Skirting around 'Deny Remote Desktop Access' GPO Settings

Published August 23, 2013 by FoxDeploy

From time to time, I’ll encounter this issue. You’re troubleshooting a problem and need to log on remotely to a workstation. You’ve effectively got the keys to the kingdom, and yet a desktop workstation GPO prevents you from logging on remotely. Such a bummer!

Fortunately, if we know how GPO works (mostly by applying registry settings under the HKEY_CURRENT_USER\Software\Policies and HKLM:\Software\Policies trees, among other places), we can work around this, assuming we have the appropriate level of permission.

First, connect to the remote workstation using Computer Management. Browse to Services and enable the Remote Registry and Remote Desktop Services services.

Next, open Regedit and connect to the remote registry hive of the target workstation. Browse to HKLM:\System\CurrentControlSet\Control\Terminal Server and change the REG_DWORD value of fDenyTSConnections to 0 (or 0x00000000 if you love hex).

You should now be able to remote desktop into the workstation. Depending on how the policies are applied in your domain, however, this will only last until the next policy application period. Normally you’ll get at least one logon out of it.
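Because the change only lasts until policy reapplies, the useful check on the defending side is whether a workstation's effective value currently disagrees with what the GPO is meant to enforce. The following is an added example, not code from the original post: the function name `Get-RdpDenyDrift`, the `ExpectedDeny` parameter, and the assumption that the GPO writes its copy of the value under the Policies tree are all illustrative.

```powershell
# Added example (not from the original post): local audit for RDP-deny drift.
function Get-RdpDenyDrift {
    [CmdletBinding()]
    param(
        # Assumption: the domain GPO is meant to deny RDP (value 1).
        [int]$ExpectedDeny = 1
    )

    $name         = 'fDenyTSConnections'
    # Effective value, the one the post edits.
    $effectiveKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Assumption: the GPO is the administrative-template setting, which
    # stores its copy of the value under the Policies tree.
    $policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Return the DWORD as an int, or $null when the value is absent.
    $read = {
        param([string]$Path)
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.$name }
    }
    $effective = & $read $effectiveKey
    $policy    = & $read $policyKey

    # State of the two services the post turns on before editing the registry.
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='RemoteRegistry' OR Name='TermService'"
    $rr  = $svc | Where-Object Name -eq 'RemoteRegistry'
    $ts  = $svc | Where-Object Name -eq 'TermService'

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        EffectiveDeny       = $effective
        PolicyDeny          = $policy
        # True when the machine currently accepts RDP although policy says deny.
        Drift               = ($effective -ne $ExpectedDeny)
        RemoteRegistryState = $rr.State
        RemoteRegistryStart = $rr.StartMode
        TermServiceState    = $ts.State
        CheckedAt           = (Get-Date).ToString('s')
    }
}

Get-RdpDenyDrift
```

Run it on a schedule shorter than the policy refresh interval; a row with `Drift` set to `True` and `RemoteRegistryState` of `Running` matches the sequence described above.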
