Is my host protected against RestrictedAdmin?

This chain will stage a RestrictedAdmin binary from Operator and use it to enumerate and adjust the Restricted Admin mode.


Restricted Admin Mode was introduced in Windows 8.1 to prevent credentials from being exposed over RDP. While well-intended, it also made pass-the-hash over RDP possible.

While Restricted Admin Mode is not enabled by default, we can enable it by setting the value DisableRestrictedAdmin to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. To do this remotely we could use the Remote Registry service; however, it is not always enabled (particularly on workstations). Instead, we can use the StdRegProv WMI class to flip this value remotely. This approach was later expanded by @airzero24 in his WMIReg project.

RestrictedAdmin is available for download from GhostPack.


Execute “Is my host protected against RestrictedAdmin?” in Operator on each host in your environment to test if you are vulnerable.



Microsoft has provided a list of steps to enable and require RestrictedAdmin on all outbound RDP requests. More information can be found in Microsoft's documentation.

Steps to require all outbound Remote Desktop requests to use RestrictedAdmin mode:

  • Open Group Policy Management Console: click Start, click Run, type gpmc.msc, and then click OK.
  • Select the group policy which best applies to the systems from which you will initiate Remote Desktop connections.
  • Edit the Group Policy and navigate to the following node: Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation
  • Configure the value of “Restrict delegation of credentials to remote servers” to Enabled.

This setting will take effect when Group Policy refreshes. To immediately refresh group policy, open an elevated command prompt and enter the following text:

Gpupdate.exe /target:computer /force

You should also restrict access to Group Policy by opening the following policy setting in your GPO:

  • Computer Configuration\Administrative Templates\System\Group Policy\Registry Policy Processing

Enable this policy setting and select the checkbox labeled Process even if the Group Policy objects have not changed. This will force Group Policy settings to be reapplied to target computers even when the actual settings within a GPO haven’t changed.
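Added here as a defender's audit script (not Prelude's chain, the GhostPack RestrictedAdmin tool, or code from the post): it reads DisableRestrictedAdmin on each host through the StdRegProv WMI class the post mentions, so it works even where the Remote Registry service is off, and it also checks whether the “Restrict delegation of credentials to remote servers” policy described above has been applied. The host names are constructed, and the CredentialsDelegation registry values are assumed to be the policy's backing values (they are not named in the post).

```powershell
# Added audit example: report Restricted Admin state and the outbound
# credential-delegation policy for a list of hosts, read-only.
# Host names are constructed placeholders.

$HKEY_LOCAL_MACHINE = [uint32]2147483650   # 0x80000002, hDefKey for StdRegProv
$Targets = @('WKSTN01.corp.example', 'SRV01.corp.example')   # constructed

function Get-RemoteDword {
    param(
        [Microsoft.Management.Infrastructure.CimSession]$Session,
        [string]$SubKey,
        [string]$ValueName
    )
    $r = Invoke-CimMethod -CimSession $Session -Namespace 'root\default' `
        -ClassName StdRegProv -MethodName GetDWORDValue `
        -Arguments @{ hDefKey = $HKEY_LOCAL_MACHINE; sSubKeyName = $SubKey; sValueName = $ValueName }
    # ReturnValue 0 = success; 2 = value not present (ERROR_FILE_NOT_FOUND)
    if ($r.ReturnValue -eq 0) { return [int]$r.uValue }
    return $null
}

foreach ($Target in $Targets) {
    try {
        $s = New-CimSession -ComputerName $Target -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Host = $Target; RestrictedAdmin = 'unreachable'; OutboundPolicy = 'unreachable' }
        continue
    }

    # Value discussed in the post: 0 = Restricted Admin mode enabled (pass-the-hash
    # over RDP is possible); 1 or missing = disabled (the Windows default).
    $disable = Get-RemoteDword $s 'SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'
    $state = if ($disable -eq 0) { 'ENABLED' } else { 'disabled' }

    # Assumed backing values of the "Restrict delegation of credentials to remote
    # servers" GPO setting (not named in the post): RestrictedRemoteAdministration = 1
    # means the policy is enabled; type 1 means "Require Restricted Admin".
    $polKey     = 'SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $polEnabled = Get-RemoteDword $s $polKey 'RestrictedRemoteAdministration'
    $polType    = Get-RemoteDword $s $polKey 'RestrictedRemoteAdministrationType'
    if ($polEnabled -eq 1 -and $polType -eq 1) { $policy = 'require RestrictedAdmin' }
    elseif ($polEnabled -eq 1)                  { $policy = "enabled (type $polType)" }
    else                                        { $policy = 'not configured' }

    [pscustomobject]@{ Host = $Target; RestrictedAdmin = $state; OutboundPolicy = $policy }
    Remove-CimSession $s
}
```

Invoke-CimMethod uses WinRM by default; on hosts that only expose classic WMI over DCOM, create the session with `New-CimSessionOption -Protocol Dcom` and pass it to New-CimSession. A host reporting RestrictedAdmin “ENABLED” is one on which the chain above would find the mode already on, so that value is worth including in any baseline comparison you run after the Group Policy refresh.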

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
Execute this chain

Download Operator (1.7.1)
Learn about Operator


Enumerate Restricted Admin mode with RestrictedAdmin
Enable Restricted Admin mode using RestrictedAdmin