Enabling Restricted Admin mode for Remote Desktop connections


First we must enable Restricted Admin mode on the target server itself; by default a server refuses Restricted Admin connections. To do that we need to add a registry value on the target.

1)    Log in to the server or PC as an administrator
2)    Start > Run > regedit
3)    Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
4)    Add a registry value named DisableRestrictedAdmin, Type: REG_DWORD, Value: 0 (a value of 1, or no value at all, means Restricted Admin connections are refused)


NOTE: A reboot is not required to apply the change, and the same registry value can also be deployed to many servers via a Group Policy registry setting.


If the above is not done, a Restricted Admin connection to the server is refused with an error.


With Restricted Admin mode now enabled on the target, you can connect to it with the Remote Desktop client in Restricted Admin mode (for example mstsc.exe with the /restrictedAdmin switch):
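The steps above, as an added PowerShell example that is not part of the original post: it sets DisableRestrictedAdmin on the target over WinRM, verifies it, and then launches mstsc in Restricted Admin mode. The server name "DCP02" and the use of Invoke-Command (which requires WinRM and admin rights on the target) are assumptions for illustration.

```powershell
# Added example (not from the original post): enable Restricted Admin on a
# target server and connect to it with mstsc in Restricted Admin mode.
# "DCP02" and the use of Invoke-Command/WinRM are assumptions; run as an
# account that is an administrator on the target.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-RestrictedAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # 0 = Restricted Admin connections accepted; 1 or absent = refused.
        # Takes effect immediately, no reboot needed.
        New-ItemProperty -Path $using:LsaKey -Name DisableRestrictedAdmin `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-RestrictedAdminEnabled {
    param([Parameter(Mandatory)][string]$ComputerName)

    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:LsaKey -Name DisableRestrictedAdmin `
            -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    }
    # $null -eq 0 is $false, so a missing value correctly reports "not enabled".
    return ($value -eq 0)
}

function Connect-RestrictedAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)

    if (-not (Test-RestrictedAdminEnabled -ComputerName $ComputerName)) {
        throw "Restricted Admin is not enabled on $ComputerName; mstsc /restrictedAdmin would be refused."
    }
    # /restrictedAdmin tells the client not to send reusable credentials
    # (password, NT hash, TGT) to the target; the session gets no delegable
    # credentials, which is exactly what the rest of this post demonstrates.
    Start-Process -FilePath mstsc.exe -ArgumentList "/v:$ComputerName", '/restrictedAdmin'
}

Enable-RestrictedAdmin  -ComputerName 'DCP02'
Connect-RestrictedAdmin -ComputerName 'DCP02'
```

The pre-flight check in Connect-RestrictedAdmin is there because the client error on a target that has not been prepared is unhelpful; testing the registry value first tells you which side of the connection is misconfigured.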



In my testing I am using a member server in the domain and logging in with a Domain Admin account.
In the RDP session, whoami /groups shows that I am a member of Domain Admins and Enterprise Admins, so the local token on the target is unchanged.


Now, from inside that session, I try to connect to another server, DCP01, using Server Manager.


It fails with an access denied error even though I am a Domain Admin.

So yes, with Restricted Admin mode you cannot reach other network resources from the session, because your credentials were never sent to the target: any outbound authentication from that session is done with the RDP host's machine account rather than your user account. That is the point of the feature. A compromised target cannot harvest your password, NT hash or Kerberos ticket from LSASS, at the cost of the "second hop" to other servers. The caveat a practitioner should know: because the client no longer has to supply a password, a Restricted Admin-enabled server also accepts an RDP logon from a client that holds only the account's NT hash (pass-the-hash over RDP), so enable it on the servers where credential theft is the bigger risk and keep admin accounts tiered.
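The behaviour described above, as an added example that is not part of the original post: run inside the Restricted Admin RDP session, it shows that the local token still carries the Domain Admins membership while an admin share on another server is refused. "DCP01" is the second server from the text; the share name C$ is an illustrative choice.

```powershell
# Added example (not from the original post): run inside a Restricted Admin
# RDP session to see why the second hop fails. "DCP01" is taken from the
# post; the C$ admin share is an illustrative target.

function Test-OutboundCredentials {
    param([Parameter(Mandatory)][string]$RemoteComputer)

    # The local token is intact: whoami /groups still lists Domain Admins.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $isDomainAdmin = [bool]($groups | Where-Object { $_.'Group Name' -like '*\Domain Admins' })

    # Outbound authentication from this session uses the RDP host's machine
    # account, not the user's credentials, so a remote admin share is refused
    # even for a domain admin. Get-ChildItem is used rather than Test-Path
    # because Test-Path swallows access-denied as a plain $false.
    $share = "\\$RemoteComputer\C$"
    try {
        $null = Get-ChildItem -Path $share -ErrorAction Stop
        $granted = $true
        $message = ''
    } catch {
        $granted = $false
        $message = $_.Exception.Message   # typically "Access is denied"
    }

    [pscustomobject]@{
        User                 = (whoami)
        IsDomainAdminLocally = $isDomainAdmin
        RemoteAdminShare     = $share
        AccessGranted        = $granted
        Error                = $message
    }
}

Test-OutboundCredentials -RemoteComputer 'DCP01' | Format-List
```

If AccessGranted comes back True, the session was not actually opened in Restricted Admin mode (the client switch or policy was not applied) and your credentials are sitting on the target.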
You can also require Restricted Admin mode on the client side using a GPO, so that the Remote Desktop client on those PCs uses Restricted Admin mode by default without the user having to remember the switch.

To do that in the GPO go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation,
then set "Restrict delegation of credentials to remote servers" to Enabled and choose the Restricted Admin option. Note that this only changes what the client will do; every target server still needs the DisableRestrictedAdmin value from the first section, otherwise connections from those clients are refused.
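As an added example (not part of the original post), here is a PowerShell audit of the client-side policy, plus a local equivalent of enabling it, for a lab where you do not want to wait for Group Policy. The key path is the one the "Restrict delegation of credentials to remote servers" policy writes to; the mapping of RestrictedRemoteAdministrationType values to the policy's options is assumed from the CredSsp ADMX and should be confirmed against the policy's Explain text in your environment.

```powershell
# Added example (not from the original post): audit and, for a lab, set the
# client-side policy that makes mstsc use Restricted Admin by default.
# The value-to-option mapping below is an assumption taken from the CredSsp
# ADMX (1 = Require Restricted Admin); confirm it against the policy's
# Explain text before relying on it.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredentialDelegationPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # $p is $null when the key does not exist; switch then falls to default.
    $mode = switch ($p.RestrictedRemoteAdministrationType) {
        1       { 'Require Restricted Admin' }
        2       { 'Require Remote Credential Guard' }
        3       { 'Restrict credential delegation' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        PolicyKeyPresent = (Test-Path $PolicyKey)
        Enabled          = ($p.RestrictedRemoteAdministration -eq 1)
        Mode             = $mode
    }
}

function Set-RequireRestrictedAdmin {
    # Local equivalent of Enabled + "Require Restricted Admin". In production
    # deploy it through the GPO path given above so it cannot be undone by a
    # local admin and so it is reported by gpresult.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministration `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name RestrictedRemoteAdministrationType `
        -PropertyType DWord -Value 1 -Force | Out-Null

    Get-CredentialDelegationPolicy
}

Get-CredentialDelegationPolicy
```

Running Get-CredentialDelegationPolicy on a few admin workstations is a quick way to confirm the GPO actually landed before you rely on it, since a client without the policy will silently fall back to a normal RDP logon and send full credentials to the target.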