I'm looking for a way to disable Remote Desktop login for Windows 2008 for a specific user (a local administrator account), either using the command line or a script (such as VBS) in Windows 2008.

I understand I need to modify the local security policy, however, I have not found a way to perform this via either cmd or a script-based solution.

Anyone have any recommendations to how to solve this?

Best Regards

Anders L.

Anders

4 Answers


To disable Remote Desktop from the Windows command line, run the command below as administrator:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

To enable Remote Desktop from the Windows command line, run the following command as administrator:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Baxter

Create a registry file (.reg) with this in it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001

Then use regedit /s yourregfile.reg

If you want to script it better than that, use VBScript:

enable or disable rdp (remote desktop) on remote system.vbs

If you want to learn more on managing local group policies, check this Microsoft KB, it seems to cover a lot: Step-by-Step Guide to Managing Multiple Local Group Policy Objects

Yanick Girouard
  • Thanks for the advice, do you have any idea also how to block it for a specific local administrator? – Anders Feb 29 '12 at 13:55
  • Unless you're using a Domain Controller with an Active Directory and Active Directory Group Policies, you may have trouble doing that. Otherwise, just create a GPO on your AD that blocks that, and push it just to the users you want. If it's for a local account however, it's not that simple to do remotely as far as I know, but I'm not that advanced with GPOs, so maybe it's possible. – Yanick Girouard Feb 29 '12 at 13:58
  • No, it's a local account I'm afraid. – Anders Feb 29 '12 at 14:03
  • Besides, if the user is a local administrator on the system, he will be able to simply disable the policy himself unless you also restrict the use of gpedit (and any alternative software he could possibly download to edit policies). I've updated my answer with a Microsoft KB link showing how to manage local policies. You may be able to do something with that or at least learn more on the topic. – Yanick Girouard Feb 29 '12 at 14:06
@echo off
setlocal
rem Disable Remote Desktop on every computer named on the command line by
rem setting fDenyTSConnections=1 in that computer's registry via reg.exe.
if {%1}=={} goto syntax
:loop
if {%1}=={} goto finish
set remote="\\%1\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
shift
reg.exe ADD %remote% /v fDenyTSConnections /t REG_DWORD /d 1 /f>nul 2>&1
rem reg.exe returns non-zero when the remote key cannot be reached or written.
if NOT %ERRORLEVEL% EQU 0 @echo %remote% NOT found.
goto loop
:syntax
@echo Syntax: RemoteDesktop Computer1 [Computer2 .... Computern]
goto finish
:finish
endlocal

Save it as a .bat file, then open a CMD prompt and run: rdpdisabler.bat PCNAME

Ninja

In the end I ended up using a solution built upon VBS (the horror) and secedit.

' Windows 2008

' Setting variables and default value.
Dim denyLine,newConfigFile,user,config,secExport,secVal,secImport
denyLine            = "None"

' Path and filename for both the exported configuration file from secedit as well
' as the modified configuration file, as well as the name of the user.
newConfigFile       = "C:\some_config.ini"
config              = "C:\some_new_config.ini"

' The Windows user previously created for this purpose.
user                = "some_user"

' secedit commands required for exporting, validating and importing the new local user policy.
secExport           = "secedit /export /cfg "&config&" /areas USER_RIGHTS"
secVal              = "secedit /validate " & newConfigFile
secImport           = "secedit /configure /db %windir%\security\user_updated.sdb /cfg "& newConfigFile &" /areas USER_RIGHTS"

' Setting up the required regular expressions.
Set deny            = New RegExp
Set rights          = New RegExp
deny.Pattern        = "^SeDenyRemoteInteractiveLogonRight"
rights.Pattern      = "^\[Privilege Rights\]$"

' Reading the configuration file, this reading object supports unicode (TriStateTrue).
Const ForReading    = 1
Const TriStateTrue  = -1
Const ForWriting    = 2

' Create the Windows shell to run the command to extract the local security policy.
Set WshShell        = WScript.CreateObject("WScript.Shell")

' Only export the section we wish to append this information within.
export              = WshShell.Run(secExport,1,vbTrue)

' Verify the return code.
if export <> 0 Then
    WScript.Quit 1
End If

' Create the file object.
Set objFSO          = CreateObject("Scripting.FileSystemObject")

' Verify that the file exists.
If (objFSO.FileExists(config)) Then
    Set objFile         = objFSO.OpenTextFile(config,ForReading,False,TriStateTrue)
    strData             = objFile.ReadAll

    ' Closing the file descriptor.
    objFile.Close

    ' Placing the content of the file into an array.
    arrLines            = Split(strData,vbCrLf)
Else
    ' Quit if the file does not exist.
    WScript.Quit 1
End If

' Open (and create if needed) the new configuration file, where we are appending the
' modified/new rule. The fourth argument selects Unicode output, matching the export.
Set filetxt         = objFSO.OpenTextFile(newConfigFile,ForWriting,True,TriStateTrue)

' Walking over the array looking for an already existing configuration.
For Each strLine in arrLines
    If deny.Test(strLine) Then
        denyLine = strLine
    End If
Next

' Verify if a previous configuration exists.
If denyLine <> "None" Then
    ' There is already an existing configuration: append the user to this line,
    ' unless it is already listed (avoids duplicate entries on a re-run).
    alreadyListed = False
    For Each member In Split(Mid(denyLine, InStr(denyLine, "=") + 1), ",")
        If StrComp(Trim(member), user, vbTextCompare) = 0 Then alreadyListed = True
    Next
    If Not alreadyListed Then
        denyLine = denyLine & "," & user
    End If
Else
    ' No previous configuration exists, create a new line with the new user.
    denyLine = "SeDenyRemoteInteractiveLogonRight = " & user
End If

' Write changes to the new configuration file.
For Each strLine in arrLines
    ' Make sure the line has content.
    if len(strLine) <> 0 Then
        ' Do not write the old configuration, look for everything except that line.
        if NOT deny.Test(strLine) Then
            ' If we find the line [Privilege Rights], append our modified line after it.
            if rights.Test(strLine) Then
                filetxt.WriteLine(strLine)
                filetxt.WriteLine(denyLine)
            ' Otherwise keep writing everything else as normal.
            else
                filetxt.WriteLine(strLine)
            End If
        End If
    End If
Next

' Close the file descriptor.
filetxt.Close

' Validate the syntax in the new config file.
validate              = WshShell.Run(secVal,1,vbTrue)

' Verify the return code.
if validate <> 0 Then
    WScript.Quit 1
End If

import                = WshShell.Run(secImport,1,vbTrue)

' Verify the return code.
if import <> 0 Then
    WScript.Quit 1
End If

WScript.Quit 0
Anders
  • @jscott, Please view update. To the rest, I'm sure the code can be improved, however, view this as a POF not as a final version. I understand this really should be properly handled through a GPO, however, that was not possible within this context. – Anders Mar 04 '12 at 19:34
  • Thanks! The edits make your contribution valuable to the community. – jscott Mar 04 '12 at 23:07
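The template edit at the heart of the secedit answer above, written here as an added Python example (not code from the original answer or from Microsoft) so it can be run offline: it finds [Privilege Rights] in a secedit /export template, adds the user to SeDenyRemoteInteractiveLogonRight without duplicating an entry that is already present, and creates the line or the section when missing. The sample export text and the user name are constructed; the plain account-name form follows the VBS above.

```python
import re

# Constructed sample of what "secedit /export /areas USER_RIGHTS" writes
# (accounts appear as *SID); only the lines needed for the demo are included.
SAMPLE_EXPORT = "\r\n".join([
    "[Unicode]",
    "Unicode=yes",
    "[Privilege Rights]",
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555",
    "SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546",
    "[Version]",
    'signature="$CHICAGO$"',
    "Revision=1",
]) + "\r\n"

DENY_RIGHT = "SeDenyRemoteInteractiveLogonRight"
SECTION = "[Privilege Rights]"
DENY_RE = re.compile(rf"^\s*{DENY_RIGHT}\s*=\s*(.*)$", re.IGNORECASE)


def deny_rdp_for_user(template: str, user: str) -> str:
    """Add `user` to the RDP deny right; idempotent (case-insensitive match on
    existing members, as Windows account names are) and keeps every other line."""
    out, in_section, handled = [], False, False
    for line in template.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # Leaving [Privilege Rights] without having seen the right: add it here.
            if in_section and not handled:
                out.append(f"{DENY_RIGHT} = {user}")
                handled = True
            in_section = stripped.lower() == SECTION.lower()
            out.append(line)
            continue
        m = DENY_RE.match(line) if in_section else None
        if m:
            members = [x.strip() for x in m.group(1).split(",") if x.strip()]
            if not any(x.lower() == user.lower() for x in members):
                members.append(user)
            out.append(f"{DENY_RIGHT} = {','.join(members)}")
            handled = True
            continue
        out.append(line)
    if in_section and not handled:          # section was the last one in the file
        out.append(f"{DENY_RIGHT} = {user}")
    elif not handled:                        # no [Privilege Rights] section at all
        out.extend([SECTION, f"{DENY_RIGHT} = {user}"])
    return "\r\n".join(out) + "\r\n"        # secedit templates use CRLF line endings
```

The returned text is what would be written to the /cfg file for secedit /validate and /configure; the VBS above performs the same export, rewrite and import steps.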