Enable RDP console connections for non-administrative users

When using Microsoft’s RDP protocol, you may have come across the “console” connection. This is a connection usually used for administrative purposes and is therefore restricted to administrative users. Accessing the console is usually done by specifying /admin either after the server name, or at the command line when launching mstsc.

Normally, to allow users to access an RDP session, a user must be in the local Remote Desktop Users group, and to use the console connection a user must be in the local Administrators group. But what if you have a requirement to allow a user to use a console connection without the security implications of adding them to the Administrators group?

I had an unusual scenario: we host a Remote Desktop Services farm, but a very small, select number of users were only able to connect to one server due to some networking rules and restrictions. As that server is a farm member, the broker disallows direct connections unless you use a console connection. Obviously we don’t want to allow end-users to have administrative access, so we wanted to avoid adding the users to the Administrators group.

This can be achieved by adding the users or a group to the Console connection’s ACL, but for security reasons, there is no GUI method of doing this. You can grant access to the RDP-Tcp connection via the Remote Desktop Session Host Configuration tool, however the Console must be done via Windows Management Instrumentation (WMI).

This should work for all modern versions of Windows Server, however I have only tested this on Windows Server 2008 R2.

To do this, launch a Command Prompt with administrative privileges and enter the following command:

wmic /namespace:\\root\cimv2\TerminalServices PATH WIN32_TSPermissionsSetting.TerminalName="Console" call AddAccount "Domain\User",X

Replace “Domain\User” with your user account or group name.
Replace X with a permission level as follows:

0 = WINSTATION_GUEST_ACCESS
1 = WINSTATION_USER_ACCESS
2 = WINSTATION_ALL_ACCESS

Hit Enter to execute the command. If successful, you should get the following output:

Executing (\\COMPUTERNAME\root\cimv2\TerminalServices:Win32_TSPermissionsSetting.TerminalName="Console")->AddAccount()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};

In the example below, I have created a local group called RDP Admin Users and granted it access level 2.

Once this has been executed, users that are a member of this group should now be able to create a console connection over RDP.
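The same change scripted in PowerShell, as an added example that is not part of the original post: it lists the listener’s existing entries (Win32_TSAccount) before and after calling the same Win32_TSPermissionsSetting.AddAccount method, so the resulting ACL is visible and reviewable. It assumes a Win32_TSPermissionsSetting instance named "Console" exists on the host, as on the author’s Windows Server 2008 R2 servers; the group name shown is a hypothetical placeholder.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell prompt.
# Grants $Account the chosen level on the RDP listener $Terminal and shows the
# listener's ACL before and after, so the change can be audited.
param(
    [Parameter(Mandatory)][string]$Account,      # e.g. "DOMAIN\RDP Console Users" (hypothetical name)
    [Parameter(Mandatory)][ValidateSet(0,1,2)][int]$Level,  # 0 GUEST, 1 USER, 2 ALL (table above); the post used 2
    [string]$Terminal = 'Console'
)

$ns = 'root\cimv2\TerminalServices'

function Get-TSListenerAccounts([string]$TerminalName) {
    # Win32_TSAccount holds one row per ACE on a listener: who is allowed or denied what.
    Get-WmiObject -Namespace $ns -Class Win32_TSAccount -Filter "TerminalName='$TerminalName'" |
        Select-Object AccountName, SID, PermissionsAllowed, PermissionsDenied
}

Write-Host "ACL on listener '$Terminal' before the change:"
Get-TSListenerAccounts $Terminal | Format-Table -AutoSize

$setting = Get-WmiObject -Namespace $ns -Class Win32_TSPermissionsSetting -Filter "TerminalName='$Terminal'"
if (-not $setting) { throw "No Win32_TSPermissionsSetting instance named '$Terminal' found on this host." }

# Do not silently widen an entry that is already present; remove it first
# (Win32_TSAccount.Delete) if that is really intended.
$existing = Get-WmiObject -Namespace $ns -Class Win32_TSAccount -Filter "TerminalName='$Terminal'" |
    Where-Object { $_.AccountName -eq $Account }
if ($existing) {
    throw "$Account already has an entry on '$Terminal' (allowed mask $($existing.PermissionsAllowed))."
}

# Same method the wmic command in the post invokes: AddAccount(AccountName, PermissionPreSet).
$result = $setting.AddAccount($Account, $Level)
if ($result.ReturnValue -ne 0) { throw "AddAccount failed with ReturnValue $($result.ReturnValue)" }
Write-Host "Granted '$Account' level $Level on listener '$Terminal'."

Write-Host "ACL on listener '$Terminal' after the change:"
Get-TSListenerAccounts $Terminal | Format-Table -AutoSize
```

Keep the "before" listing with your change record; it is the quickest way to spot an account that was granted console access outside this process.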

2 thoughts on “Enable RDP console connections for non-administrative users”

  1. Hi, well in Windows 2016, it doesn’t work sadly. Getting back an invalid verb switch. It was really what I needed, allowing a regular user to use console mode on an RDS farm without being admin :(.

    1. Hi,
      Sorry to hear this isn’t working for you! The servers I had performed this on were Windows 2008 R2 I believe, I can’t say I’ve tested this on anything newer.

      Invalid Verb is an error that usually comes from PowerShell, I believe. Was this executed in a PowerShell window? If so, it may be worth trying cmd in case there is some strange character substitution going on with the PowerShell console.

      Otherwise, do you have a screenshot of the full command line & the error that occurs? I could take a look to see if there is anything obvious that might be wrong.

      Thanks,
      Mike
