Skirting around ‘Deny Remote Desktop Access’ GPO Settings

From time to time, I’ll encounter this issue. You’re troubleshooting a problem and need to log on remotely to a workstation. You’ve effectively got the keys to the kingdom, and yet a desktop workstation GPO prevents you from logging on remotely. Such a bummer!

Fortunately, if we know how GPO works (mostly by applying registry settings under the HKEY_Current_User\Software\Policies and HKLM:\Software\Policies trees, among other places), we can work around this, assuming we have the appropriate level of permissions.

First, connect to the remote workstation using Computer Management. Browse to Services and enable the Remote Registry and Remote Desktop Services.

Next, open Regedit and connect to the remote registry hive of the target workstation. Browse to HKLM:\System\CurrentControlSet\Control\Terminal Server and change the REG_DWORD value fDenyTSConnections to 0 (or 0x00000000 if you love hex).

You should now be able to remote desktop into the workstation. Depending on how the policies are applied in your domain, however, this will only last until the next policy application period. Normally you’ll get at least one logon out of it.
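Because the change persists until policy reapplies, it is worth being able to spot a workstation left in this state. The following is an added example, not code from the original post: a PowerShell check that reads the value changed above, compares it with the policy-side copy, and reports the two services. The function name `Test-RdpDenyDrift`, its `-ExpectRdpDenied` parameter, and the assumption that the deny setting is delivered through the Remote Desktop Services administrative template key are mine.

```powershell
# Added example: audit a workstation for the state the steps above leave behind.
# Run locally or through Invoke-Command; names below are hypothetical.
function Test-RdpDenyDrift {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: $true where policy is meant to block RDP.
        [bool]$ExpectRdpDenied = $true
    )

    $tsKey     = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    # Assumption: the GPO writes its copy of the setting to this policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Either value may be absent, so read without throwing; absent reads as $null.
    $effective = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $policy    = (Get-ItemProperty -Path $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # The two services the procedure enables.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry' OR Name='TermService'" |
        Select-Object Name, State, StartMode

    $findings = @()
    if ($ExpectRdpDenied -and $effective -eq 0) {
        $findings += 'fDenyTSConnections is 0: RDP connections are allowed'
    }
    if ($null -ne $policy -and $null -ne $effective -and $policy -ne $effective) {
        $findings += "Effective value ($effective) differs from policy value ($policy)"
    }
    # Assumption: Remote Registry is not expected to run on this workstation.
    $rr = $services | Where-Object Name -eq 'RemoteRegistry'
    if ($rr -and $rr.State -eq 'Running') {
        $findings += "RemoteRegistry is running (start mode $($rr.StartMode))"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Effective    = $effective
        Policy       = $policy
        Services     = $services
        Findings     = $findings
        Drift        = [bool]$findings.Count
    }
}

Test-RdpDenyDrift | Format-List
```

An empty `Findings` list means the workstation matches the expected deny state at the time of the check; the Remote Desktop Services service state is reported but not flagged, since its baseline varies between builds.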
