1

I can't seem to be able to have multiple administrators connect to Windows Server 2008 R2 Standard. Each time a different administrator logs in, it takes the current session away from the user and gives it to them and boots the original user from the server.

I've also tried connecting 1 instance normally and a 2nd with the /admin flag on remote desktop and that didn't matter either.

Chris Marisic
  • 1,424
  • 8
  • 33
  • 51
  • 5
    Your problem is that you seem to have a **bad security practice of sharing an admin account**. You should create per-user accounts, so you know who screwed things up. Stop doing that. – Zoredache Dec 20 '11 at 18:01
  • 1
    @Zoredache and there things that matter, and things that matter more. This is not one of the ones that matter more. – Chris Marisic Dec 20 '11 at 18:33
  • 1
    @ChrisMarisic Obviously everyone's organization is different, but this is pretty basic. If an auditor were to come in and you fail an audit - or if data was compromised/stolen by a malicious admin- you would have no way to prove that it was the other guy and not you. This is an easy way for everyone to lose their job instead of just one bad apple and it should take no more than 5 minutes to configure. – MDMarra Dec 20 '11 at 18:43
  • @ChrisMarisic, so now you are at a point were the standard Windows functionality makes sharing a admin account a big PITA, it is time to seriously consider modifying your practices to be more in-line with what is more common, since it will work better. – Zoredache Dec 20 '11 at 18:53
  • @Zoredache it's been on the list, with how 2008 handles the rdc sessions however it just moved a few steps up the list. – Chris Marisic Dec 20 '11 at 20:35

3 Answers3

10

It is not about administrative sessions, it is about the user. Unless you reconfigure it the new default is only one session PER USER.

There was an issue with the old approah that sometimes the server would not recognize it is a reconnect so an admin would run out of sessions.

I suggest you just dont run multiple conections - ON ONE ACCOUNT. Create separate accounts per administrator, as is best practice anyway.

TomTom
  • 51,649
  • 7
  • 54
  • 136
10

Without any RDS licensing, Windows Server 2008 R2 allows for two concurrent connections for management from two different users. If you have two users sharing an administrative account, when one logs in he will "hijack" the open session of the other admin unless he explicitly connects to a new session, which is not the default RDP behavior.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • This is changed from how server 2003 behaves that allows multiple administrators to connect to the same machine? – Chris Marisic Dec 20 '11 at 18:08
  • No, this is the same. In 2003 and 2008(R2) you can have two simultaneous management connections via RDP. The problem is that you can never have two users connecting to manage the same server with the same user name. You'd need two separate accounts for two separate connections in both cases. – MDMarra Dec 20 '11 at 18:11
  • I swear it's always let me have 2 different sessions for 2 different users logged in as administrator on 2003. If it really doesn't I guess I could only be remembering a console session as the 2nd session. – Chris Marisic Dec 20 '11 at 18:22
  • Actually, upon further review, it looks like this **is** a change from the default behavior of 2003. – MDMarra Dec 20 '11 at 19:35
  • I was really sure I had done this on 2003, this post started to make me question my sanity. – Chris Marisic Dec 20 '11 at 20:32
  • You may want to consider changing the text of this accepted answer to the correct answer text provided by TomTom. – Greg Askew Dec 24 '11 at 15:00
  • @GregAskew care to elaborate? The two of us say the same thing essentially. – MDMarra Dec 24 '11 at 19:53
  • It does not need to be different users. For example, it is possible to logon the Administrator account in two sessions at the same time. As TomTom mentioned, this is due to the "Restrict each user to a single session" setting. Here is a screenshot from a Windows 2008 server: https://imgur.com/35sCN . An updated answer would primarily benefit others who read the selected answer in the future. – Greg Askew Dec 24 '11 at 20:23
  • @ChrisMarisic Sharing the password to the built-in Administrator account is enough to make *us* question your sanity. I would suggest that you immediately delegate appropriate administrative privileges to named admin accounts, rename the built-in domain administrator account, give it a long, complex, and non-memorable password -- keeping in mind that anyone who can reach a login prompt is entitled to unlimited attempts to guess the password of this account -- and seal that password in an envelope for "emergency" use. – Skyhawk Dec 24 '11 at 21:34
1

Shared accounts are a audit nightmare and security risk. That being said.. If you must use the same account for multiple users

Check the Group Policy for "Restrict each user to a single session setting"

Changes to remote administration in Windows Server 2008

Reconnecting to your existing physical console session is controlled by the "Restrict Terminal Services users to a single remote session" Group Policy setting, available in the Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Local Group Policy Editor. You can also configure this setting in the UI by using Terminal Services Configuration. (The Restrict each user to a single session setting appears under Edit settings, in the General section.)

p0rkjello
  • 154
  • 1