOMAIN\Administrator from a test workstation and then checking the server's Security log:
# Failed logons (event 4625) involving the Administrator account in the last hour
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -like "*Administrator*" } |
Select-Object TimeCreated, Id
This should show the RDP attempt being rejected while proper elevation via Run As continues to work.
- Create dedicated service accounts for administrative tasks
- Implement Just Enough Administration (JEA) endpoints
- Configure LAPS for local admin password management
- Enable RDP Network Level Authentication (NLA)