Guest amos Posted July 19, 2008

Many of our offsite users have saved Remote Desktop Connection (.rdp) files saved with the password. Is there any way to have TS 2003 reject that kind of login, and ask for it to be manually typed in?

Guest Vera Noest [MVP] Posted July 19, 2008
Re: Any way to force users to log in manually?

Yes.

839918 - Hotfix that lets you control whether a user can save a password for Remote Desktop Connection sessions to a terminal server in Windows XP or in Windows 2000
http://support.microsoft.com/?kbid=839918

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

amos <amos@amos2.com> wrote on 19 jul 2008 in microsoft.public.windows.terminal_services:

> Many of our offsite users have saved Remote Desktop Connection
> (.rdp) files saved with the password. Is there any way to have
> TS 2003 reject that kind of login, and ask for it to be manually
> typed in?

Guest Jeff Pitsch Posted July 20, 2008
Re: Any way to force users to log in manually?

There is a gpo as well that you can set that forces prompt for password.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16...

> Yes.
>
> 839918 - Hotfix that lets you control whether a user can save a
> password for Remote Desktop Connection sessions to a terminal server
> in Windows XP or in Windows 2000
> http://support.microsoft.com/?kbid=839918
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> amos <amos@amos2.com> wrote on 19 jul 2008 in
> microsoft.public.windows.terminal_services:
>
>> Many of our offsite users have saved Remote Desktop Connection
>> (.rdp) files saved with the password. Is there any way to have
>> TS 2003 reject that kind of login, and ask for it to be manually
>> typed in?

Guest Vera Noest [MVP] Posted July 20, 2008
Re: Any way to force users to log in manually?

Eeeeh, that's exactly what is documented in the KB article...

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 20 jul 2008 in microsoft.public.windows.terminal_services:

> There is a gpo as well that you can set that forces prompt for
> password.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16...
>> Yes.
>>
>> 839918 - Hotfix that lets you control whether a user can save a
>> password for Remote Desktop Connection sessions to a terminal
>> server in Windows XP or in Windows 2000
>> http://support.microsoft.com/?kbid=839918
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> amos <amos@amos2.com> wrote on 19 jul 2008 in
>> microsoft.public.windows.terminal_services:
>>
>>> Many of our offsite users have saved Remote Desktop Connection
>>> (.rdp) files saved with the password. Is there any way to have
>>> TS 2003 reject that kind of login, and ask for it to be
>>> manually typed in?

Guest amos Posted July 20, 2008
Re: Any way to force users to log in manually?

OK, I've read that and somehow remain unsure about what it means. It's a server setting that knows enough to disregard the 'save password' checkbox in the rdc dialog? Remember these are not AD users on a corporate lan, these are users who are not part of the server domain. I am pretty sure that you both understood what I was requesting, but I'd just like to be positive that a user from 'outside' connecting via cisco vpn who has 'save password' check on their connection, would be forced to manually log in despite that 'save password' checkbox?

Thanks for your help

In article <Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16>, vera.noest@remove-this.hem.utfors.se says...

> Yes.
>
> 839918 - Hotfix that lets you control whether a user can save a
> password for Remote Desktop Connection sessions to a terminal server
> in Windows XP or in Windows 2000
> http://support.microsoft.com/?kbid=839918
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> amos <amos@amos2.com> wrote on 19 jul 2008 in
> microsoft.public.windows.terminal_services:
>
> > Many of our offsite users have saved Remote Desktop Connection
> > (.rdp) files saved with the password. Is there any way to have
> > TS 2003 reject that kind of login, and ask for it to be manually
> > typed in?
>

Guest Vera Noest [MVP] Posted July 20, 2008
Re: Any way to force users to log in manually?

No, that was not clear from your first post. The users or the clients must belong to your domain, otherwise the GPO won't be applied to them.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

amos <amos@amos2.com> wrote on 20 jul 2008 in microsoft.public.windows.terminal_services:

> OK, I've read that and somehow remain unsure about what it
> means. It's a server setting that knows enough to disregard the
> 'save password' checkbox in the rdc dialog? Remember these are
> not AD users on a corporate lan, these are users who are not
> part of the server domain. I am pretty sure that you both
> understood what I was requesting, but I'd just like to be
> positive that a user from 'outside' connecting via cisco vpn who
> has 'save password' check on their connection, would be forced
> to manually log in despite that 'save password' checkbox?
>
> Thanks for your help
>
> In article <Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16>,
> vera.noest@remove-this.hem.utfors.se says...
>> Yes.
>>
>> 839918 - Hotfix that lets you control whether a user can save a
>> password for Remote Desktop Connection sessions to a terminal
>> server in Windows XP or in Windows 2000
>> http://support.microsoft.com/?kbid=839918
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> amos <amos@amos2.com> wrote on 19 jul 2008 in
>> microsoft.public.windows.terminal_services:
>>
>> > Many of our offsite users have saved Remote Desktop
>> > Connection (.rdp) files saved with the password. Is there any
>> > way to have TS 2003 reject that kind of login, and ask for it
>> > to be manually typed in?

Guest amos Posted July 20, 2008
Re: Any way to force users to log in manually?

In article <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>, vera.noest@remove-this.hem.utfors.se says...

> No, that was not clear from your first post. The users or the
> clients must belong to your domain, otherwise the GPO won't be
> applied to them.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
>

OK, then is there any way to force 'external' users to have to manually enter a password?

Guest Vera Noest [MVP] Posted July 21, 2008
Re: Any way to force users to log in manually?

amos <amos@amos2.com> wrote on 20 jul 2008:

> In article <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
> vera.noest@remove-this.hem.utfors.se says...
>> No, that was not clear from your first post. The users or the
>> clients must belong to your domain, otherwise the GPO won't be
>> applied to them.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>>
> OK, then is there any way to force 'external' users to have to
> manually enter a password?

If you don't have any control over the user accounts or the clients, no, I don't think so. Not without an additional logon requirement, like smart cards or something like that.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Guest Jeff Pitsch Posted July 21, 2008
Re: Any way to force users to log in manually?

Oh sure, now I'm expected to read the articles lol j/k Vera. I should've read that article better. I thought the article was talking about a hotfix to put on the XP machines.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9AE17A6BD1F4Cveranoesthemutforsse@207.46.248.16...

> Eeeeh, that's exactly what is documented in the KB article...
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 20 jul 2008
> in microsoft.public.windows.terminal_services:
>
>> There is a gpo as well that you can set that forces prompt for
>> password.
>>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Services
>>
>>
>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16...
>>> Yes.
>>>
>>> 839918 - Hotfix that lets you control whether a user can save a
>>> password for Remote Desktop Connection sessions to a terminal
>>> server in Windows XP or in Windows 2000
>>> http://support.microsoft.com/?kbid=839918
>>>
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> ___ please respond in newsgroup, NOT by private email ___
>>>
>>> amos <amos@amos2.com> wrote on 19 jul 2008 in
>>> microsoft.public.windows.terminal_services:
>>>
>>>> Many of our offsite users have saved Remote Desktop Connection
>>>> (.rdp) files saved with the password. Is there any way to have
>>>> TS 2003 reject that kind of login, and ask for it to be
>>>> manually typed in?

Guest Jeff Pitsch Posted July 21, 2008
Re: Any way to force users to log in manually?

The GPO is a computer setting not a user setting. Therefore it doesn't matter if the users are part of the domain or not. The GPO will work fine.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message news:Xns9AE29E12730veranoesthemutforsse@207.46.248.16...

> amos <amos@amos2.com> wrote on 20 jul 2008:
>
>> In article <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
>> vera.noest@remove-this.hem.utfors.se says...
>>> No, that was not clear from your first post. The users or the
>>> clients must belong to your domain, otherwise the GPO won't be
>>> applied to them.
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>>
>> OK, then is there any way to force 'external' users to have to
>> manually enter a password?
>
> If you don't have any control over the user accounts or the
> clients, no, I don't think so. Not without an additional logon
> requirement, like smart cards or something like that.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*

Guest Vera Noest [MVP] Posted July 21, 2008
Re: Any way to force users to log in manually?

But as I understand it now, neither the users nor the clients are part of the domain. Then I don't see how it can be done. Or am I missing something?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 21 jul 2008 in microsoft.public.windows.terminal_services:

> The GPO is a computer setting not a user setting. Therefore it
> doesn't matter if the users are part of the domain or not. The
> GPO will work fine.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
>
> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9AE29E12730veranoesthemutforsse@207.46.248.16...
>> amos <amos@amos2.com> wrote on 20 jul 2008:
>>
>>> In article
>>> <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
>>> vera.noest@remove-this.hem.utfors.se says...
>>>> No, that was not clear from your first post. The users or the
>>>> clients must belong to your domain, otherwise the GPO won't
>>>> be applied to them.
>>>> _________________________________________________________
>>>> Vera Noest
>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>> TS troubleshooting: http://ts.veranoest.net
>>>>
>>> OK, then is there any way to force 'external' users to have to
>>> manually enter a password?
>>
>> If you don't have any control over the user accounts or the
>> clients, no, I don't think so. Not without an additional logon
>> requirement, like smart cards or something like that.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> *----------- Please reply in newsgroup -------------*

Guest amos Posted July 21, 2008
Re: Any way to force users to log in manually?

Yes, sorry for the original post being less than lucid. I thought I had laid it all out but it was pretty skimpy on my situation. For my particular situation it's true, the users are widely dispersed, many will be operating out of home offices, and not part of any lan or domain. It'd be very cool if the gpo setting did result in any and all requests for an rd connection to need manual password entry, so it'll be interesting to see what the upshot is. I may be able to experiment with the server in question, but that'd not be my first choice.

Guest TP Posted July 22, 2008
Re: Any way to force users to log in manually?

Hi,

On the server:

1. Open Terminal Services Configuration (tscc.msc)
2. Right-click RDP-Tcp and choose Properties
3. On the Logon Settings tab, choose "Always use the following logon information"
4. Leave the User name field blank
5. If the server is joined to a domain and you would like the logon screen to default to the domain, enter the domain name in the Domain field
6. Check "Always prompt for password"
7. Click the OK button

Now your server will prompt for user name and password when users connect via RDP, regardless of their client settings.

Thanks.

-TP

amos wrote:

> Many of our offsite users have saved Remote Desktop Connection (.rdp)
> files saved with the password. Is there any way to have TS 2003 reject
> that kind of login, and ask for it to be manually typed in?

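The logon setting from the steps above is stored in the server's registry, so it can be checked from a script after the change. The PowerShell below is an added example, not part of the original thread; the registry paths, the value names `fPromptForPassword` and `fInheritAutoLogon`, and the rule that a configured policy value takes precedence over the listener setting are assumptions of this example about how Terminal Services stores the option.

```powershell
# Added example: report whether this terminal server re-prompts for a password
# even when the RDP client presents saved credentials.
# Assumed registry locations (not stated in the thread):
#   listener key = what tscc.msc writes for the RDP-Tcp connection
#   policy key   = the computer-level Group Policy equivalent
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PromptForPasswordState {
    $policy   = Get-RegValue $policyKey   'fPromptForPassword'
    $listener = Get-RegValue $listenerKey 'fPromptForPassword'
    $inherit  = Get-RegValue $listenerKey 'fInheritAutoLogon'

    # Assumption: a value set by policy (0 or 1) wins over the listener value.
    if ($null -ne $policy) {
        $source = 'computer policy'
        $prompt = ($policy -eq 1)
    } else {
        $source = 'RDP-Tcp listener (tscc.msc)'
        $prompt = ($listener -eq 1)
    }

    New-Object PSObject -Property @{
        PolicyValue             = $policy     # $null means "not configured"
        ListenerValue           = $listener
        InheritAutoLogon        = $inherit    # raw value, for reference only
        DecidedBy               = $source
        AlwaysPromptForPassword = $prompt
    }
}

$state = Get-PromptForPasswordState
$state | Format-List

if (-not $state.AlwaysPromptForPassword) {
    Write-Warning 'Saved client passwords can still complete the logon on this server.'
}
```

Run it on the terminal server itself from an elevated prompt; it only reads the registry and changes nothing.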
Guest TP Posted July 22, 2008
Re: Any way to force users to log in manually?

Hi Vera,

That hotfix allows you to control whether users are able to save passwords in an .rdp file. This is a useful feature for security purposes on client PCs, but does not affect how the server will respond if a RDP client presents saved credentials.

What is needed is to change the setting on the server.

There is a brilliant individual that maintains an FAQ on such matters, you may want to take a look:

http://tinyurl.com/63s5o8

Thanks.

-TP

Vera Noest [MVP] wrote:

> Yes.
>
> 839918 - Hotfix that lets you control whether a user can save a
> password for Remote Desktop Connection sessions to a terminal server
> in Windows XP or in Windows 2000
> http://support.microsoft.com/?kbid=839918
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___

Guest Vera Noest [MVP] Posted July 22, 2008
Re: Any way to force users to log in manually?

Aaaah, I see. I was thinking about the client side of things only. Thanks, TP!

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TP" <tperson.knowspamn@mailandnews.com> wrote on 22 jul 2008 in microsoft.public.windows.terminal_services:

> Hi Vera,
>
> That hotfix allows you to control whether users are able to save
> passwords in an .rdp file. This is a useful feature for
> security purposes on client PCs, but does not affect how the
> server will respond if a RDP client presents saved credentials.
>
> What is needed is to change the setting on the server.
>
> There is a brilliant individual that maintains an FAQ on such
> matters, you may want to take a look:
>
> http://tinyurl.com/63s5o8
>
> Thanks.
>
> -TP
>
> Vera Noest [MVP] wrote:
>> Yes.
>>
>> 839918 - Hotfix that lets you control whether a user can save a
>> password for Remote Desktop Connection sessions to a terminal
>> server in Windows XP or in Windows 2000
>> http://support.microsoft.com/?kbid=839918

Guest Vera Noest [MVP] Posted July 22, 2008
Re: Any way to force users to log in manually?

"TP" <tperson.knowspamn@mailandnews.com> wrote on 22 jul 2008 in microsoft.public.windows.terminal_services:

> There is a brilliant individual that maintains an FAQ on such
> matters, you may want to take a look:
>
> http://tinyurl.com/63s5o8

LOL :D

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Guest amos Posted July 22, 2008
Re: Any way to force users to log in manually?

In article <ecNh0MA7IHA.5820@TK2MSFTNGP04.phx.gbl>, tperson.knowspamn@mailandnews.com says...

> Hi,
>
> On the server:
>
> 1. Open Terminal Services Configuration (tscc.msc)
> 2. Right-click RDP-Tcp and choose Properties
> 3. On the Logon Settings tab, choose "Always use the following logon information"
> 4. Leave the User name field blank
> 5. If the server is joined to a domain and you would like the logon screen to
> default to the domain, enter the domain name in the Domain field
> 6. Check "Always prompt for password"
> 7. Click the OK button
>
> Now your server will prompt for user name and password when users
> connect via RDP, regardless of their client settings.
>
> Thanks.
>
> -TP

That's almost perfect. The only issue with this approach is that the user has to enter their login as well as the password. But, pretty workable. Thank you.

Guest Jeff Pitsch Posted July 23, 2008
Re: Any way to force users to log in manually?

You apply the setting to the Terminal Server not the end points.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message news:Xns9AE2DF67FD4F8veranoesthemutforsse@207.46.248.16...

> But as I understand it now, neither the users nor the clients are
> part of the domain. Then I don't see how it can be done. Or am I
> missing something?
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 21 jul 2008
> in microsoft.public.windows.terminal_services:
>
>> The GPO is a computer setting not a user setting. Therefore it
>> doesn't matter if the users are part of the domain or not. The
>> GPO will work fine.
>>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Services
>>
>>
>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9AE29E12730veranoesthemutforsse@207.46.248.16...
>>> amos <amos@amos2.com> wrote on 20 jul 2008:
>>>
>>>> In article
>>>> <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
>>>> vera.noest@remove-this.hem.utfors.se says...
>>>>> No, that was not clear from your first post. The users or the
>>>>> clients must belong to your domain, otherwise the GPO won't
>>>>> be applied to them.
>>>>> _________________________________________________________
>>>>> Vera Noest
>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>>> TS troubleshooting: http://ts.veranoest.net
>>>>>
>>>> OK, then is there any way to force 'external' users to have to
>>>> manually enter a password?
>>>
>>> If you don't have any control over the user accounts or the
>>> clients, no, I don't think so. Not without an additional logon
>>> requirement, like smart cards or something like that.
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> *----------- Please reply in newsgroup -------------*