How to restrict nested remote desktop sessions?

[Guest]

I need to find a way to block out nested remote desktop sessions on Windows
2003 servers... for example, if a user makes a remote desktop connection from
his XP workstation over to server "A", and then from that remote session,
makes a subsequent remote desktop connection over to server "B". I want to be
able to force the user to only go directly from his workstation to each
server via remote desktop, but I don't to prohibit remote desktop sessions
from server "A" to server "B" when you're sitting at server A's physical
console. Is this possible? All users of remote desktop sessions have to log
in as local administrator too, because of the stupid way the application
running on each server was written.

 

[Vera Noest [MVP]]

The easiest way to achieve this is by changing the NTFS permission
on mstsc.exe on the server.
But that won't work if your users are local Administrators, and
they really shouldn't be! If they are, you have far more problems
ahead of you than users starting nested rdp sessions.

I understand that some applications don't work out-of-the-box on a
TS, but it should *never* be necessary to make users
Administrators.

Instead, download FileMon and RegMon from
http://www.sysinternals.com/. Run them as administrator (when no
user is connected), start a TS session as a normal user and try to
run the application.

FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions on
a file-to file or Registry subkey basis.