if I remember correctly, even Administrators lose some privilege when coming in via remote desktop (vs local logon). Also that that can be changed somewhere in local policy. But I can't find it. I'm hoping someone here remembers and can point me to the right place to change that.
thx
I have to admit I have difficulties to understand what you mean? What kind of privileges should admins lose when using remote desktop connection?
When you connect to a remote host you have to give credentials for a user account that exists on that remote host and you of course have the exactly same rights and privileges as if you were using that computer locally with the same user account, regardless of what kind of user account, admin or standard you have on your remote client (the computer you use to connect to remote host).
An example:
- PC-1, only two user accounts exist:
- Admin user ALMIGHTY
- Standard user NIXCANDO
- PC-2, only two user accounts exist:
- Admin user THEKING
- Standard user JUSTASERF
- You are using PC-1, logged in as standard user NIXCANDO
- You want to use PC-1 to connect to PC-2 (in other words, PC-1 is your remote client and PC-2 is your remote host)
- You cannot log in to PC-2 over RDC using accounts ALMIGHTY and NIXCANDO because although they exist on your remote client, they do not exist on remote host
- If you connect using JUSTASERF's credentials to connect to remote host, a user account that does not even exist on your remote client, you will of course have the JUSTASERF's standard user rights on remote host
- If you connect using THEKING's credentials to connect to remote host you will of course have the THEKING's admin user rights on remote host
The above put short: When using Remote Desktop Connection to connect to a remote host, you will have full local administrator rights if you connect using an existing admin account of the remote host.
Kari
i'm pretty sure that connecting via remote desktop lowers your privileges (connecting using the local machine id/pwd). so for example I think you can't connect to C$. I kind of remember some registry entry that disabled that.
That is not true.
You can use your local machine's (remote client) user credentials (username and password) only if a user account exists on the remote computer (remote host) with exactly same credentials. There is absolutely, completely no chance to sign in to a remote computer with credentials that do not exist there.
I repeat what I told in my first post in this thread: If you log in to remote computer using a standard account, you will get standard user privileges. If you log in to remote computer using an admin account, you get admin privileges.
Last edited by Kari; 06 Feb 2015 at 13:03.
That's what I meant. I guess bad context on my part. By local, I meant local to the remote machine.
I finally found it. It was not access via RemoteDesktop. It was running a command like shutdown -s -m <remotemachine> against a remote computer and getting an access denied because of reduced privileges.
The answer was to add LocalAccountTokenFilterPolicy = 1
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
for a more complete explanation - How to Remotely Shutdown or Restart a Windows Computer
Quote