- Select a category.
Do not allow local administrators to customize permissions
This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server.
You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes.
If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only.
If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider.
Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group.
Registry Information
| Vendor | Microsoft |
|---|---|
| Product | Terminal Server |
| Category | Remote Desktop Services › Remote Desktop Session Host › Security |
| Applies to | Computer Configuration |
| Supported on | Windows NET |
| Registry Key | [HKLM]SOFTWAREPoliciesMicrosoftWindows NTTerminal Services |
| Value Name | fWritableTSCCPermTab |
| Type | REG_DWORD |
| Enabled value | 0 |
| Disabled value | 1 |
Registry File (.reg)
Windows Registry Editor Version 5.00
; Enable the policy
[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTTerminal Services]
"fWritableTSCCPermTab"=dword:00000000
; Disable the policy
[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTTerminal Services]
"fWritableTSCCPermTab"=dword:00000001PowerShell
# Enable the policy
Set-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindows NTTerminal Services" -Name "fWritableTSCCPermTab" -Value 0 -Type DWord
# Disable the policy
Set-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindows NTTerminal Services" -Name "fWritableTSCCPermTab" -Value 1 -Type DWord