I have a Windows 2008 Terminal Server. Terminal Server configuration (licence server, session broker, etc.) is managed by Group Policy. If I want to disable logon via:

change logon /disable

The Error Message: "Connections are currently ENABLED by Group Policy for this machine, unable to change."

Is there a smart way to fix this?

BTW, is there some way to look into the session broker database?


There's a group policy setting that explicitly sets this, located here: Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services -> "Allow users to connect remotely via Terminal Services"

To fix the issue, you need to unset (not 'disable') this on the GPO. After a policy refresh you should get back the ability to control logon availability.
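
A way to confirm, on the Terminal Server itself, that the setting really went back to "Not configured" after the policy refresh. This is an added example, not part of the answer above. It assumes the policy is stored as the fDenyTSConnections value under the Policies key shown below and that the local (non-policy) setting lives under the Control\Terminal Server key; the function names are made up for the example.

```powershell
# Added example, not from the thread. The registry locations below are
# assumptions about where this policy and the local setting are stored.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ValueName = 'fDenyTSConnections'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-TsConnectionPolicyState {
    $policy = Get-RegistryDword -Path $PolicyKey -Name $ValueName
    $local  = Get-RegistryDword -Path $LocalKey  -Name $ValueName

    if ($null -eq $policy) {
        $state  = 'Not configured'
        $advice = 'No GPO value present; local control of logons should be available.'
    } elseif ($policy -eq 0) {
        $state  = 'Enabled (connections forced on)'
        $advice = 'Unset the setting in the GPO, then refresh policy.'
    } else {
        $state  = 'Disabled (connections forced off)'
        $advice = 'Unset the setting in the GPO, then refresh policy.'
    }

    New-Object PSObject -Property @{
        PolicyState = $state
        PolicyValue = $policy
        LocalValue  = $local
        Advice      = $advice
    } | Select-Object PolicyState, PolicyValue, LocalValue, Advice
}

# Refresh policy first so the registry reflects the edited GPO.
gpupdate /target:computer /force | Out-Null
Get-TsConnectionPolicyState | Format-List
```

Run it from an elevated PowerShell prompt. If PolicyState still shows Enabled or Disabled after the refresh, another GPO in scope is still setting the value.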


You can also remove Group Policy's ability to actually apply that setting by setting up the permissions without System. Mark Russinovich has a good article on doing this.

http://blogs.technet.com/b/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx

This is slightly better than a Scheduled Task to change the registry value. I wouldn't call it elegant, though :)

But really, the right way to do this is to either unset the Group Policy (as Chris Thorpe said), or disable inheritance for the server's OU and make another GPO without that particular policy.

EDIT: You can also use WMI filtering to exclude that particular server from receiving the entire policy. Note that if a particular GPO is filtered out, the ENTIRE GPO's policies are not applied. If you go this route, I'd recommend breaking out the Terminal Server connection policy into a new GPO, so the rest of the settings aren't ignored.

Microsoft TechNet info: http://technet.microsoft.com/en-us/library/cc779036(WS.10).aspx

Filtering based on computer name (scroll down for the answer): http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_22864893.html