Restricted Admin Mode for Remote Desktop Connection

This post provides a comprehensive guide on Restricted Admin mode for Remote Desktop Connection. If you're interested in learning more about this concept, continue reading the following content.

Ellie

By Ellie / Updated on October 24, 2024

Share this: instagram reddit

What is Restricted Admin mode?

When administrators establish a remote connection to a computer via RDP, their credentials are typically saved on the remote system. This poses a security risk if the system is compromised.

Restricted Admin mode is a security feature introduced in Windows Server 2012 R2 and Windows 8.1 for secure remote access. It allows an administrator to connect to a remote computer without exposing their credentials to the remote host. Essentially, it mitigates the risk of credential theft during remote desktop sessions.

When an administrator initiates a remote desktop connection using Restricted Admin mode, the credentials are not sent to the remote computer. Instead, a unique session is created on the remote computer with a temporary set of credentials. This temporary session operates within the security context of the local computer, ensuring that the administrator's credentials remain protected.

Restricted Admin Mode

2 ways to enable Restricted Admin mode for Remote Desktop Connection

By default, Restricted Admin mode is turned off and needs to be specifically enabled on the target server through Group Policy or the Windows Registry setting. Follow the detailed steps below to enable Restricted Admin mode for Remote Desktop Connection.

Way 1. Enable Restricted Admin mode using the Group Policy

Step 1. To launch the Local Group Policy Editor, begin by opening the Run dialog box and typing "gpedit.msc", then press “Enter”.

Run Box gpedit.msc

Step 2. Proceed to navigate to Computer Configuration > Administrative Templates > System > Credential Delegation.

Credentials Delegations

Step 3. Within this section, enable the option labeled "Restrict Delegation of credentials to remote servers".

Enable Delegation of Credentials

Step 4. It's important to note that a system reboot is unnecessary for these settings to take effect.

Way 2. Enable Restricted Admin mode via the Windows Registry

Step 1. To access the Registry Editor, first, open the Run dialog box by pressing the "Windows" key + "R", then type "regedit" and press “Enter”.

Run Box regedit

Step 2. Navigate to the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

Lsa

Step 3. Right-click to add a new Registry Key with the type “REG_DWORD”.

New DisableRestrictedAdmin Key

Step 4. Name the new key “DisableRestrictedAdmin” and set the value to “0”.

DisableRestrictedAdmin

Step 5. It's worth noting that a system reboot is unnecessary for these settings to be applied.

How to connect to a remote server using the Restricted Admin mode

After configuring Restricted Admin mode for RDP via the registry or GPO, you can connect to the remote RDP server using the command line or run command. To enable Restricted Admin mode, add an extra parameter to the Remote Desktop client application in the command line as shown below.

To connect to a remote Windows device using Restricted Admin mode, open a command prompt, type "mstsc /restrictedadmin", and press "Enter". Once the Remote Desktop Connection app opens, proceed with the connection as usual.

Run RDP in Restricted Admin Mode

Bonus tip: Secure remote desktop connections with AnyViewer

Secure remote desktop connections don’t have to be so complicated. AnyViewer is the free remote desktop software prioritizing security and includes features such as:

  • Asymmetric ECC 256-bit end-to-end encryption to protect remote desktop connections. While it may not have a feature with the same name as "Restricted Admin mode," it employs various security measures to ensure the confidentiality and integrity of remote sessions.
  • AnyViewer’s two-factor authentication adds an extra layer of security to the authentication process. Users can enable 2FA to require a second form of verification, such as a one-time password sent to their mobile device, in addition to their regular login credentials.
  • AnyViewer has a role permission management feature. On the account web page, administrators can create sub-account role groups for employees at various levels and assign specific permissions to each group. This feature is particularly useful in scenarios where you need to restrict sub-accounts under different roles to access and operate only certain functions, thereby preventing unauthorized access and potential data breaches. The feature is exclusive to AnyViewer Enterprise Edition, please upgrade your account after registering.
Download Freeware Win PCs & Servers
Secure Download

Here's how to create sub-account role groups and assign specific permissions: 

Step 1. Go to the AnyViewer user information page. Click User Management > Role Permission to create a new role.

Create New Role

Step 2. In this Role permission page, click Edit permission settings.

Modify Role Name

Step 3. The following shows the permissions you can set.

Permission Setting

★Tips:
The AnyViewer Enterprise Edition offers more features such as unlimited concurrent remote sessions, Mass Deployment (MSI), creating groups for computers, etc.

The bottom line

In conclusion, Restricted Admin mode for Remote Desktop Connection is a crucial security feature introduced in Windows Server 2012 R2 and Windows 8.1 to mitigate the risk of credential theft during remote desktop sessions. This guide has provided comprehensive steps to enable Restricted Admin mode using Group Policy or the Windows Registry, ensuring that administrators can connect to remote computers without exposing their credentials.

Additionally, for enhanced security, consider utilizing AnyViewer, the safest way to remote access a PC that prioritizes security with features like two-factor authentication and role permission management. By implementing these measures, remote desktop connections can be made more secure and resistant to unauthorized access and potential data breaches.