A: When administrators connect to a remote computer using RDP, they perform an interactive logon, so their credentials (password-derived secrets such as the NTLM hash and Kerberos tickets) are cached in LSASS on the remote computer. If that system has been compromised, an attacker can harvest those secrets and reuse them elsewhere. Restricted Admin mode for RDP lets administrators open an RDP session without sending their credentials to the remote system, so a less secure or already compromised host has nothing reusable to steal. The trade-off is that the session cannot use the administrator's identity for onward connections (network access from the session is made with the remote computer's account), and because no password is required at logon, an attacker who already holds a user's NTLM hash can use it to RDP to a host where Restricted Admin is enabled (pass-the-hash over RDP). Enable it deliberately, on hosts where that trade-off is acceptable.
To use Restricted Admin mode, the connection must be requested explicitly: an additional switch must be passed to the Remote Desktop client (mstsc.exe) on the command line.
Restricted Admin mode is disabled by default. You enable it on the remote computer that accepts the RDP connection (not on the client) by setting the DisableRestrictedAdmin registry entry. This REG_DWORD entry is located in the HKLM\System\CurrentControlSet\Control\Lsa registry key: a value of 0 enables Restricted Admin mode, and a value of 1 (or a missing entry) disables it. Once enabled, the host accepts Restricted Admin connections from any RDP client that requests them; clients that do not request it still perform a normal interactive logon, and a client that requests Restricted Admin against a host where it is disabled is refused.
You can also require Restricted Admin mode centrally on the clients using the Restrict delegation of credentials to remote servers Group Policy Object (GPO) setting. This setting is located in the Computer Configuration\Administrative Templates\System\Credentials Delegation GPO container. When it is set to require Restricted Admin, every RDP connection from the affected clients is made in Restricted Admin mode, so the target hosts must have DisableRestrictedAdmin set to 0 or the connections will fail.
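The procedure above (allow Restricted Admin on the target, check the client policy, and start the client with the documented /restrictedAdmin switch) as an added PowerShell example. This is not code from the original page; the LSA registry path and the mstsc.exe switch are as documented by Microsoft, while the value names under the CredentialsDelegation policy key are an assumption and should be confirmed against the policy editor on your build.

```powershell
# Added example: configure and use RDP Restricted Admin mode.
# Run the target-side functions on the machine you connect TO (as an administrator);
# run the client-side functions on the machine you connect FROM.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumption: the "Restrict delegation of credentials to remote servers" GPO writes here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# --- Target (RDP server) side ----------------------------------------------

# Returns 'Enabled' when DisableRestrictedAdmin is 0, otherwise 'Disabled'
# (a missing value means disabled, which is the default).
function Get-RestrictedAdminState {
    $item = Get-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.DisableRestrictedAdmin -eq 0) { 'Enabled' } else { 'Disabled' }
}

# Sets DisableRestrictedAdmin to 0 so this host accepts /restrictedAdmin connections.
# Remember the trade-off: an attacker holding a user's NTLM hash can now RDP in
# without the password, so enable this only where that is acceptable.
function Enable-RestrictedAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-RestrictedAdminState) -eq 'Enabled') {
        Write-Verbose 'Restricted Admin mode is already enabled on this host.'
        return
    }
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set DisableRestrictedAdmin = 0')) {
        New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Reverts to the default (disabled). Setting 1 is equivalent to removing the value.
function Disable-RestrictedAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set DisableRestrictedAdmin = 1')) {
        New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# --- Client side -----------------------------------------------------------

# Reports what the Credentials Delegation policy requires of outbound RDP sessions.
# Assumption: RestrictedRemoteAdministration = 1 means the policy is enforced and
# RestrictedRemoteAdministrationType = 1 means "Require Restricted Admin".
function Get-ClientDelegationPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.RestrictedRemoteAdministration -ne 1) { return 'NotConfigured' }
    switch ($p.RestrictedRemoteAdministrationType) {
        1       { 'RequireRestrictedAdmin' }
        default { "Other($($p.RestrictedRemoteAdministrationType))" }
    }
}

# Starts the Remote Desktop client with the /restrictedAdmin switch. No credentials
# are sent to the target; if the target has DisableRestrictedAdmin set to 1 (or
# absent), mstsc.exe reports that the connection was refused.
function Connect-RestrictedAdminRdp {
    param([Parameter(Mandatory)][string]$ComputerName)
    $mstsc = Join-Path $env:SystemRoot 'System32\mstsc.exe'
    Start-Process -FilePath $mstsc -ArgumentList @('/restrictedAdmin', "/v:$ComputerName")
}

# Usage (hypothetical host name):
#   On the target:  Enable-RestrictedAdmin -Verbose ; Get-RestrictedAdminState
#   On the client:  Get-ClientDelegationPolicy ; Connect-RestrictedAdminRdp -ComputerName srv01
```

Once connected, verify the effect from inside the session: mapping a network share with the administrator's own account fails without explicit credentials, because the session holds none to delegate, which is exactly the property Restricted Admin mode is meant to provide.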