i found the solution. It was at the same time both subtle, and obvious.
As mentioned in the question, when i was modifying the following Remote Desktop Connection Client Group Policy settings:
- Prompt for credentials on the client computer
- Do not allow passwords to be saved
i was checking them on the server:
i thought it would be the server that dictates what the client is allowed to do. Turns out that is completely wrong. It was @mpy's answer (while incorrect), which led me to the solution. i shouldn't be looking at the RDP client policy on the RDP server, i need to look at the RDP client policy on my RDP client machine:
On my client Windows 7 machine, the policy was:
- Do not allow passwords to be saved: Enabled
- Prompt for credentials on the client computer: Enabled
i do not know when these options were enabled (i did not enable them in recent memory). The confusing part is that even though
Do not allow passwords to be saved
is Enabled, the RDP client would still save password; but only for servers below Windows Server 2008.
The truth table of functioning:
Do not allow saved Prompt for creds Works for 2008+ servers Works for 2003 R2- servers
================== ================ ======================= ==========================
Enabled Enabled No Yes
Enabled Not Configured No No
Not Configured Enabled Yes Yes
Not Configured Not Configured Yes Yes
So there is the trick. The group policy settings under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client
on the client machine need to be configured with:
- Do not allow passwords to be saved: Not Configured (critical)
- Prompt for credentials on the client computer: Not Configured
The other source of confusion is that while
- a domain Enabled policy cannot override a local Disabled
- a domain Disabled policy can be overridden by a local Enabled policy
Which again leads to a truth table:
Domain Policy Local Policy Effective Policy
============== ============== ==============================
Not Configured Not Configured Not configured (i.e. disabled)
Not Configured Disabled Disabled
Not Configured Enabled Enabled
Disabled Not Configured Disabled
Disabled Disabled Disabled
Disabled Enabled Disabled (client wins)
Enabled Not Configured Enabled
Enabled Disabled Enabled (domain wins)
Enabled Enabled Enabled
You can follow the answer https://superuser.com/a/719819/750636, it works also for Windows 10 (I have Win 10 Home).
It's basically about adding a builtin group Remote Desktop Users (which is different from if you add group manually with net localgroup
add command, even if it has same name). Then you can add your common non-admin users to that group using net localgroup
command.
Also don't forget, that you need temporarily to elevate your permissions to merge new values into registry. You can do it in regedit on key HKEY_LOCAL_MACHINE\SAM\SAM
(right-click on key node -> Permissions -> select Administrators -> check Full Control -> OK). After merging the .reg file into registry, you better remove Full Control permissions of Adminitrators group from that key node.
Also there is a good guide summary on RdpWrap github. They use PsExec to start regedit as System user, which is also good, because you don't need change any permission in regedit.
Best Answer
Instead of editing the User Rights Assignment on your workstations, consider using a Group Policy Preference (GPP) setting to modify the membership of the Remote Desktop Users group. By default, anyone that is a member of this group will be granted permission to establish a RDC connection to the machine.
Edit the membership of the Remote Desktop Users group with a Group Policy Preference (GPP) setting as follows:
Computer Configuration/Preferences/Control Panel Settings
Right-click Local Users and Groups and choose New > Local Group
Set Action: to Update
The advantage of this method is that you can easily grant/revoke Remote Desktop permissions by modifying a user's membership in the My Remote Desktop Users group, instead of having to edit Group Policy to set a new User Rights Assignment policy then wait for it to propagate to your workstations.
Further, edits to the User Rights Assignment policy are not cumulative. In other words, if you have two Group Policies that modify that policy, only one will have an effect. On the other hand, multiple GPPs can be specified to modify the membership of the Remote Desktop Users group.