
How to Connect to a Windows 8.1 or Server 2012 R2 Remote Desktop Using Restricted Admin Mode

I’d like to use Restricted Admin mode to connect to a Windows 8.1 Remote Desktop. How can I do that?

Windows 8.1 and Windows Server 2012 R2 contain a series of enhancements designed to protect Windows against pass-the-hash (PtH) attacks. Password hashes are stored on disk and in memory, and if compromised, they can be used by hackers to gain access to systems without the user’s plaintext password.

A new feature that helps prevent this kind of attack in Windows 8.1 and Server 2012 R2 is the option to connect to Remote Desktops without sending credentials across the network. As such, credentials are never present on the remote box, which in turn reduces the risk of credential compromise if the remote machine is infected with malware designed.

Usage scenarios

An example of when Remote Desktop Restricted Admin mode might come in handy is when connecting from a trusted management PC to a remote device that doesn’t have the same level of trust and is more likely to be infected with a virus. In this case, the helper’s credentials are less likely to be compromised when connecting to the remote machine because they are never sent to or stored on the remote device.

Does that mean I don’t need to worry about using privileged credentials for everyday support work?

Despite the welcome PtH mitigations in Windows 8.1 and Remote Desktop Restricted Admin mode, it is still best practice not to use privileged credentials, such as local or domain administrator accounts, for everyday computing tasks or supporting other users on your network.


Connect using Restricted Admin mode

Restricted Admin mode is enabled with a command-line switch. All you need to do is make sure you are connecting to and from Windows 8.1 or Server 2012 R2. When the /restrictedadmin switch is used, Windows tries to log you on to the remote box interactively. One disadvantage is that you might not be able to hop from the remote session to other PCs or networked services.

Open a command prompt, type mstsc /restrictedadmin and press ENTER to connect to a remote Windows 8.1 or Server 2012 R2 device using Restricted Admin mode. Once the Remote Desktop Connection app has opened, you can connect as normal.
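The following PowerShell script is an added example, not part of the original article: it checks the version requirement described above on both ends before launching the connection. The $ComputerName parameter and the Get-OsVersion helper are names chosen for this example, /v: is the standard mstsc switch for naming the target, and the remote version query assumes WinRM is reachable on the target (the script warns and continues if it is not).

```powershell
# Added example: preflight the OS requirement, then connect in Restricted Admin mode.
param(
    [Parameter(Mandatory = $true)]
    [string] $ComputerName    # target host, supplied by the caller
)

# Windows 8.1 and Server 2012 R2 both report OS version 6.3.
$minimum = [version]'6.3'

# Helper for this example: returns the OS version of the local machine,
# or of a remote machine when -Name is given (the remote query uses WinRM).
function Get-OsVersion {
    param([string] $Name)
    $query = @{ ClassName = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
    if ($Name) { $query.ComputerName = $Name }
    [version](Get-CimInstance @query).Version
}

# The article requires Windows 8.1 / Server 2012 R2 on the connecting side.
$localVersion = Get-OsVersion
if ($localVersion -lt $minimum) {
    throw "Local OS version $localVersion is older than $minimum."
}

# Check the target as well when it can be queried. A failed query is not
# fatal: WinRM may simply be disabled, so warn and let mstsc try.
$remoteVersion = $null
try {
    $remoteVersion = Get-OsVersion -Name $ComputerName
} catch {
    Write-Warning "Could not query ${ComputerName}: $($_.Exception.Message)"
}
if ($remoteVersion -and $remoteVersion -lt $minimum) {
    throw "$ComputerName runs OS version $remoteVersion, older than $minimum."
}

# Launch the Remote Desktop client against the target with the switch set.
Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName", '/restrictedadmin'
```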


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
