Windows Gatekeeper QAs

Windows Gatekeeper Q&As

Understanding and Enabling the Restricted Admin Mode for RDP

Q: What is the security value of the Restricted Admin mode for RDP that Microsoft includes in Windows 8.1 and Windows Server 2012 R2?

A: When administrators connect to a remote computer using RDP, their credentials are normally stored on the remote computer, which is a security threat if that system has been compromised. Restricted Admin mode for RDP allows administrators to connect to a remote system using RDP, without having to worry about exposing their credentials to system that might be less secure or even compromised.

To use Restricted Admin mode, an additional parameter must be added to the Remote Desktop client application at the command line, as follows:

mstsc.exe /RestrictedAdmin

Restricted Admin mode is disabled by default. You can enable it locally by changing the DisableRestrictedAdmin registry entry on the RDP client. This REG_DWORD entry is located in the HKLM\System\CurrentControlSet\Control\Lsa registry key. If you set DisableRestrictedAdmin to the value of 0, you will enable Restricted Admin mode. When enabled, Restricted Admin mode will be used on all RDP connections from that particular RDP client.

You can also enable Restricted Admin mode centrally using the Restrict delegation of credentials to remote servers Group Policy Object (GPO) setting. This setting is located in the Computer Configuration\Administrative Templates\System\Credentials Delegation GPO container.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.