Any way to force users to log in manually?

amos
Many of our offsite users have saved Remote Desktop Connection (.rdp)
files saved with the password. Is there any way to have TS 2003 reject
that kind of login, and ask for it to be manually typed in?
 
Re: Any way to force users to log in manually?

Yes.

839918 - Hotfix that lets you control whether a user can save a
password for Remote Desktop Connection sessions to a terminal server
in Windows XP or in Windows 2000
http://support.microsoft.com/?kbid=839918

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

amos <amos@amos2.com> wrote on 19 jul 2008 in
microsoft.public.windows.terminal_services:

> Many of our offsite users have saved Remote Desktop Connection
> (.rdp) files saved with the password. Is there any way to have
> TS 2003 reject that kind of login, and ask for it to be manually
> typed in?
 
Re: Any way to force users to log in manually?

There is a GPO as well that you can set that forces prompt for password.

Jeff Pitsch
Microsoft MVP - Terminal Services


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16...
> Yes.
>
> 839918 - Hotfix that lets you control whether a user can save a
> password for Remote Desktop Connection sessions to a terminal server
> in Windows XP or in Windows 2000
> http://support.microsoft.com/?kbid=839918
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> amos <amos@amos2.com> wrote on 19 jul 2008 in
> microsoft.public.windows.terminal_services:
>
>> Many of our offsite users have saved Remote Desktop Connection
>> (.rdp) files saved with the password. Is there any way to have
>> TS 2003 reject that kind of login, and ask for it to be manually
>> typed in?
 
Re: Any way to force users to log in manually?

Eeeeh, that's exactly what is documented in the KB article...

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 20 jul 2008
in microsoft.public.windows.terminal_services:

> There is a GPO as well that you can set that forces prompt for
> password.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16...
>> Yes.
>>
>> 839918 - Hotfix that lets you control whether a user can save a
>> password for Remote Desktop Connection sessions to a terminal
>> server in Windows XP or in Windows 2000
>> http://support.microsoft.com/?kbid=839918
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> amos <amos@amos2.com> wrote on 19 jul 2008 in
>> microsoft.public.windows.terminal_services:
>>
>>> Many of our offsite users have saved Remote Desktop Connection
>>> (.rdp) files saved with the password. Is there any way to have
>>> TS 2003 reject that kind of login, and ask for it to be
>>> manually typed in?
 
Re: Any way to force users to log in manually?

OK, I've read that and somehow remain unsure about what it means. It's a
server setting that knows enough to disregard the 'save password'
checkbox in the rdc dialog? Remember these are not AD users on a
corporate lan, these are users who are not part of the server domain. I
am pretty sure that you both understood what I was requesting, but I'd
just like to be positive that a user from 'outside' connecting via cisco
vpn who has 'save password' check on their connection, would be forced
to manually log in despite that 'save password' checkbox?

Thanks for your help

In article <Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16>,
vera.noest@remove-this.hem.utfors.se says...
> Yes.
>
> 839918 - Hotfix that lets you control whether a user can save a
> password for Remote Desktop Connection sessions to a terminal server
> in Windows XP or in Windows 2000
> http://support.microsoft.com/?kbid=839918
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> amos <amos@amos2.com> wrote on 19 jul 2008 in
> microsoft.public.windows.terminal_services:
>
> > Many of our offsite users have saved Remote Desktop Connection
> > (.rdp) files saved with the password. Is there any way to have
> > TS 2003 reject that kind of login, and ask for it to be manually
> > typed in?

>
 
Re: Any way to force users to log in manually?

No, that was not clear from your first post. The users or the
clients must belong to your domain, otherwise the GPO won't be
applied to them.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

amos <amos@amos2.com> wrote on 20 jul 2008 in
microsoft.public.windows.terminal_services:

> OK, I've read that and somehow remain unsure about what it
> means. It's a server setting that knows enough to disregard the
> 'save password' checkbox in the rdc dialog? Remember these are
> not AD users on a corporate lan, these are users who are not
> part of the server domain. I am pretty sure that you both
> understood what I was requesting, but I'd just like to be
> positive that a user from 'outside' connecting via cisco vpn who
> has 'save password' check on their connection, would be forced
> to manually log in despite that 'save password' checkbox?
>
> Thanks for your help
>
> In article <Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16>,
> vera.noest@remove-this.hem.utfors.se says...
>> Yes.
>>
>> 839918 - Hotfix that lets you control whether a user can save a
>> password for Remote Desktop Connection sessions to a terminal
>> server in Windows XP or in Windows 2000
>> http://support.microsoft.com/?kbid=839918
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> amos <amos@amos2.com> wrote on 19 jul 2008 in
>> microsoft.public.windows.terminal_services:
>>
>> > Many of our offsite users have saved Remote Desktop
>> > Connection (.rdp) files saved with the password. Is there any
>> > way to have TS 2003 reject that kind of login, and ask for it
>> > to be manually typed in?
 
Re: Any way to force users to log in manually?

In article <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
vera.noest@remove-this.hem.utfors.se says...
> No, that was not clear from your first post. The users or the
> clients must belong to your domain, otherwise the GPO won't be
> applied to them.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
>

OK, then is there any way to force 'external' users to have to manually
enter a password?
 
Re: Any way to force users to log in manually?

amos <amos@amos2.com> wrote on 20 jul 2008:

> In article <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
> vera.noest@remove-this.hem.utfors.se says...
>> No, that was not clear from your first post. The users or the
>> clients must belong to your domain, otherwise the GPO won't be
>> applied to them.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>>

> OK, then is there any way to force 'external' users to have to
> manually enter a password?


If you don't have any control over the user accounts or the
clients, no, I don't think so. Not without an additional logon
requirement, like smart cards or something like that.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
 
Re: Any way to force users to log in manually?

Oh sure, now I'm expected to read the articles lol j/k Vera. I should've
read that article better. I thought the article was talking about a hotfix
to put on the XP machines.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AE17A6BD1F4Cveranoesthemutforsse@207.46.248.16...
> Eeeeh, that's exactly what is documented in the KB article...
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 20 jul 2008
> in microsoft.public.windows.terminal_services:
>
>> There is a GPO as well that you can set that forces prompt for
>> password.
>>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Services
>>
>>
>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9AE0EB6773F2Everanoesthemutforsse@207.46.248.16...
>>> Yes.
>>>
>>> 839918 - Hotfix that lets you control whether a user can save a
>>> password for Remote Desktop Connection sessions to a terminal
>>> server in Windows XP or in Windows 2000
>>> http://support.microsoft.com/?kbid=839918
>>>
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> ___ please respond in newsgroup, NOT by private email ___
>>>
>>> amos <amos@amos2.com> wrote on 19 jul 2008 in
>>> microsoft.public.windows.terminal_services:
>>>
>>>> Many of our offsite users have saved Remote Desktop Connection
>>>> (.rdp) files saved with the password. Is there any way to have
>>>> TS 2003 reject that kind of login, and ask for it to be
>>>> manually typed in?
 
Re: Any way to force users to log in manually?

The GPO is a computer setting not a user setting. Therefore it doesn't
matter if the users are part of the domain or not. The GPO will work fine.

Jeff Pitsch
Microsoft MVP - Terminal Services


"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AE29E12730veranoesthemutforsse@207.46.248.16...
> amos <amos@amos2.com> wrote on 20 jul 2008:
>
>> In article <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
>> vera.noest@remove-this.hem.utfors.se says...
>>> No, that was not clear from your first post. The users or the
>>> clients must belong to your domain, otherwise the GPO won't be
>>> applied to them.
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>>

>> OK, then is there any way to force 'external' users to have to
>> manually enter a password?

>
> If you don't have any control over the user accounts or the
> clients, no, I don't think so. Not without an additional logon
> requirement, like smart cards or something like that.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
 
Re: Any way to force users to log in manually?

But as I understand it now, neither the users nor the clients are
part of the domain. Then I don't see how it can be done. Or am I
missing something?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 21 jul 2008
in microsoft.public.windows.terminal_services:

> The GPO is a computer setting not a user setting. Therefore it
> doesn't matter if the users are part of the domain or not. The
> GPO will work fine.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
>
> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9AE29E12730veranoesthemutforsse@207.46.248.16...
>> amos <amos@amos2.com> wrote on 20 jul 2008:
>>
>>> In article
>>> <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
>>> vera.noest@remove-this.hem.utfors.se says...
>>>> No, that was not clear from your first post. The users or the
>>>> clients must belong to your domain, otherwise the GPO won't
>>>> be applied to them.
>>>> _________________________________________________________
>>>> Vera Noest
>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>> TS troubleshooting: http://ts.veranoest.net
>>>>
>>> OK, then is there any way to force 'external' users to have to
>>> manually enter a password?

>>
>> If you don't have any control over the user accounts or the
>> clients, no, I don't think so. Not without an additional logon
>> requirement, like smart cards or something like that.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> *----------- Please reply in newsgroup -------------*
 
Re: Any way to force users to log in manually?

Yes, sorry for the original post being less than lucid. I thought I had
laid it all out but it was pretty skimpy on my situation. For my
particular situation it's true, the users are widely dispersed, many
will be operating out of home offices, and not part of any lan or
domain. It'd be very cool if the gpo setting did result in any and all
requests for an rd connection to need manual password entry, so it'll be
interesting to see what the upshot is. I may be able to experiment with
the server in question, but that'd not be my first choice.
 
Re: Any way to force users to log in manually?

Hi,

On the server:

1. Open Terminal Services Configuration (tscc.msc)
2. Right-click RDP-Tcp and choose Properties
3. On the Logon Settings tab, choose "Always use the following logon information"
4. Leave the User name field blank
5. If the server is joined to a domain and you would like the logon screen to
default to the domain, enter the domain name in the Domain field
6. Check "Always prompt for password"
7. Click the OK button

Now your server will prompt for user name and password when users
connect via RDP, regardless of their client settings.

Thanks.

-TP

amos wrote:
> Many of our offsite users have saved Remote Desktop Connection (.rdp)
> files saved with the password. Is there any way to have TS 2003 reject
> that kind of login, and ask for it to be manually typed in?
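
Added example, not part of any post in this thread: a PowerShell audit of the server-side "Always prompt for password" option that the steps above set through tscc.msc, with an optional switch to turn it on. The registry paths, the `fPromptForPassword` value name, the policy-over-listener precedence and the function names are assumptions taken from general Windows documentation, not from the thread.

```powershell
# Added example (not from the thread). Audits, and optionally sets, the
# server-side "Always prompt for password" option for the RDP-Tcp listener.
# Assumption: the registry paths and the fPromptForPassword value name come
# from general Windows documentation, not from any post above.
# Run elevated on the terminal server; pass -Enforce to enable the option.
param([switch]$Enforce)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$valueName   = 'fPromptForPassword'

# Hypothetical helper: returns the DWORD as an int, or $null when the key
# or the value does not exist.
function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Hypothetical helper: works out which setting is in effect and where it
# comes from. Assumption: a configured Group Policy value overrides the
# per-listener value written by Terminal Services Configuration.
function Get-PromptForPasswordState {
    $policy   = Get-DwordOrNull -Path $policyKey   -Name $valueName
    $listener = Get-DwordOrNull -Path $listenerKey -Name $valueName

    if ($null -ne $policy) {
        $effective = $policy;   $source = 'Group Policy'
    } elseif ($null -ne $listener) {
        $effective = $listener; $source = 'RDP-Tcp listener'
    } else {
        $effective = 0;         $source = 'default (value absent)'
    }

    New-Object PSObject -Property @{
        Enabled       = ($effective -eq 1)
        Source        = $source
        PolicyValue   = $policy
        ListenerValue = $listener
    }
}

$state = Get-PromptForPasswordState

if (-not $state.Enabled -and $Enforce) {
    if ($state.Source -eq 'Group Policy') {
        # A local edit would be overwritten at the next policy refresh.
        Write-Warning 'Policy sets the value to 0; change the GPO instead.'
    } else {
        New-ItemProperty -Path $listenerKey -Name $valueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
        $state = Get-PromptForPasswordState
    }
}

$state | Format-List Enabled, Source, PolicyValue, ListenerValue

if (-not $state.Enabled) {
    Write-Warning 'Server accepts credentials saved in client .rdp files.'
    exit 1
}
```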
 
Re: Any way to force users to log in manually?

Hi Vera,

That hotfix allows you to control whether users are able to save
passwords in an .rdp file. This is a useful feature for security
purposes on client PCs, but does not affect how the server
will respond if a RDP client presents saved credentials.

What is needed is to change the setting on the server.

There is a brilliant individual that maintains an FAQ on such
matters, you may want to take a look:

http://tinyurl.com/63s5o8

Thanks.

-TP

Vera Noest [MVP] wrote:
> Yes.
>
> 839918 - Hotfix that lets you control whether a user can save a
> password for Remote Desktop Connection sessions to a terminal server
> in Windows XP or in Windows 2000
> http://support.microsoft.com/?kbid=839918
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
 
Re: Any way to force users to log in manually?

Aaaah, I see. I was thinking about the client side of things only.
Thanks, TP!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TP" <tperson.knowspamn@mailandnews.com> wrote on 22 jul 2008 in
microsoft.public.windows.terminal_services:

> Hi Vera,
>
> That hotfix allows you to control whether users are able to save
> passwords in an .rdp file. This is a useful feature for
> security purposes on client PCs, but does not affect how the
> server will respond if a RDP client presents saved credentials.
>
> What is needed is to change the setting on the server.
>
> There is a brilliant individual that maintains an FAQ on such
> matters, you may want to take a look:
>
> http://tinyurl.com/63s5o8
>
> Thanks.
>
> -TP
>
> Vera Noest [MVP] wrote:
>> Yes.
>>
>> 839918 - Hotfix that lets you control whether a user can save a
>> password for Remote Desktop Connection sessions to a terminal
>> server in Windows XP or in Windows 2000
>> http://support.microsoft.com/?kbid=839918
 
Re: Any way to force users to log in manually?

"TP" <tperson.knowspamn@mailandnews.com> wrote on 22 jul 2008 in
microsoft.public.windows.terminal_services:

> There is a brilliant individual that maintains an FAQ on such
> matters, you may want to take a look:
>
> http://tinyurl.com/63s5o8


LOL :D
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: Any way to force users to log in manually?

In article <ecNh0MA7IHA.5820@TK2MSFTNGP04.phx.gbl>,
tperson.knowspamn@mailandnews.com says...
> Hi,
>
> On the server:
>
> 1. Open Terminal Services Configuration (tscc.msc)
> 2. Right-click RDP-Tcp and choose Properties
> 3. On the Logon Settings tab, choose "Always use the following logon information"
> 4. Leave the User name field blank
> 5. If the server is joined to a domain and you would like the logon screen to
> default to the domain, enter the domain name in the Domain field
> 6. Check "Always prompt for password"
> 7. Click the OK button
>
> Now your server will prompt for user name and password when users
> connect via RDP, regardless of their client settings.
>
> Thanks.
>
> -TP

That's almost perfect. The only issue with this approach is that the
user has to enter their login as well as the password. But, pretty
workable. Thank you.
 
Re: Any way to force users to log in manually?

You apply the setting to the Terminal Server not the end points.

Jeff Pitsch
Microsoft MVP - Terminal Services


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AE2DF67FD4F8veranoesthemutforsse@207.46.248.16...
> But as I understand it now, neither the users nor the clients are
> part of the domain. Then I don't see how it can be done. Or am I
> missing something?
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote on 21 jul 2008
> in microsoft.public.windows.terminal_services:
>
>> The GPO is a computer setting not a user setting. Therefore it
>> doesn't matter if the users are part of the domain or not. The
>> GPO will work fine.
>>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Services
>>
>>
>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9AE29E12730veranoesthemutforsse@207.46.248.16...
>>> amos <amos@amos2.com> wrote on 20 jul 2008:
>>>
>>>> In article
>>>> <Xns9AE1DFE4CAB3Everanoesthemutforsse@207.46.248.16>,
>>>> vera.noest@remove-this.hem.utfors.se says...
>>>>> No, that was not clear from your first post. The users or the
>>>>> clients must belong to your domain, otherwise the GPO won't
>>>>> be applied to them.
>>>>> _________________________________________________________
>>>>> Vera Noest
>>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>>> TS troubleshooting: http://ts.veranoest.net
>>>>>
>>>> OK, then is there any way to force 'external' users to have to
>>>> manually enter a password?
>>>
>>> If you don't have any control over the user accounts or the
>>> clients, no, I don't think so. Not without an additional logon
>>> requirement, like smart cards or something like that.
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> *----------- Please reply in newsgroup -------------*
 