
I've tried going into group policy and enabling/disabling some of the relevant policies but I still see this:

[screenshot]

It doesn't matter that I check Remember me & enter the correct password.

The credentials are stored locally but aren't being used:

[screenshot]

I am connecting from Windows 10 to Windows 7.

gpupdate output:

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\> gpupdate.exe
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Grabbing the GPRESULT /H GPReport.html


Registry    Failed  12/12/2017 4:06:01 PM
Registry failed due to the error listed below.

Unspecified error

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 12/12/2017 4:06:01 PM and 12/12/2017 4:06:01 PM.

GPReport.html contains:

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy  Setting Winning GPO
Always prompt for password upon connection  Enabled {ID}, domain.com

However, in the group policy editor:

[screenshot]

How do I force disable that policy?


5 Answers

3

This is happening because the machine from which you are attempting to initiate the Remote Desktop Connection does not allow saving NTLM-only style credentials. This typically occurs when the computer initiating the Remote Desktop connection is in a different domain or workgroup than the computer being connected to.

You can override this behavior and enable saving RDP credentials by modifying the Allow Delegating Saved Credentials with NTLM-only Server Authentication Group Policy setting. It is found at:

Computer Configuration/Administrative Templates/System/Credentials Delegation

This policy must be modified on the machine that initiates the RDP connection (or must affect said machine if delivered via domain Group Policy).

To enable saving RDP credentials for all remote servers, enable the GP setting and in the Add servers to the list: setting within the policy, add the value TERMSRV/* as shown here:

[screenshot]

If you instead only wish to enable delegation of credentials to a specific remote computer, enter it in the format TERMSRV/COMPUTERNAME. You may provide multiple values to configure multiple remote computers.
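The same change as an added example, not code from the answer above: it writes the "Allow delegating saved credentials with NTLM-only server authentication" policy to the registry location the Group Policy editor itself uses (HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation), and reads it back. It has to run from an elevated PowerShell on the client that initiates the connection; the host names are placeholders. Note that this only relaxes the client side: a server-side "Always prompt for password upon connection" policy, which is the setting the question's GPReport shows as winning from the domain GPO, still forces a prompt regardless of what the client is allowed to delegate.

```powershell
# Added example, not part of the original answer: configure the client-side
# "Allow delegating saved credentials with NTLM-only server authentication"
# policy directly in the registry. Run elevated on the machine that initiates
# the RDP connection. Host names are placeholders.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey   = Join-Path $policyKey 'AllowSavedCredentialsWhenNTLMOnly'

function Enable-SavedNtlmCredentialDelegation {
    param(
        # SPN-style targets; 'TERMSRV/*' covers every RDP host
        [string[]]$Targets = @('TERMSRV/*')
    )
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey | Out-Null }

    # Policy state "Enabled" = 1; ConcatenateDefaults merges the OS default list in
    New-ItemProperty -Path $policyKey -Name 'AllowSavedCredentialsWhenNTLMOnly' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'ConcatenateDefaults_AllowSavedNTLMOnly' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Recreate the list subkey so it holds exactly $Targets; the editor stores
    # the entries as REG_SZ values named 1, 2, 3, ...
    Remove-Item -Path $listKey -Recurse -ErrorAction SilentlyContinue
    New-Item -Path $listKey | Out-Null
    $i = 1
    foreach ($target in $Targets) {
        New-ItemProperty -Path $listKey -Name "$i" -PropertyType String -Value $target -Force | Out-Null
        $i++
    }
}

function Get-SavedNtlmCredentialDelegation {
    # Read back what is configured; Enabled = $false covers "Not Configured" and "Disabled"
    $enabled = $false
    $targets = @()
    if (Test-Path $policyKey) {
        $enabled = (Get-ItemProperty -Path $policyKey).AllowSavedCredentialsWhenNTLMOnly -eq 1
    }
    if (Test-Path $listKey) {
        $key = Get-Item -Path $listKey
        $targets = @($key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{ Enabled = $enabled; Targets = $targets }
}

# Usage: allow saved credentials for two specific hosts, then show the result.
Enable-SavedNtlmCredentialDelegation -Targets 'TERMSRV/SERVNAME1', 'TERMSRV/SERVNAME2'
Get-SavedNtlmCredentialDelegation | Format-List
```

Run gpupdate /force afterwards. If the client is domain-joined and a domain GPO configures the same policy, Group Policy overwrites these values at the next refresh, so the change then has to be made in that GPO instead.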

3

The IT team in my company has disabled the use of saved credentials, I have tried the solutions of TheKingOfScandinavia and "I say Reinstate Monica" but they do not work for me.

Instead I have resorted to a very low-tech solution: a PowerShell script that opens the Remote Desktop window, waits, types in the password and presses Enter.

I find the solution ugly but it does the job; it saves me logging into 5 machines manually every day to ensure that our service account is logged in.

Here is my powershell script: automaticMachineLogin.ps1

You just have to set your machine names, username and password

Set-PSDebug -Trace 0
$servers = @("SERVNAME1", "SERVNAME2", "SERVNAME3")
$username = "YOURUSERNAME"   # not used by the script itself
# read the password from a file, or have it hardcoded
#$pw = Get-Content C:\pw.txt
$pw = "YOURPASSWORD"

echo "password read from file: " $pw

# log in with remote desktop
foreach ($server in $servers) {
    mstsc /v:$server

    # wait X seconds for the window to appear
    Start-Sleep -Seconds 5

    # create a COM object to send key strokes
    $wshell = New-Object -ComObject wscript.shell

    # send the password
    $wshell.SendKeys($pw)

    # wait 1 second
    Start-Sleep -Seconds 1

    # send Enter; '~' is the SendKeys special character for Enter
    $wshell.SendKeys('~')
    Start-Sleep -Seconds 1
}

# optionally kill the remote connections at the end, since all I want is to log the user in;
# this is probably not required for others
# kill all the remote desktop tasks, i.e. named mstsc.exe
Start-Sleep -Seconds 1
taskkill /IM "mstsc.exe" /F

Note that if you need to send special characters other than Enter, here is the full list, in case you need special keys like Shift, Alt, etc.: https://docs.microsoft.com/en-us/previous-versions/office/developer/office-xp/aa202943(v=office.10)?redirectedfrom=MSDN

2

I can't comment to ask a clarifying question, so I'm forced to write this as an answer:

At [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services] is there a REG_DWORD named fPromptForPassword entry with the value of 1?

On my Windows 7 client, this setting is set to 1, and I am allowed to save my password when I connect to the remote host.

As far as I can read from this, the value is to be set to 0 on the client if the client is not supposed to be allowed to store the credentials.

Alternatively, a similar question was answered detailed here: https://superuser.com/a/140322/115387

2

This drove me crazy tonight, so I wanted to post my results that worked in my environment.

RoyalTS error - The server's authentication policy does not allow connection requests using saved credentials.

Change the following Local GPO settings to "Not Configured".

  1. Edit: Local Group Policy Editor -> Local Security Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
  2. Set client connection encryption level - Enabled (High Level)
    a. Changed to - Not Configured
  3. Always prompt for password upon connection - Enabled
    a. Changed to - Not Configured
  4. Require secure RPC communication - Enabled
    a. Changed to - Not Configured
  5. From an elevated command prompt
    a. Run: "gpupdate /force"
  6. The system should now accept saved password for login via RDP.
  7. Test by running RSOP from an elevated command prompt
    a. verify changed settings do not exist
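An added example, not code from any of the answers: it lists the three Remote Desktop Session Host security policies named in the answer above (including the fPromptForPassword value the earlier answer asks about), showing the value Group Policy wrote under the Policies key next to the value the RDP-Tcp listener is actually running with. It runs on the RDP server, which is where these settings take effect; the registry paths are the ones the policy and the listener use, and no other assumptions are made.

```powershell
# Added example, not code from the original answers: compare the Group Policy
# value of each RDS security setting with the effective RDP-Tcp listener value.
# Run on the RDP server (the Windows 7 host in the question).

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Policy name as shown in the Group Policy editor and the registry value it writes
$settings = @(
    @{ Policy = 'Always prompt for password upon connection'; Value = 'fPromptForPassword' },
    @{ Policy = 'Set client connection encryption level';     Value = 'MinEncryptionLevel' },
    @{ Policy = 'Require secure RPC communication';           Value = 'fEncryptRPCTraffic' }
)

function Get-RdpSecurityPolicyState {
    $policy   = if (Test-Path $policyKey)   { Get-ItemProperty -Path $policyKey }   else { $null }
    $listener = if (Test-Path $listenerKey) { Get-ItemProperty -Path $listenerKey } else { $null }

    foreach ($s in $settings) {
        $name = $s.Value
        # No value under the Policies key means the policy is Not Configured
        $gpo = if ($policy)   { $policy.$name }   else { $null }
        $eff = if ($listener) { $listener.$name } else { $null }
        New-Object PSObject -Property @{
            Policy        = $s.Policy
            RegistryValue = $name
            GpoValue      = $gpo
            ListenerValue = $eff
            EnforcedByGpo = ($null -ne $gpo)
        }
    }
}

Get-RdpSecurityPolicyState |
    Format-Table Policy, RegistryValue, GpoValue, ListenerValue, EnforcedByGpo -AutoSize
```

If GpoValue is populated while the local Group Policy editor shows the setting as Not Configured, the value came from a domain GPO (the "Winning GPO" in GPReport.html) and will be written again at the next refresh, so changing the local policy, as the answer above does, only sticks on a machine that no domain GPO covers. fPromptForPassword = 1 on the server makes it discard whatever password the client sends, which is what produces the "authentication policy does not allow connection requests using saved credentials" message.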
1

I followed what Franck Mesirard wrote on using PowerShell, but I added the following since my password did have special characters.

#enclose any special characters in {} in the password
$pw = $pw -replace '([^\w\s])', '{$1}'
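The following is an added example, not code from either of the two answers it builds on: the same mstsc/SendKeys automation as the PowerShell answer above, with the password stored DPAPI-protected for the current user instead of in clear text on disk, and with the escaping from the last answer narrowed to the characters the linked SendKeys documentation gives a special meaning (+ ^ % ~ ( ) { } [ ]). The server names and the location of the secret file are assumptions.

```powershell
# Added example, not code from the original answers: RDP auto-login with the
# password kept DPAPI-encrypted (ConvertFrom-SecureString) and escaped for
# SendKeys. Server names and the secret file path are placeholders.

$servers    = @('SERVNAME1', 'SERVNAME2')
$secretFile = Join-Path $env:LOCALAPPDATA 'rdp-autologin.secret'

function Save-RdpPassword {
    # Prompt once; ConvertFrom-SecureString encrypts with DPAPI, bound to this user on this machine
    param([string]$Path = $secretFile)
    Read-Host -Prompt 'Password' -AsSecureString | ConvertFrom-SecureString | Set-Content -Path $Path
}

function Read-RdpPassword {
    # Decrypt back to plain text only at the moment it is needed
    param([string]$Path = $secretFile)
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function ConvertTo-SendKeysLiteral {
    # SendKeys treats + ^ % ~ ( ) { } [ ] specially; wrap each one in braces
    param([string]$Text)
    $Text -replace '([+^%~(){}\[\]])', '{$1}'
}

function Connect-AndLogin {
    param([string]$Server, [string]$Keys)
    $wshell = New-Object -ComObject WScript.Shell
    Start-Process -FilePath mstsc.exe -ArgumentList "/v:$Server"
    Start-Sleep -Seconds 5          # wait for the credential prompt to appear
    $wshell.SendKeys($Keys)         # types into whatever window has focus
    Start-Sleep -Seconds 1
    $wshell.SendKeys('~')           # Enter
    Start-Sleep -Seconds 1
}

if (-not (Test-Path $secretFile)) { Save-RdpPassword }
$keys = ConvertTo-SendKeysLiteral (Read-RdpPassword)
foreach ($server in $servers) { Connect-AndLogin -Server $server -Keys $keys }
# Optional, as in the original script: Stop-Process -Name mstsc -Force
```

Run it once interactively to create the secret file; the file is useless to anyone else because DPAPI ties it to this user account on this machine, though the password is still in the process's memory in clear text while it is typed. SendKeys goes to the focused window, so leave the keyboard alone while the loop runs, or the password ends up in whatever application is in front.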