

Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

1 edit

Confusion with Microsoft instruction on RD

»support.microsoft.com/kb/306300

How to disable Remote Desktop by using Group Policy

To use the computer's local group policy to disable Remote Desktop:

Click Start, click Run, type gpedit.msc, and then click OK.
In the Group Policy editor, click to expand Computer Configuration, click to expand Administrative Templates, click to expand Windows Components, and then click to expand Terminal Services.
Double-click the Allow users to connect remotely using Terminal Services policy.
Set the policy to Enabled, and then click OK.


huh?

doesn't that enable remote desktop?


b_p_smith

join:2002-02-13
Merrickville, ON

Yes, that's my read too. Some of the GPO settings are a bit confusing, because in many you "enable" the policy, which then opens up some options. So in some cases you need to enable the policy, in order to disable a setting.
But since this one has no settings, you want to actually disable the policy.
--
Xplornet WiMAX -} Buffalo WZR-HP-G300NH running DD-WRT -} about 13 machines running everything you can think of.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

2 edits
reply to Cartel

FWIW, that's an XP article, and your last remote desktop question said Win7. That template does not seem to exist on Win7.

I RDP'd into an XP system, ran gpedit there, and the "allow users to connect remotely" template appeared where expected, in a state of "not configured".

The "explain" dialogue for the template says, in brief:

Specifies whether to allow users to connect remotely using Terminal Services.

Enabled: can log in to remote target computers.
Disabled: cannot log in (but existing sessions not affected).
Not configured: uses "allow users to connect to your computer" option on the target computer to determine whether connection is allowed.

So, yeah, the KB article is incorrectly worded. But this setting appears to be for *outgoing* connections, is that what you expected?

FWIW, the "enabled" description must be a lie. Sanity dictates that the local setting cannot override the remote setting: i.e., you can't force my computer to let you log in remotely if I don't want to allow it.



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

I was googling for answers about RD and this article just didn't make sense to me.
I know it's for XP and not Win7 but I just thought, "could M$ be this stupid?"

I guess the answer is yes.


Oedipus

join:2005-05-09
kudos:1
reply to Cartel

Why are you disabling it through gpedit? I can understand doing it through gpmc if it's a setting you're deploying, but why not just disable it through computer properties?



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

said by Oedipus:

Why are you disabling it through gpedit? I can understand doing it through gpmc if it's a setting you're deploying, but why not just disable it through computer properties?

because I want it disabled, and never be able to run, ever.

Shootist
Premium
join:2003-02-10
Decatur, GA
kudos:3

said by Cartel:

said by Oedipus:

Why are you disabling it through gpedit? I can understand doing it through gpmc if it's a setting you're deploying, but why not just disable it through computer properties?

because I want it disabled, and never be able to run, ever.

Why bother? If you do not have your router set to forward the correct port for RD to your computer's IP then no one can ever connect. Also you can change the listening port RD uses to some other than the default. That will stop even other local LAN computers from making a RD connection to your computer, unless they know the port # you are using.

Then again if you want to stop others that use your computer from making outgoing RD connections you can remove the client or set Admin permissions on it so it needs a password to run.
--
Shooter Ready--Stand By BEEP ********

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Cartel

said by Cartel:

Why are you disabling it

because I want it disabled, and never be able to run, ever.

Yeah, that's what the supported UI is for, on the system property sheet. See above.

gpedit isn't somehow 'better', it's the same setting, which is surely some registry value somewhere.


Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
kudos:2
reply to Cartel

I limit RDP connections explicitly to specific users (not groups) on a PC. If no users are allowed, then no connections can be made other than to get a deny message after entering the user name and password. To do this go to secpol.msc-- local policies/user rights assignment/allow log on through Remote Desktop Services. If you want to be thorough, remove all users there and turn it off like it is designed to be turned off. No one is going to make a connection. If accidentally or intentionally someone turns it on, the security policy will disallow any connections from being completed.
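
Added example, not part of any post in this thread: a read-only PowerShell check of the registry value behind the Remote Desktop setting dave refers to and of the user right Kramer describes. The registry paths, the `fDenyTSConnections` value, the `SeRemoteInteractiveLogonRight` name and the temp-file name are not from the thread; run it from an elevated prompt.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# secedit /export needs an elevated (administrator) PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-DenyValue([string]$Key) {
    # Returns $null when the key or value is absent ("Not configured").
    $item = Get-ItemProperty -Path $Key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.fDenyTSConnections } else { $null }
}

$policy = Get-DenyValue $policyKey   # written by gpedit / domain GPO
$local  = Get-DenyValue $localKey    # written by the System Properties sheet

# The stored value is a *deny* flag, the inverse of the policy's wording:
#   policy "Enabled"  -> fDenyTSConnections = 0 (incoming connections accepted)
#   policy "Disabled" -> fDenyTSConnections = 1 (incoming connections refused)
# When the policy value exists it takes precedence over the local one.
$effective = if ($null -ne $policy) { $policy } else { $local }
$state = switch ($effective) {
    0       { 'ALLOWED' }
    1       { 'DENIED' }
    default { 'UNKNOWN (no value found)' }
}

# Accounts holding "Allow log on through Remote Desktop Services".
$cfg = Join-Path $env:TEMP 'rd-user-rights.inf'   # temp file name is arbitrary
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are SIDs prefixed with '*'; a missing or empty line means nobody holds the right.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ })
}

[pscustomobject]@{
    PolicyValue         = if ($null -ne $policy) { $policy } else { 'Not configured' }
    LocalValue          = if ($null -ne $local)  { $local }  else { 'Not set' }
    IncomingConnections = $state
    LogonRightHolders   = if ($holders.Count) { $holders -join ', ' } else { '(none)' }
    TermServiceStatus   = (Get-Service TermService -ErrorAction SilentlyContinue).Status
} | Format-List
```

The machine refuses Remote Desktop logons when `IncomingConnections` is `DENIED`; an empty `LogonRightHolders` is the second barrier Kramer describes, which still applies if the first setting is later switched back on.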



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

My point is the KB article is wrong and does not disable, but enables RD


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

You are correct, but don't sweat it. Sometimes documentation is incorrect. At least in this case it was obviously wrong.

More to the point, though: if I understand your problem, it is preventing RDP connections to your machine, and that article is mostly about preventing RDP connections from your machine, thus is irrelevant to the situation. It's part of the generally-confused nature of that page that such a thing is not explicitly stated.

For the record, it's not some monolithic "Microsoft" that did this. A tech writer made a mistake and a tech reviewer was lazy. It happens.