Step-By-Step: Enabling Restricted Admin Mode for Remote Desktop Connections
Introduced in Windows Server 2012 R2, Restricted Admin mode addresses the risk of an attacker recovering plain-text credentials, or any other reusable form of them, from the remote PC or server. A connection made in Restricted Admin mode also cannot reach any other network resource from that PC or server without re-authenticating. An example of this can be seen in the video below, just before the 59th minute:
First we must prepare the target server before Restricted Admin mode can be used. To do that we need to add a registry entry.
1) Log in to the server or PC as an administrator
2) Start > Run > regedit
3) Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4) Add a value named DisableRestrictedAdmin, Type: REG_DWORD, Value: 0
NOTE: A reboot is not required to apply the change, and the setting can also be published via a Group Policy setting.
If the above is not done, connecting to the server in Restricted Admin mode produces the following error:
With Restricted Admin mode now enabled on the target, you can connect to it using one of the following methods:
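The registry change above, scripted so it can be applied and verified consistently across servers. This is an added example, not code from the original article; it assumes an elevated PowerShell session on the target server and uses only the key, value name and data the article gives.

```powershell
# Added example (not from the original article): enables Restricted Admin mode on
# the target server by creating the DisableRestrictedAdmin REG_DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa with data 0, then reads it back.
# Run in an elevated PowerShell session on the server itself.

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DisableRestrictedAdmin'

function Get-RestrictedAdminState {
    # Returns 'Enabled' when the value exists with data 0, 'Disabled' when it is
    # non-zero, and 'NotConfigured' when the value is absent.
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 0) { return 'Enabled' } else { return 'Disabled' }
}

function Enable-RestrictedAdmin {
    # -Force overwrites an existing value; PropertyType DWord matches REG_DWORD.
    # No reboot is required (as the article notes).
    New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-RestrictedAdminState
Write-Host "Restricted Admin mode before: $before"

if ($before -ne 'Enabled') {
    Enable-RestrictedAdmin
}

$after = Get-RestrictedAdminState
Write-Host "Restricted Admin mode after:  $after"
if ($after -ne 'Enabled') { throw "Failed to enable Restricted Admin mode on $env:COMPUTERNAME" }
```

The Get-RestrictedAdminState function is also useful on its own as an audit check: run it (or the same Get-ItemProperty call) on a fleet of servers to see which ones will accept Restricted Admin connections and which will still return the error shown below.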
In my testing I am using a member server in the domain and logging in with a Domain Admin account.
whoami /groups now shows that I am a Domain Admin and an Enterprise Admin.
Next I try to connect to another server, DCP01, using Server Manager.
It gives an access denied error even though I am a Domain Admin.
So yes, with Restricted Admin mode you can't connect to other network resources, because the session is not carrying your credentials.
You can enable Restricted Admin mode for computers using a GPO. RDP clients on those PCs will then use Restricted Admin mode by default.
To do that, in the GPO go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation
Then set Restrict delegation of credentials to remote servers to Enabled.
I hope this article helps you understand Restricted Admin mode for RDP and how to use it.
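A client-side check to go with the GPO setting above. This is an added example, not code from the original article. It assumes that the "Restrict delegation of credentials to remote servers" policy writes a RestrictedRemoteAdministration REG_DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation (my understanding of the policy's registry backing; confirm it against the CredSsp.admx on your own system), and that `mstsc.exe /restrictedAdmin` is the per-connection way to request the mode when the policy is not applied. DCP01 is the server name from the article's test and is a placeholder here.

```powershell
# Added example (not from the original article): checks, on a client PC, whether
# the "Restrict delegation of credentials to remote servers" policy has been applied,
# then launches an RDP session in Restricted Admin mode explicitly.
# Assumption: the policy is backed by the RestrictedRemoteAdministration value under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation. $Server is a
# placeholder hostname taken from the article's test; replace it with your own.

param(
    [string]$Server = 'DCP01'   # placeholder; the name used in the article's test
)

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policyName = 'RestrictedRemoteAdministration'

function Test-RestrictedAdminPolicy {
    # Returns $true when the GPO has written the value with data 1.
    $p = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.$policyName -eq 1)
}

if (Test-RestrictedAdminPolicy) {
    Write-Host "GPO applied: mstsc will use Restricted Admin mode by default."
} else {
    Write-Host "GPO not applied on this PC; passing /restrictedAdmin explicitly."
}

# /restrictedAdmin is the mstsc.exe switch that requests Restricted Admin mode for
# this one connection regardless of the policy state; /v names the target server.
Start-Process -FilePath 'mstsc.exe' -ArgumentList "/restrictedAdmin /v:$Server"
```

Running the script from a PC where the GPO has applied reports the policy as present and still passes the switch, so the behaviour is the same either way; the point of the check is to tell you whether an ordinary `mstsc` launch on that PC would already be protected.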