A new feature has been added to RDP 8.1, currently available in Windows 8.1 preview and Windows Server 2012 R2. The feature is called Restricted Admin (mstsc /RestrictedAdmin).
The description taken from the mstsc client:
“…/restrictedAdmin -- Connects you to the remote PC or server in Restricted Administration mode. In this mode, credentials won’t be sent to the remote PC or server, which can protect you if you connect to a PC that has been compromised. However, connections made from the remote PC might not be authenticated by other PCs and servers, which might impact app functionality and compatibility. Implies /admin…”
The parameter can be added at the command prompt as follows:
or in the GUI, as shown below:
When using the above method the following error message occurs:
After clicking OK, you can still continue, so I’m assuming this is a bug in the preview release.
With the RestrictedAdmin option, the credentials you connect with are not passed to your session. This prevents you from connecting to other resources from within that session, even if you are, for example, a member of the Domain Admins group.
I did a quick test and connected with my Windows Surface Pro running Windows 8.1 to a Windows Server 2012 R2 with my domain admin credentials and the /RestrictedAdmin switch enabled.
Upon browsing to the administrative share \\dc01-demo\c$ on the domain controller I was presented with an access denied:
It’s an interesting feature; I could think of some “delegation of control” scenarios where this might be useful.
There is a very detailed blog here by Kurt Falde that brought this to my attention. If you’re interested, it’s a good read!
What do you think about the feature? Is it useful for your environment or your customers’ environment? I’d be happy to hear about that!