So the caveat to this article is that this is specifically for Windows Servers. If you’re trying to enable multiple RDP sessions on Windows 10 or 11, you’ll need to do some further googling to find out how to do that – as this alone won’t be enough.
Enable Multiple RDP Sessions
Log into the server you are trying to enable multiple Remote Desktop sessions on.
Click on the start menu button, type “gpedit.msc” and open it.
I ran into this last week when I was helping someone “fix” their server. They couldn’t reach, or ping, their host, and when running an “ipconfig /all” command it was returning that the machine’s IP was ‘duplicate’.
Worth Noting: So sometimes when a server reports that its’ IP is a ‘duplicate’ it can be a DHCP mishap. It can happen when a server is assigned a static IP that is within a DHCP pool, and because there was no reservation, DHCP hands the IP out to some other machine. Thus two machines are trying to use the same, duplicate, IP address. When that happens you’ll need to resolve it by creating an IP reservation for the “correct” machine, and then releasing the IP from the machine that “incorrectly” took the IP from the pool so it can be assigned a new IP.
The machine I was fixing lived in a subnet that did not use DHCP and only had machines that were statically assigned their IPs in it. So the possible resolution mentioned above did not fit my scenario. So, what could it be? Well if you have a static IP set, and the DHCP service is enabled, Windows likes to give you an address on the 169.x.x.x network. Which just breaks the ip traffic on your server. Here’s how to fix it…
Step 1.
Open a command prompt
Step 2. Enter
"ipconfig /all"
Find what your system’s preferred IP is and if autoconfiguration is enabled, and the name of the interface that they are on. You will need this for the next step.
Step 3. Enter
netsh interface ipv4 show interface
Find the index number that is assigned to the interface you identified in the step above, you will need it in the next step.
Step 4.
Run the command below, but replace ’69’ with the index number that you identified in the step above.
netsh interface ipv4 set interface 69 dadtransmits=0 store=persistent
Step 5. Enter
services.msc
Disable the DHCP Client service. If you ever revert from a static IP back to a DHCP IP, you will need to re-enable this service and set it back to automatic.
Step 6.
Restart your computer. After your system reboots, its static IP should now be the correct IP you had configured on it, and your IP traffic to/from it should be back to normal.
Congratulations, autoconfiguration has been disabled.
So if you know anything about managing Windows systems then you know about GPOs. In my honest opinion, GPOs are one of the greatest tools available in Windows. GPOs let you administratively manage all aspects of your computers. You can literally set about 99.9999% of any settings you ever wanted to configure on a computer.
One of the things that make GPOs so great is that it is expandable in that you can add new administrative templates as you add new software to your workstations in your domain. So not only can you manage just about any Microsoft or Windows setting, but you can also add in templates for third-party software from most of the big software venders and enterprise applications, as well as add new templates when new Microsoft releases new OSes and software.
The biggest downside of GPOs is that they can feel like a daunting wall when you first get started implementing them simply because there are sooo many settings that you can potentially configure – where to begin!?! And how do you figure out where to set some of those really odd settings. Well don’t worry, I don’t know anyone that remembers exactly where each setting is. For me, there are two resources that I regularly use to help me find the settings that I want to configure.
This is an official Microsoft tool that lets you search all of the various settings that are available to you in all Microsoft products. It’s a great resource to find where things are set just by using a keyword. Think of it as “Bing” (or “Google”) for GPOs. Out of these two links, this site is the easiest to navigate when looking specifically for Microsoft and Windows settings.
This site includes all of the Microsoft settings, but where it really shines is all of the third-party software settings it has indexed for you. If need to figure out where to set something in Chrome or Adobe or any other software, this site has you covered.
So this last site is just a bonus as it is not exactly a GPO site, but it comes in handy. It’s a way to convert registry settings into powershell commands that you can run. Paste your reg key into it and it will spit out the corresponding PS command for it.
So here’s the scenario, you’ve RDP-ed into a server and you want to change your password. You try to hit CRTL+ATL+DEL but instead of it getting sent to the remote computer, it opens on your local machine. Blah! That is not what we want… How do we get to a place where we can change the password for the account that was used in the RDP session?
One way to send it within the RDP session is to launch the on-screen keyboard. To launch it, simply click on the ‘Start Menu’ and type “osk”, then click on the result to open the keyboard. With the OSK on screen, press and hold “CTRL+ALT” on your physical keyboard, and click “DEL” on the virtual keyboard button.
The easiest way to bring up the menu from where you can change your password is to press CRTL+ALT+END in the RDP window. Now if you are RDP-ed from a mac, you’ll need to do a CRTL+ALT+Fn+Backspace or CRTL+ALT+Fn+Right-Arrow to bring up the menu.
Sometimes things happen and a password gets forgotten or lost, or in the worst case it wasn’t updated in your password management tool after it was changed. We’ve likely all had to bug another admin to reset our password for one system or another. It happens. But what happens if you are the lone Domain Admin and lock yourself out? Luckily, there is a way to get back in if you do get locked out.
Download the Windows Server 2016 ISO.
Attach the ISO to your DC virtual machine.
Reboot the VM into the ISO
Select: Repair your Computer -> Troubleshoot -> Command Prompt
At the command prompt, run the following commands:
cd c:\Windows\System32
ren osk.exe osk.old
copy c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe osk.exe
Reboot the Server.
Launch the on-screen keyboard and PowerShell will open
At the Powershell prompt, run the following command, replacing <PASSWORD> with the password of your choice:
Net user Administrator <PASSWORD>
Revert file changes in your System32 folder, renaming ‘osk.old’ back to ‘osk.exe’.
And there you have it folks, you are now able to log back in with your Domain Admin account. This works because while the DC does not have a local Administrator account, it somehow realizes that and resets the Domain Admin. Yes it is a little bit of black magic fuckery in that regard… But it worked and got you back in, so who are we to complain.
This is a bit of a long post, so I apologize in advance… Sorry, but not sorry. There are a lot of things that you can customize in a RDS / RD Web Access deployment.
I’m doing these edits, or customizations on a Windows Server 2019 deployment, they should [in theory] work though on RDS deployments as far back as Windows Server 2012/R2, though your mileage may vary – see disclaimer below.
Standard disclaimer… Make sure to backup folders and files before you start making changes. I’m not responsible for anything you break, you’ve been warned.
Eliminate “/RDWeb” from the RDS URL
When adding the RD Web Access role on your remote desktop gateway or broker, it will auto-magically create the RDWeb website in IIS for you.
RDS sets up the the url for your site in the following format: “rds.playswellwithflavors.com/RDWeb” or “example.com/RDWeb”. However, you likely are not using this IIS host to serve up any other webpages other that RDS Web Access… So you probably want to eliminate the need for user to have to enter that “/RDWeb” at the end of the url. And make it appear as just “rds.playswellwithflavors.com” or “example.com”.
Microsoft makes this very easy to accomplish with a simple redirect in IIS.
Open IIS.
Click on the ‘Default Web Site’ in the left-side pane.
Click on ‘HTTP Redirect’ in right-side pane.
Check the box for ‘Redirect requests to this destination’. Enter in the field under it: /RDWeb
Click ‘Apply’.
Restart IIS
Test your website to confirm that you can reach it with the base url, without the “/RDWeb” appended at the end.
Password Reset Link
This customization will edit the Web Access Login Page to add a password reset link where users can change their AD passwords from the main login page.
Open IIS
In the left-hand pane, drill down into “Server”->”Sites”->”Default Site”->”RDWeb”->”Pages”
Double-click on “Application Settings” in the right-hand pane.
Find the value “PasswordChangeEnabled” and double-click on it. Edit it to ‘True’.
Click ‘Ok’.
Now that we edited that value to ‘true’, if the user’s password expires they will be prompted to change their password. That’s handy, right!? Well, if you liked that, then let me tell you that it is possible to go one step further and make a link on the main page for them to reset their password, anytime.
Open the following folder: %windir%\Web\RDWeb\
Since we are going to be editing stuff here, make a backup copy of the “Pages” folder.
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Right-click on the file “login.aspx” and select ‘Edit’.
With the file open, press “Ctrl+F” and then search for “userpass”.
Scroll down under the table that “userpass” is in. This is where we want to add our password reset link. Copy the code below and paste it into your file, then save and close it.
<tr>
<td align="right">
Click <a href="password.aspx" target="_blank">here</a> to reset your password.
</td>
</tr>
Reload the page in your browser to view the password reset link.
Change “Domain\user name” to “Email”
At the Web Access login page, I like to change the prompt for “Domain\user name” to “Email Address”. Call me cynical, but I find that users can remember their email address, but will almost always call and ask what to put as the domain. I like to just change this to what the user will understand and prevent them from needing to call me.
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “login.aspx” and select ‘Edit’.
Look for “L_DomainUserNameLabel_Text” on line 21.
Change the value “Domain\\user name:” to “Email Address:”.
Look for “L_DomainNameMissingLabel_Text” on line 30.
Change the value “You must enter a valid domain name.” to “You must enter a valid email address.”
Save and close the file.
Reload the page in your browser to view the change.
Change the “Work Resources” text on the Login page
This will let you customize the text displayed with your logo in the upper left corner of the RDWeb login page.
Open an administrator PowerShell window on the RD Connection Broker.
Enter the following command: Set-RDWorkspace -Name "<YourBrandingHere>"
Reload the page in your browser to view the change.
Changing the RD Logos
You can brand your RD Web Access page with your company logo. There are two logos you can change. One is in the upper left corner, and the other one is smaller and in the upper right corner.
Take your logo image and resize it into two .png files with the names and dimensions specified below;
logo_01.png – 16pixels x 16pixels
logo_02.png – 48pixels x 48pixels
Now open the folder: %windir%\Web\RDWeb\Pages\images\
Make sure that you have already made a backup copy of the “Pages” folder.
Copy and paste the your logo image files into this folder.
Open IIS and restart the service.
Reload the page in your browser to view the change.
The “logo_01.png” file will replace the icon in the upper right corner.
The “logo_02.png” file will replace the icon in the upper left corner.
Change the “To protect against” message
This is the message on the login page that is beneath the “Sign In” button. You can customize it to your own message.
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “login.aspx” and select ‘Edit’.
Look for “L_TSWATimeoutLabel_Text” on line 43.
Modify that value there to include your custom message.
Save and close the file.
Reload the page in your browser to view the change.
Change the RD Workspace name and other text
You can customize other text displayed on your RDWeb login page. Things like the page title and other small branding type changes…
Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “RDWAStrings.xml” and select ‘Edit’.
Make changes as desired to reflect what you want displayed;
PageTitle, line 3
HeadingRDWA, line 10
HeadingApplicationName, line 11
Help, line 12
Reload the page in your browser to view the change.
Note: Chrome based browsers like to cache these… Use a private browsing tab, or flush your browser cache if the changes are not appearing after reloading the page.
Remove ‘Help’ Link
This will remove the ‘Help’ link on the RDWeb login page that links to this MS documentation.
Now open the folder: %windir%\Web\RDWeb\Pages\
Make sure that you have already made a backup copy of the “Pages” folder.
Right-click on the file “site.xsl” and select ‘Edit’.
Press ‘Ctrl+G’ and enter 150, to go to line 150
Select and then delete lines 150-158.
Open IIS and restart the service.
Reload the page in your browser to view the change.
Change the Server Logo on Login Page
You can remove the “Server 2012” or “Server 2016” or “Server 2019” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It won’t do much overall… But perhaps it’ll make a malicious person have to work a tad bit harder to determine what you’re OS you are on.
Replace the following image: %windir%\web\rdweb\pages\images\WS_h_c.png
Change the Microsoft Logo on Login Page
You can remove the “Microsoft” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It doesn’t hurt anything being there, but if you’re cleaning up and editing the branding of your site, why would you leave this logo on it?
Replace the following image: %windir%\web\rdweb\pages\images\mslogo_black.png
If I come across other customization tips I’ll add them here…
BGinfo is a great utility/tool that I really like and I literally have on every server I deploy. It is totally customize-able and able to display whatever system information that you feel is important to you, right on the desktop background making it easy to see at a glance. It could be used to display anything from the server’s name, IP addresses, hard drive usage, memory usage, OS version, or even the user that you are currently logged in as.
Create a folder, c:\utilities\, and make sure that all users have read and write access to it.
Move the BGInfo utility into the c:\utilities\ folder. I also like to place any other Sysinternals utilities that I am using into this c:\utilities\ folder.
Run the BGinfo utility and take a few minutes to configure what information you wish to be displayed on your background. Then save your configuration to the c:\utilities\ folder.
Create a shortcut to either Bginfo.exe (if you are on a 32-bit machine) or Bginfo64.exe (if are on a 64-bit machine).
Edit the target of that shortcut to include the name of your BGinfo configuration file. In the picture below I’ve named mine “c:\utilities\mybgconfig.bgi”.
A few more handy suggestions to include in your shortcut’s target are:
/timer:0 – to avoid the typical UI popup
/nolicprompt – to make sure new users are not prompted with the EULA
/silent – to silence and errors
Which would result with the target field looking like:
Follow my article about finding the startup folder in Windows, and make a copy of your shortcut into that startup folder. I prefer to copy the shortcut to the “Common Startup” folder, that way it will launch for any user that logs into the machine… But it’s up to you if you want to put it in the “User Startup” or “Common Startup” folder.
Now it’s time to test it out! Try logging out and then logging back in.
In recent years Microsoft has moved around where they “hide” the startup folder. That’s the folder that gets used to launch applications that start automatically when the user logs in. It’s not necessary hard to find, but it is well hidden.
There’s actually two places that startup folder lives. Each user has their own startup folder that will launch programs specific to that user. And there is also a common startup folder which will launch programs for any and all users that log into that machine.
How to find the users’ individual startup folder
Right click on the start menu and select ‘Run’.
Type “shell:startup” and click ok.
The startup folder will open, and you can drag-and-drag and shortcuts or applications you need into.
If you need to manually dive thru folders to get to the user’s startup folder, go to, but remember to change “<USER>” to the one you’re looking for:
Most companies will use a certificate to sign their applications before they release their software to the world. This helps the user know to that the software they are running actually came from the software vendor, and hasn’t been altered or changed by someone.
Certificates are based on key pairs. There is a public key, and a private key. In terms of digitally signing an application, the public key is often just referred to as the Certificate.
How it works, in simpified terms… The software vendor holds a private key, and they guard it, keeping it safe in their organization. You can also think of is their fingerprint that they’ll use when signing something as it is unique. The public key is what we can see. Using a hash in the digitally signed application, we can use their public key, to see is if the hash value can be verified. If it checks out then we know that the digital signature is valid. If it doesn’t, well then we know the signature has been altered.
The I’ll show you below how you can pull the public half of the Certificate from an application. In this example we’ll pull Adobe’s certificate from Adobe Reader DC.
Right click on the application you want the signature of and select “Properties”
Click the “Digital Signature” tab, select the signature, then click the “Details” button.
Note: If you do not see the “Digital Signature” tab, then the file is not digitally signed.
Click the “View Certificate” button.
Click the “Details” tab and then select the “Copy to File” button.
Follow the “Certificate Export Wizard”.
After completing the export wizard, you’ll have the digital signature certificate of the digitally signed application.
Was beginning the introduction of Windows Server 2019 to a work environment and ran into some hurdles that were easily cleared, but want to share…
To begin with, you need to have a Volume Licensing agreement with Microsoft. We did and so I jumped into the MS Volume Licensing Service Center (VLSC) portal to grab our Client Specific Volume License Key (CSLVK) Key Management Service (KMS) key.
The CSLVK KMS key is what gets loaded into the KMS server. It’s basically your volume license key that gets hosted internally. The servers and desktops then use a Generic Volume License Key (GVLK) which let the machine know it needs to find and activate against an internal KMS resource and not go out to activate against Microsoft’s servers.
Apparently even if you have the Volume Licensing agreement, MS doesn’t automatically issue the CSLVK KMS key to you in your portal. You actually have to call them, verify some info, and have them generate a key for you which will then show up in your portal. The whole process took just under 5 minutes for me, and I was able to verify that I saw the key in my portal while I was still on the phone with MS.
To contact them I called 1-866-230-0560, option 4, option 1. That got me directly in contact with a representative that was able to issue the key. (Note: Menu options may change, I called in February 2020)
Jumping back into my KMS server, i tried to import the key directly into VAMT, also known as the Volume Activation Management Tool. This failed. I tried a couple more times, I even reinstalled the VAMT tool from the ADK toolkit. Nothing worked. Apparently though, I found out that this is a know issue. https://docs.microsoft.com/en-us/windows/deployment/volume-activation/vamt-known-issues
The workaround was to the slmgr.vbs tool. Entering the command below, allowed it to get added successfully. Replacing <CSVLK> with my actual key issued by MS. After entered, you’ll see a pop-up message stating that the key has been successfully added.
slmgr.vbs /ipk <CSVLK>
Once I had added my CSLVK, I was able to jump back into a new Windows Server 2019 virtual machine that I had created and use the slmgr.vbs command below to successfully activate the new virtual machine against my KMS server.
