Discussion:
Change logon /disable - except admin
AlexT
2007-04-09 21:33:48 UTC
Folks

The subject says it all... Is there a (quick) way to disable logon
except for admins ?

Regards

--alexT
Vera Noest [MVP]
2007-04-09 22:17:56 UTC
Can't check at the moment, so be sure to test it, but I'm fairly
certain that the change logon /disable command doesn't apply to the
console session.
So assuming that you run 2003, you would still be able to connect to
the console, with mstsc /console.

Another method could be to temporarily remove your normal user group
from the local Remote Desktop Users group on the TS.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
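The second suggestion in the post above (temporarily taking ordinary users out of the local Remote Desktop Users group) can be scripted so that it is reversible. This is an added example, not part of the original post; it generalizes to saving and removing every current member, and the backup path `C:\Admin\rdu-members.txt` and the function names are assumptions. It relies on administrators keeping their access through the Administrators group, which is the default on the RDP-Tcp connection.

```powershell
# Added example: maintenance toggle for the local "Remote Desktop Users" group.
# Run from an elevated prompt on the terminal server itself.
$GroupPath  = 'WinNT://./Remote Desktop Users,group'
$BackupFile = 'C:\Admin\rdu-members.txt'   # hypothetical location, keep it admin-only

function Get-RduMembers {
    # Return the ADsPath of every member (users and groups) of the local group.
    $group = [ADSI]$GroupPath
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Disable-UserLogons {
    # Refuse to overwrite an earlier backup, otherwise the original
    # membership would be lost if this is run twice in a row.
    if (Test-Path $BackupFile) {
        throw "Backup $BackupFile already exists; run Restore-UserLogons first."
    }
    $members = @(Get-RduMembers)
    if ($members.Count -eq 0) {
        Write-Warning 'Remote Desktop Users is already empty; nothing to do.'
        return
    }
    # Save first, then remove, so a failure part-way can still be restored.
    $members | Set-Content -Path $BackupFile
    $group = [ADSI]$GroupPath
    foreach ($m in $members) { $group.psbase.Invoke('Remove', $m) }
    # This only blocks new logons; sessions already connected stay up.
}

function Restore-UserLogons {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    $group   = [ADSI]$GroupPath
    $current = @(Get-RduMembers)
    foreach ($m in Get-Content -Path $BackupFile) {
        # Skip anything that was re-added by hand in the meantime.
        if ($current -notcontains $m) { $group.psbase.Invoke('Add', $m) }
    }
    Remove-Item -Path $BackupFile
}
```

Before running `Disable-UserLogons`, confirm from a second session that an administrator account can still log on, so the change cannot lock out the people who need to reverse it.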
Soo Kuan Teo [MSFT]
2007-04-09 23:11:02 UTC
If I understand correctly, Change logon changes the winlogon behavior, this
means it should affect RDP-Tcp and console connections.
Another option would be to set the permissions to logon from
TSCC->RDP-Tcp->Permissions to 'deny'.

Thanks
Soo Kuan
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Vera Noest [MVP]
2007-04-09 23:32:57 UTC
Mmm, that sounds plausible.
I'll test it tomorrow at work and report back here.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Vera Noest [MVP]
2007-04-10 14:28:01 UTC
You were absolutely right, Soo Kuan!
Folks, don't use this, you will also lock yourself out from console
connections! Sorry, I should have tested first.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
AlexT
2007-04-10 14:48:22 UTC
Post by Vera Noest [MVP]
You were absolutely right, Soo Kuan!
Folks, don't use this, you will also lock yourself out from console
connections! Sorry, I should have tested first
Well... any other idea ?

:)

Regards

-alexT
Dragos CAMARA
2007-04-10 18:32:04 UTC
hi,
try to set the number of connections to 0 on rdp-tcp properties.
--
Dragos CAMARA
MCSA Windows 2003 server
Vera Noest [MVP]
2007-04-10 20:08:17 UTC
That will also lock everyone out, including Administrators.
Same problem as change logon /disable.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Vera Noest [MVP]
2007-04-10 20:07:20 UTC
Yes.
Both Soo Kuan and I suggested an alternative (changing the rdp
permissions)
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Post by AlexT
Post by Vera Noest [MVP]
You were absolutely right, Soo Kuan!
Folks, don't use this, you will also lock yourself out from
console connections! Sorry, I should have tested first
Well... any other idea ?
:)
Regards
-alexT
TP
2007-04-10 18:59:35 UTC
I think the easiest method is to remove the Remote Desktop
Users group from the RDP-Tcp permissions when you need
to disable logons for regular users. This assumes you have
your permissions set to default. Use Terminal Services
Configuration (tscc.msc) for this.

I like to create a separate RDP listener (RDP-Admin) on a
new port, for example, 3390, for admin connections. I set
the permissions so that only admins can use it. That way I can
right-click on the default RDP-Tcp listener and choose
All Tasks-->Disable Connection when I need to disable logons
for normal users.

-TP
Post by AlexT
Folks
The subject says it all... Is there a (quick) way to disable logon
except for admins ?
Regards
--alexT
AlexT
2007-04-10 20:34:01 UTC
Post by TP
I like to create a separate RDP listener (RDP-Admin) on a
new port, for example, 3390, for admin connections. I set
the permissions so that only admins can use it. That way I can
right-click on the default RDP-Tcp listener and choose
All Tasks-->Disable Connection when I need to disable logons
for normal users.
Sounds like a good idea... will have to test it :)

Thanks !

--alexT
TP
2007-04-10 20:45:20 UTC
Okay.

Let me know if you need help creating the new listener.

-TP