Do not allow local administrators to customize permissions

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2003, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista

This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group.

This policy has no additional user input fields.

• Computer
  Always prompt for password upon connection

  At least Windows Server 2003 operating systems or Windows XP Professional
• Computer
  Disconnect remote session on lock for legacy authentication

  Windows 11 22H2 SERVER
• Computer
  Disconnect remote session on lock for Microsoft identity platform authentication

  Windows 11 22H2 SERVER
• Computer
  Enable Microsoft Entra ID Authentication Enforcement

  At least Windows 11 Version 24H2
• Computer
  Require secure RPC communication

  At least Windows Server 2003
• Computer
  Require use of specific security layer for remote (RDP) connections

  At least Windows Vista
• Computer
  Require user authentication for remote connections by using Network Level Authentication

  At least Windows Vista