"Do not display last username" with Remote Desktop on Server 2008
I just deployed my first Server 2008 box in our internal environment for
testing. We do nearly all management via remote desktop. One of our
corporate security policies is to NOT show the last logged on user, to
prevent information disclosure of our admin usernames. We use a GPO in our
domain to control the "Interactive logon: Do not display last username"
setting to set it to ENABLED for all servers. This works on all Server 2003
boxes flawlessly. The Server 2008 box works when you are at the physical
console, but when you remote desktop, you are presented with the "logon
icons" where you can select the last user or "other user." This behavior
violates our corporate security policy.
I double checked the setting by running rsop.msc. The policy is being
applied and is set to "ENABLED." I also checked the Local Security Policy,
which shows it set to enabled as well, and the little "policy" icon is there
to show group policy governs this setting (so it is not changeable).
Is there a new setting specific to terminal services? I went to the
Terminal Services administrative template and didn't see anything there that
might be helpful. I also went to the Terminal Services Configuration MMC,
nothing was helpful there either.
I'm thoroughly lost here, because from what I read, all you need to do is
set the "Do not display last user name" and all will be well. But it's not
working.
Re: "Do not display last username" with Remote Desktop on Server 2008
If you fill in the username in the mstsc/remote desktop window, it will be
automatically saved on the local machine, so make sure that the username
is not set there if you close mstsc/remote desktop. Leave the username field
empty.
Re: "Do not display last username" with Remote Desktop on Server 2008
Hi guys I SOLVED THIS ...
please read point 2 of this article ... - Good luck!
Re: "Do not display last username" with Remote Desktop on Server 2008
Hi Elmoro,
I can't see your solution for the interactive logon in your post. What did you do to fix this?
Thanks!
Re: "Do not display last username" with Remote Desktop on Server 2008
Hey, I spent quite a while figuring this one out.
The last username information is actually stored locally on the client side, not on the 2008 server. This information is held in the
\MyDocuments\Default.rdp file and in the registry at
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default. You will find a bunch of MRU keys that you should delete. You should also delete the keys in HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers.
Good news is the display of the last username can also be controlled on the server side.
Go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
In the window that appears, right-click on the item in the "Connections window" and click Properties. In the "Log on settings" tab, check the middle option, "Always use the following logon information", and leave every field blank. Click Apply, then OK. Log out and log back in. The last username should be gone from the RDP screen.
You really have two choices in how to handle this:
1) Delete RDP file and registry items on the client every time it is used for RDP
OR
2) Make the changes on the server to ignore the client's supplied logon info.
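
An added example, not part of any post in this thread: a PowerShell function that reports the client-side RDP history named in the last reply (MRU values under Default, the per-server subkeys under Servers, and Default.rdp) and removes it only when asked. The function name Get-RdpClientHistory is hypothetical; the UsernameHint value and the "username:s:" line are not mentioned in the thread and are where the RDP client normally keeps the last username.

```powershell
# Added example. Run as the user whose RDP history is being checked (HKCU is per-user).
function Get-RdpClientHistory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)   # without -Remove the function only reports

    $base    = 'HKCU:\Software\Microsoft\Terminal Server Client'
    $default = Join-Path $base 'Default'
    $servers = Join-Path $base 'Servers'
    # Default.rdp is a hidden file in the current user's Documents folder
    $rdpFile = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'

    # 1. MRU0, MRU1, ... values under Default: recently used host names
    if (Test-Path $default) {
        $key = Get-Item $default
        foreach ($name in @($key.GetValueNames() | Where-Object { $_ -like 'MRU*' })) {
            [pscustomobject]@{ Type = 'MRU'; Item = $name; Value = $key.GetValue($name) }
            if ($Remove -and $PSCmdlet.ShouldProcess("$default\$name", 'Remove value')) {
                Remove-ItemProperty -Path $default -Name $name
            }
        }
    }

    # 2. One subkey per server under Servers; UsernameHint holds the last username typed
    if (Test-Path $servers) {
        foreach ($sub in @(Get-ChildItem $servers)) {
            [pscustomobject]@{ Type = 'Server'; Item = $sub.PSChildName; Value = $sub.GetValue('UsernameHint') }
            if ($Remove -and $PSCmdlet.ShouldProcess($sub.PSPath, 'Remove key')) {
                Remove-Item -Path $sub.PSPath -Recurse
            }
        }
    }

    # 3. Default.rdp can carry a saved "username:s:" line
    if (Test-Path -LiteralPath $rdpFile) {
        $user = Get-Content -LiteralPath $rdpFile -Force | Where-Object { $_ -match '^username:s:' }
        [pscustomobject]@{ Type = 'RdpFile'; Item = $rdpFile; Value = ($user -join '; ') }
        if ($Remove -and $PSCmdlet.ShouldProcess($rdpFile, 'Remove file')) {
            Remove-Item -LiteralPath $rdpFile -Force
        }
    }
}

Get-RdpClientHistory | Format-Table -AutoSize   # report only
# Get-RdpClientHistory -Remove -WhatIf          # preview what would be deleted
# Get-RdpClientHistory -Remove                  # delete the history
```

The client recreates these entries on the next connection, so this corresponds to choice 1 above and has to be repeated after each session.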