Discussion:
How to restrict nested remote desktop sessions?
W2K3Newbie
2005-04-06 20:39:08 UTC
I need to find a way to block out nested remote desktop sessions on Windows
2003 servers... for example, if a user makes a remote desktop connection from
his XP workstation over to server "A", and then from that remote session,
makes a subsequent remote desktop connection over to server "B". I want to be
able to force the user to only go directly from his workstation to each
server via remote desktop, but I don't want to prohibit remote desktop sessions
from server "A" to server "B" when you're sitting at server A's physical
console. Is this possible? All users of remote desktop sessions have to log
in as local administrator too, because of the stupid way the application
running on each server was written.
Vera Noest [MVP]
2005-04-06 22:20:58 UTC
The easiest way to achieve this is by changing the NTFS permission
on mstsc.exe on the server.
But that won't work if your users are local Administrators, and
they really shouldn't be! If they are, you have far more problems
ahead of you than users starting nested rdp sessions.

I understand that some applications don't work out-of-the-box on a
TS, but it should *never* be necessary to make users
Administrators.

Instead, download FileMon and RegMon from
http://www.sysinternals.com/. Run them as administrator (when no
user is connected), start a TS session as a normal user and try to
run the application.

FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions on
a file-by-file or Registry subkey basis.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
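An added example for the two points in this thread (it is not code from either poster): the reply's NTFS approach of denying execute on mstsc.exe, and a way to audit the nested-session behaviour the question describes, since an NTFS deny cannot tell a console logon from an RDP logon and applies to both. The audit correlates running mstsc.exe processes with the session table printed by qwinsta; a session name of the form rdp-tcp#N marks a remote session, while the console session is named console. Assumptions: an elevated PowerShell 3 or later prompt on the server being checked, and the group name "Remote Desktop Users" as the group to deny (substitute your own).

```powershell
# Added example, not from the original thread.
# Part 1: the reply's approach, expressed with Set-Acl. Caveat: a Deny ACE on
# mstsc.exe blocks the group at the physical console as well as over RDP, and
# members of Administrators can simply remove the ACE again.
function Deny-MstscExecute {
    param(
        [string]$Group = 'BUILTIN\Remote Desktop Users',   # assumed group name
        [string]$Path  = "$env:SystemRoot\System32\mstsc.exe"
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ExecuteFile', 'Deny')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Part 2: audit. Parse the fixed-width table printed by qwinsta into objects.
function Get-SessionTable {
    $lines = qwinsta 2>$null
    if (-not $lines) { return @() }
    $header   = $lines[0]
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        if ($line.Length -lt $stateCol) { continue }
        # A leading '>' marks the session the command itself runs in.
        $sessionName = $line.Substring(0, $userCol).TrimStart('>').Trim()
        # Between USERNAME and STATE: an optional user name, then the
        # right-aligned numeric session ID (disconnected sessions have no user).
        $middle = $line.Substring($userCol, $stateCol - $userCol).Trim() -split '\s+'
        $user   = if ($middle.Count -gt 1) { $middle[0] } else { $null }
        [pscustomobject]@{
            Id          = [int]$middle[-1]
            SessionName = $sessionName
            UserName    = $user
            IsRemote    = $sessionName -like 'rdp-tcp#*'
        }
    }
}

# List every running RDP client (mstsc.exe) and flag the ones started from
# inside a remote session, which is exactly the nested case in the question.
function Find-NestedRdpClients {
    $sessions = @{}
    foreach ($s in Get-SessionTable) { $sessions[$s.Id] = $s }
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'mstsc.exe'" |
        ForEach-Object {
            $s = $sessions[[int]$_.SessionId]
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                SessionId   = $_.SessionId
                SessionName = if ($s) { $s.SessionName } else { '?' }
                UserName    = if ($s) { $s.UserName }    else { '?' }
                Nested      = [bool]($s -and $s.IsRemote)
            }
        }
}

# Usage: report only the nested ones.
Find-NestedRdpClients | Where-Object Nested | Format-Table -AutoSize
```

Run the audit on each server the users hop through; a row with Nested set to True is a user who started the RDP client from within an RDP session. Because the ACL deny in Part 1 cannot distinguish the two cases the question separates, the audit is the part that actually answers "is this happening", and as the reply notes, neither measure holds against users who are local Administrators.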