Deny New User Logons to a Terminal Server

Applies To: Windows Server 2008

You can configure the user logon mode on the terminal server to prevent new user sessions from being created on the terminal server. This capability is new for Windows Server 2008.

You might want to prevent new user sessions from being created on the terminal server when you are planning to take the terminal server offline for maintenance or to install new applications.

You can specify one of the following settings for the user logon mode:

  • Allow all connections

  • Allow reconnections, but prevent new logons

  • Allow reconnections, but prevent new logons until the server is restarted

By default, Allow all connections is selected and is the recommended setting. This allows users to connect remotely to the terminal server to establish a remote session.

If you select Allow reconnections, but prevent new logons, a user who already has a remote session running on the terminal server can reconnect to that session. However, a new user—that is, a user that does not currently have a remote session running on the terminal server—will not be able to connect to the terminal server. If the terminal server is restarted, no users will be able to connect to the terminal server.

If you select Allow reconnections, but prevent new logons until the server is restarted, a user who already has a remote session running on the terminal server can reconnect to that session. However, a new user—that is, a user that does not currently have a remote session running on the terminal server—will not be able to connect to the terminal server. If the terminal server is restarted, the user logon mode will be set to Allow all connections and users will be able to connect to the terminal server.

Use the following procedure to configure the user logon mode on the terminal server.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure the user logon mode on the terminal server

  1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

  2. Under General, double-click User logon mode.

  3. On the General tab of the Properties dialog box, select the user logon mode setting that is most appropriate for your environment, and then click OK.

You can also use the change logon command at a command prompt to configure the user logon mode on the terminal server. For more information about the change logon command-line tool, see the Terminal Services Command Reference (http://go.microsoft.com/fwlink/?LinkId=89674).

If you want to prevent all users—even users with remote sessions running on the terminal server—from being able to connect remotely to the terminal server over a given connection, you can disable the connection. For more information about disabling a connection, see Disable a Terminal Services Connection.

Additional references