To disable Remote Desktop (RDP) on a Windows Server 2019 Domain Controller (DC) for security hardening, you must use a Group Policy Object (GPO) that specifically targets the Domain Controllers Organizational Unit (OU). Manual changes on a DC are frequently overwritten by the default domain policies.
1. Disable RDP via Group Policy
This is the most effective way to ensure RDP stays off across your domain controllers.
- Open Group Policy Management (gpmc.msc) on any management machine or the DC itself.
- Navigate to the Domain Controllers OU.
- Right-click the OU and select Create a GPO in this domain, and Link it here… (e.g., name it “Disable RDP – DC Hardening”).
- Edit the new GPO and go to: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
- Double-click Allow users to connect remotely by using Remote Desktop Services and set it to Disabled.
- Run gpupdate /force in an admin Command Prompt to apply the change immediately.
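To confirm the steps above took effect on every domain controller, the following audit script is an added example and not part of the original guide. It assumes the RSAT ActiveDirectory module is installed, PowerShell remoting (WinRM) is reachable on the DCs, and that the policy writes fDenyTSConnections = 1 under the Terminal Services policy key, which is what the Disabled setting produces.

```powershell
# Added example: audit that the "Disable RDP" GPO is in effect on every DC.
# Assumptions: RSAT ActiveDirectory module, WinRM reachable on the DCs,
# and an account with administrative rights on them.
Import-Module ActiveDirectory

# Value written by the GPO setting (1 = deny RDP connections).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# The machine's own (non-policy) setting, reported for comparison only.
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        $reg = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            param($policyKey, $localKey)
            [pscustomobject]@{
                Policy = (Get-ItemProperty -Path $policyKey -Name fDenyTSConnections `
                            -ErrorAction SilentlyContinue).fDenyTSConnections
                Local  = (Get-ItemProperty -Path $localKey -Name fDenyTSConnections `
                            -ErrorAction SilentlyContinue).fDenyTSConnections
            }
        } -ArgumentList $policyKey, $localKey
    } catch {
        # Remoting failed: record unknown values so the DC is flagged below.
        $reg = [pscustomobject]@{ Policy = $null; Local = $null }
    }

    # Independent network check: is anything still answering on TCP 3389?
    $open = Test-NetConnection -ComputerName $name -Port 3389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        DomainController = $name
        PolicyValue      = $reg.Policy
        LocalValue       = $reg.Local
        Port3389Open     = $open
        Compliant        = ($reg.Policy -eq 1) -and (-not $open)
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) domain controller(s) still accept RDP or lack the policy value."
    exit 1
}
```

A DC that shows a blank PolicyValue has not processed the GPO yet; run gpupdate /force on it and re-run the audit.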