Create a WMI filter that identifies the devices in each tier. The article uses three tiers: domain controllers, servers and workstations. This balances security against simplicity, and it can easily be extended to other device or server types.
Create a group for each tier. This will hold that tier's members.
Create a group policy for each tier. It should be filtered by tier type and will contain the allow/deny rules.
Finally, add your dedicated DA accounts to the tier 0 group and your dedicated server administrator accounts to the tier 1 group. Accounts will now only be able to log in locally or via RDP if they are meant for the specific tier.
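The four steps above, sketched in PowerShell as an added example (not the article author's code). The group and GPO names and the empty `Members` lists are assumptions; the WMI filter and the allow/deny logon rights still have to be attached to each GPO in the Group Policy Management Console.

```powershell
# Added example. Group and GPO names below are assumptions, not from the article.
Import-Module ActiveDirectory, GroupPolicy

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
# Members: fill in your dedicated admin accounts (sAMAccountName) for each tier.
$tiers = @(
    @{ Name = 'Tier0'; Devices = 'Domain controllers'; ProductType = 2; Members = @() }
    @{ Name = 'Tier1'; Devices = 'Servers';            ProductType = 3; Members = @() }
    @{ Name = 'Tier2'; Devices = 'Workstations';       ProductType = 1; Members = @() }
)

# ProductType of the machine running this script, to sanity-check the filters.
$localType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType

$report = foreach ($tier in $tiers) {
    # Step 1: WQL for this tier's WMI filter (namespace root\CIMv2).
    $wql = "SELECT * FROM Win32_OperatingSystem WHERE ProductType = $($tier.ProductType)"

    # Step 2: one security group per tier, created only if it does not exist yet.
    $groupName = "$($tier.Name)-Admins"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Description "Accounts allowed to log on to $($tier.Devices)"
    }

    # Step 3: one empty GPO per tier; the logon rules are added to it afterwards.
    $gpoName = "$($tier.Name) - Logon Restrictions"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Filtered to $($tier.Devices) by WMI" | Out-Null
    }

    # Step 4: add the dedicated accounts listed for this tier, if any.
    if ($tier.Members.Count -gt 0) {
        Add-ADGroupMember -Identity $groupName -Members $tier.Members
    }

    [pscustomobject]@{
        Tier         = $tier.Name
        Group        = $groupName
        GPO          = $gpoName
        WmiFilterWql = $wql
        MatchesHost  = ($localType -eq $tier.ProductType)
    }
}

# Exactly one row should show MatchesHost = True on any given machine.
$report | Format-Table -AutoSize -Wrap
```

Run it on a domain controller, a member server and a workstation in turn: the `MatchesHost` column shows which tier's filter each machine falls under before any deny rule is enforced.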
Comments (5)
Commented:
What's the example purpose of separating the AD object in a tier?
Commented:
So do I just implement the Group Policy Preference above?