Step-By-Step: Enabling Restricted Admin Mode for Remote Desktop Connections

Introduced in Windows Server 2012 R2, Restricted Admin mode prevents an attacker who has compromised the remote PC or server from obtaining plain-text credentials, or any other reusable form of credentials, from the RDP session. A connection made in Restricted Admin mode also cannot be used to access any other network resources from that PC or server without re-authenticating. An example of this can be seen in the video below, just before the 59th minute:


First, the target server must be configured to accept Restricted Admin connections before the mode can be used. To do that, we need to add a registry entry.

1)    Log in to the server or PC as an administrator
2)    Start > Run > regedit
3)    Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4)    Add a registry value named DisableRestrictedAdmin, Type: REG_DWORD, Value: 0

NOTE: A reboot is not required to apply the change, and the same registry value can also be deployed via a Group Policy setting.


If this is not done, connecting to the server in Restricted Admin mode fails with an error.


With Restricted Admin mode now enabled on the target, you can connect to it using the RDP client in Restricted Admin mode.


In my testing I am using a member server in the domain and I am logging in with a Domain Admin account.
Now whoami /groups shows that I am a domain admin and an enterprise admin.


Now I am trying to connect to another server, DCP01, using Server Manager.


Then it gives an access denied error, even though I am a Domain Admin.

So yes, with Restricted Admin mode you can’t connect to other network resources, as it is not passing the credentials.
You can also enforce Restricted Admin mode on client computers using a GPO, so that the RDP client on those PCs uses Restricted Admin mode by default.

To do that, in the GPO go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation.
Then set "Restrict delegation of credentials to remote servers" to Enabled.
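As an added example (not code from the original article), the following PowerShell applies the server-side registry step from the list above, reports the current state, and launches the RDP client in Restricted Admin mode. The function names are this example's own; it assumes mstsc's /RestrictedAdmin switch, which is the per-connection counterpart of the GPO setting, and an elevated session on the server for the enable step.

```powershell
# Added example, not code from the original article. The registry path and value name
# are the ones the article lists; the function names are this example's own.
# Enable-RestrictedAdminMode must run in an elevated session on the target server.

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminState {
    # Returns 'Enabled' (value is 0), 'Disabled' (value is non-zero) or
    # 'NotConfigured' (value absent; the article shows connections fail until it is set to 0).
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Enabled' }
    return 'Disabled'
}

function Enable-RestrictedAdminMode {
    # Creates or overwrites the REG_DWORD DisableRestrictedAdmin with data 0 (step 4 above).
    # No reboot is needed, as the article notes.
    $before = Get-RestrictedAdminState
    if ($before -eq 'Enabled') {
        Write-Host "Restricted Admin mode is already enabled on $env:COMPUTERNAME."
        return
    }
    New-ItemProperty -Path $LsaPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host ('{0} on {1}: {2} -> {3}' -f $ValueName, $env:COMPUTERNAME, $before, (Get-RestrictedAdminState))
}

function Connect-RestrictedAdmin {
    # Starts the RDP client with the /RestrictedAdmin switch so that no reusable
    # credentials are sent to the remote host. Expect the access-denied behaviour
    # described above when you then try to reach a second server from that session.
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName", '/RestrictedAdmin'
}

# Typical use: run the first line on the server, the second from an admin workstation.
#   Enable-RestrictedAdminMode
#   Connect-RestrictedAdmin -ComputerName 'SERVER01'   # 'SERVER01' is a placeholder name
```

Running Get-RestrictedAdminState on each server before and after the change gives a quick way to confirm the registry step took effect without rebooting.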

I hope this article helps you understand Restricted Admin mode for RDP and how to use it.