Windows 7 Remote Desktop Connection Save Credentials not working
Solution 1:
i found the solution. It was at the same time both subtle, and obvious.
As mentioned in the question, when i was modifying the following Remote Desktop Connection Client Group Policy settings:
- Prompt for credentials on the client computer
- Do not allow passwords to be saved
i was checking them on the server:
i thought it would be the server that dictates what the client is allowed to do. Turns out that is completely wrong. It was @mpy's answer (while incorrect), which led me to the solution. i shouldn't be looking at the RDP client policy on the RDP server, i need to look at the RDP client policy on my RDP client machine:
On my client Windows 7 machine, the policy was:
- Do not allow passwords to be saved: Enabled
- Prompt for credentials on the client computer: Enabled
i do not know when these options were enabled (i did not enable them in recent memory). The confusing part is that even though "Do not allow passwords to be saved" is Enabled, the RDP client would still save passwords, but only for servers below Windows Server 2008.
The truth table of functioning:
Do not allow saved  Prompt for creds  Works for 2008+ servers  Works for 2003 R2- servers
==================  ================  =======================  ==========================
Enabled             Enabled           No                       Yes
Enabled             Not Configured    No                       No
Not Configured      Enabled           Yes                      Yes
Not Configured      Not Configured    Yes                      Yes
So there is the trick. The group policy settings under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client
on the client machine need to be configured with:
- Do not allow passwords to be saved: Not Configured (critical)
- Prompt for credentials on the client computer: Not Configured
The other source of confusion is that while
- a domain Enabled policy cannot override a local Disabled
- a domain Disabled policy can be overridden by a local Enabled policy
Which again leads to a truth table:
Domain Policy   Local Policy    Effective Policy
==============  ==============  ==============================
Not Configured  Not Configured  Not configured (i.e. disabled)
Not Configured  Disabled        Disabled
Not Configured  Enabled         Enabled
Disabled        Not Configured  Disabled
Disabled        Disabled        Disabled
Disabled        Enabled         Disabled (client wins)
Enabled         Not Configured  Enabled
Enabled         Disabled        Enabled (domain wins)
Enabled         Enabled         Enabled
Solution 2:
Since the direct answer to the question is already there, I'll suggest an alternative approach.
Remote Desktop Connection Manager (RDCMan) is a tool written by Julian Burger and used internally at Microsoft. It's very lightweight and free, and in my opinion it greatly improves productivity, especially when you maintain many connections. And yes, it stores passwords too (in an XML configuration file).
Advantages:
- You can organize connections in hierarchies, which inherit properties (e.g. credentials, color settings, resolution).
- All configuration, including hashed passwords, is stored in one file - easy to move between computers.
- Lightweight, free, reliable.
Disadvantages:
- Some people don't like the navigation menu on the left when not in full screen mode. Personally, I got used to it quickly.
Screenshot from the article:
How Sysadmins RDP efficiently using Remote Desktop Connection Manager
Solution 3:
The most detailed answer is already there, made by the asker. I only want to note that this problem may also happen when the client computer's OS is a home SKU, so no local GP editor may be available, nor is a domain policy in effect. Nevertheless, the client may act as if the policy to always ask for a password is set (I don't know what causes such a default; maybe some installed program?).
Then, it is useful to set the policy registry setting manually (MS RDP client checks it; you may find it using a tool like procmon). It is here:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"PromptForCredsOnClient"=dword:00000000
"DisablePasswordSaving"=dword:00000000
Solution 4:
Reading through your questions, I stumbled over this Group Policy setting, "Prompt for credentials on the client computer", which you disabled.
MS Technet gives the following explanation on this setting:
Prompt for credentials on the client computer
This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to a terminal server.
If you enable this policy setting, a user will be prompted on the client computer—instead of on the terminal server—to provide credentials for a remote connection to a terminal server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials.
Note If you enable this policy setting and a user is prompted on both the client computer and on the terminal server to provide credentials, run the Terminal Services Configuration tool on the terminal server, and in the Properties dialog box for the connection, clear the Always prompt for password check box on the Log on Settings tab.
If you disable or do not configure this policy setting, the version of the operating system on the terminal server will determine when a user is prompted to provide credentials for a remote connection to a terminal server. For Windows 2000 and Windows Server 2003, a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008, a user will be prompted on the client computer to provide credentials for a remote connection.
That sounds exactly like the scenario you are facing. You want to save the credentials on the client machine, so just enable the "Prompt for credentials on the client computer" setting.
Solution 5:
In my case, the issue was that the *.rdp file downloaded from Microsoft Azure had the following line:
prompt for credentials:i:1
Normally checking 'save credentials' would change that line, but for some reason it also comes marked as 'read-only'.
Unmarking it as 'read-only' and changing the line to
prompt for credentials:i:0
in notepad fixed the issue.
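An added example (not code from any of the answers above): a PowerShell audit of the client-side settings that Solutions 3 and 5 point to. It reads the two policy values under the registry key quoted in Solution 3 and reports the `prompt for credentials` line and read-only flag of `.rdp` files; the function names and the Downloads folder scanned at the end are assumptions.

```powershell
# Added example, not from the original answers. Function names are hypothetical.
# Registry key and value names are the ones quoted in Solution 3.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpClientPolicy {
    # One object per policy value; an absent key or value means 'Not Configured'.
    foreach ($name in 'DisablePasswordSaving', 'PromptForCredsOnClient') {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $state = 'Not Configured'
        if ($null -ne $item) {
            $state = if ($item.$name -eq 1) { 'Enabled' } else { 'Disabled' }
        }
        New-Object PSObject -Property @{ Policy = $name; State = $state }
    }
}

function Get-RdpFilePrompt {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Reports the 'prompt for credentials' setting and read-only flag of one .rdp file.
    $file = Get-Item -LiteralPath $Path
    $line = Get-Content -LiteralPath $Path |
        Where-Object { $_ -match '^\s*prompt for credentials:i:\d+\s*$' } |
        Select-Object -Last 1
    $value = $null
    if ($line -match ':i:(\d+)') { $value = [int]$Matches[1] }
    New-Object PSObject -Property @{
        File                 = $file.FullName
        PromptForCredentials = $value   # $null when the line is absent
        ReadOnly             = $file.IsReadOnly
    }
}

# Policy state on this client (run on the RDP client, not the server, per Solution 1).
Get-RdpClientPolicy | Select-Object Policy, State | Format-Table -AutoSize

# Assumption: downloaded .rdp files live in the user's Downloads folder.
$rdpDir = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $rdpDir -Filter *.rdp -ErrorAction SilentlyContinue |
    ForEach-Object { Get-RdpFilePrompt -Path $_.FullName } |
    Select-Object File, PromptForCredentials, ReadOnly | Format-Table -AutoSize
```

The script only reads settings, so it can be run without elevation to see which of the conditions described in the answers applies before changing anything.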