As consultants, we are constantly using remote desktop to connect to servers and workstations in a remote fashion. If the boxes we're trying to connect to are Microsoft servers or workstations, then using Microsoft's Remote Desktop is a breeze. (In Windows 2000 days the feature was called Terminal Services in Remote Administration mode.)

My problem with the RDP (Remote Desktop Protocol) process was connecting to a remote machine if the server was deployed without having the little checkbox checked next to the option Enable Remote Desktop on this Computer. See this dialog box below – this is from looking at the Properties of my server and choosing the Remote tab.

So, if a server is deployed like this, you can't remotely connect to it via the RDP protocol with the remote desktop application. Now, you can physically connect to the server to enable the checkbox option, but sometimes that's inconvenient or impossible.

Attempting to connect to a machine using Microsoft's remote desktop connection when the remote feature has been left off (by default the remote desktop box is not checked) reveals this error message:

So, in this article I'll show you how to remotely enable this checkbox. Once the box has been "checked" so-to-speak, then you can remotely connect using Microsoft's remote desktop application.

The solution is to use a different machine to connect to the "un-touchable" machine's registry to "enable" this checkbox. Let's say I'm sitting at my XP Pro workstation and I need to remotely administer the Windows Server 2003 machine at 10.0.0.10. This is the scenario.

First, I need to open the registry editor on my local workstation. So I click Start and type REGEDIT on the run line. I now need to select the Connect Network Registry option from the File menu like you see me doing below.

This menu opens the Select Computer search dialog box. Now, I need to either browse Active Directory to locate the remote server, or simply type its name in the textbox labeled Enter the object name to select.

After clicking OK, a node will be displayed in the Registry Editor tool for this remote server I'm trying to connect to.

Now I browse to the location listed below from the node just added to the Editor:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

From the Terminal Server key, I look for the REG_DWORD value named fDenyTSConnection.

I Double-click on that value to open the Edit DWORD Value box and change the data from a 1 to a 0. The default value of 1 means that Terminal Services is in fact being denied – hence the reason I couldn't connect. Changing the value to a 0 means to NOT deny Terminal Services.

Choosing OK will complete this process of not denying Terminal Services which in effect "checks the box" I spoke of earlier.

But, I'm not done yet. One last step to perform to complete this process is I need to reboot the server I'm trying to connect to. Obviously this cannot be performed during critical times the server is needed. But, when the time is right I can remotely reboot the box using Microsoft's Shutdown command. This command will – when switches are used correctly – will allow me to remotely reboot the server. When the server comes back up again, I can now successfully connect to this server.

The command to remotely reboot the server is:

Shutdown –m \\server_name –r

I enter the correct server name in place of my "server_name" text, or I can enter it's IP address instead. If I enter it's name, I will not enter it's fully-qualified domain name – just its NetBIOS name. The –r switch tells the tool to restart the server instead of truly shutting it down. This switch is critical for obvious reasons. There are tons of options I can use with this command. One nice switch is the switch to have the shutdown process start in a value of time. The –t xxx switch will allow me to schedule the shutdown in xxx number of seconds. Usually a value of 30 for 30 seconds works well.

Once the server is back up and running, I'll have no problem using Microsoft's remote desktop to access the server. Of course, I must have proper permissions to do so.

One last observation I've noticed using this handy trick – the process I've described here works exactly as described when the server I'm trying to remotely connect to has never had its remote connectivity options enabled – such as on a brand-new machine. A reboot is required to fully complete this process. However, once the server has been restarted, you can always remotely connect to the server using REGEDIT in the same manner I've described here to remotely change the fDenyTSConnection option back to a value of 1. This will once again render the server so no one can remotely connect using remote desktop software. Once this value is set back to a 1 – and even when you later come back and change the value again back to a 0 from the 1 value – you will no longer have to reboot the server. It's only the very first time a change is made to the registry keys will you have to reboot the server. Therefore, after the first time you can easily switch back and forth with the 0 or 1 values to turn on or off the remote connectivity and not have to affect the operation of the server.

Mark Myers

Senior Consultant