Solved

restrict remote desktop for administrator

Posted on 2006-10-20
Last Modified: 2013-11-21
I would like to switch off the remote desktop for the administrator account (he is domain admin, enterprise admin......). Is that possible and how? The OS is Windows Server 2003.
J0K0
Question by:josefkocarek
 
LVL 18

Expert Comment

by:Don S.
ID: 17774819
You could turn off remote desktop for the server.  Right click My computer, Properties, Remote tab.  Uncheck the Enable Remote Desktop on this computer check box.  This will turn it off for everyone.  Otherwise the Administrator is implicitly authorized to all functions on the server.
 

Author Comment

by:josefkocarek
ID: 17774848
I don't want to turn it off. I have other users accessing the server. I just need to turn off the admin. There is a person who knows the password and I am afraid that they would cause damage to the system.

J0K0
 
LVL 38

Expert Comment

by:younghv
ID: 17774890
Hi josefkocarek,
If someone has the "domain admin enterprise admin" there is nothing you can do that will effectively stop him for very long.
This problem will not be solved with 'configuration'.
You need to get the authorization to change the password and make sure you trust whoever gets it.


Vic
 

Author Comment

by:josefkocarek
ID: 17774937
The person doesn't have access except over remote desktop. So there is no policy or any other way to restrict the user from accessing over RD?

J0K0
 
LVL 38

Expert Comment

by:younghv
ID: 17774994
J0K0,
The expression "domain admin enterprise admin" really says it all.
Anyone with access to that account is completely unrestricted in what they can do to every object in the Enterprise.

You may get some suggestions on 'tweaks' and 'fixes' that can temporarily block him, but then all you're going to do is piss him off.

Then you have someone with total control over every computer in your network/domain/enterprise -- and he is mad.
Not a good situation for you.

You really need to deal with this from a management/policy level.

Not what you wanted to hear, but it is the real answer.

Vic
 
LVL 18

Expert Comment

by:Don S.
ID: 17775012
Even if you could restrict the server's RD from the Administrator, they could always just install the Remote Admin toolkit and between that and mapping to the admin shares on the server, do anything they want anyway.

Change the password and deal with it at the personnel management level.
 
LVL 2

Expert Comment

by:sphbecker
ID: 17775022
There is nothing you can do to prevent his access short of removing the server from the domain.  You can open the Local Security Policy and add his account to the Deny logon through Terminal Services policy.  You could also remove the Domain Admins group from the computer's local Administrators group, but if he is halfway knowledgeable in Active Directory he will be able to override those changes very easily by assigning a group policy to the server.
 
LVL 4

Expert Comment

by:expexchuser
ID: 17775248
Yeah, no good solution from an IT point of view other than to take the permissions away if you don't trust him.  What good is it to block him from RDP if he can still have access to \\servername\C$\ ?  Not to mention management console utils (ie services!).
 
LVL 25

Expert Comment

by:Ron M
ID: 17777036
Enterprise admin automatically has FULL control over all PCs/servers on the domain.  The most you could do is create an annoyance, but you would not be able to prevent the Enterprise Admin from remotely administering any machines that are joined to the Domain.

Enterprise Admin is king of the domain.
 

Author Comment

by:josefkocarek
ID: 17777242
He is not locally in the building where the server is. He could only access from outside. I like the idea to add him to the deny logon..... policy as sphbecker mentioned. Can I do it without removing the server from the domain? The server is the DC and the router redirects the RD traffic to this server.
J0K0
 
LVL 2

Expert Comment

by:sphbecker
ID: 17777338
If the server is the DC then you would have to use the Domain Controller Security Policy (DCs do not have local security at all), and doing so would affect all Domain Controllers.

I really don't think this is going to do much.  If he tried to log in he would be shown a message stating that the security policy prevents him from connecting to this session (or something like that); he could change that DC Sec Policy in about 2 minutes and have access again.

You should really evaluate why this person has Ent Admin rights if you don't want him to have access to servers.  You might want to create a new group called Desktop Support and then use a Computer Startup Script to add it to the local admins group of all your XP Workstations.  That would allow him to have admin rights to the desktops without putting him in a position to mess up servers.  You could also delegate whatever access you want him to have to that group.  AD has incredible delegation ability.  For example, I'm not a Domain Admin at all, but I have domain admin like authority over resources in my division.
 

Author Comment

by:josefkocarek
ID: 17778004
How can he change the GP setting if he can't login remotely. He doesn't have access to the building. He was fired.
I think your idea with the GP restriction will solve the problem
J0K0
 
LVL 2

Expert Comment

by:sphbecker
ID: 17778026
The GP setting could be changed using any computer on the network, not just a server.  I would really consider changing that password if I were you.  If the only possible way he can connect to your network at all is via remote desktop then making that policy change would work.  In that case I would make the change on the Default Domain Security Policy, that way he would not be able to connect to any workstation/server.  Make sure you test and are happy with the results.
 
LVL 38

Expert Comment

by:younghv
ID: 17778051
J0K0,
You keep trying to find a way to argue with the advice I first gave you several hours ago.
What you want to do can not be done.
No matter how many times you ask the question, it cannot be done.

Change the password (as I suggested about 8 hours ago) and secure your network from this first employee.

This guy represents a huge danger to your entire network/domain/enterprise.

I've been doing Network Security for a lot of years and that password would have been changed about 30 seconds after I found out he was fired.

The longer you wait, the more chance this guy is going to do something really bad.


Vic
 
LVL 1

Accepted Solution

by:
chekfu earned 500 total points
ID: 17778434
Deny Administrator RPC, simply go ADUC, go properties of Administrator, select "Terminal ... " tab, tick the option "deny....."
 
LVL 38

Expert Comment

by:younghv
ID: 17779640
J0K0,
Your selection of the first answer that agreed with what you wanted to hear is really no surprise, but think about what you just did.

For over 8 hours, several different people (with a lot of experience) repeatedly tried to explain to you why you cannot lock out the Domain Administrator account.

Try actually thinking about your question.

Do you think it is in any way conceivable that the primary (native) Administrator account could POSSIBLY be locked out of a network function by ANY form of configuration?

IF that were possible, can you imagine the huge hole that creates in network security? Any user on the domain could sit at their work station, run a 'privilege elevation hack' and shut down/take over the entire domain.

After thinking about that for a while, think about chekfu's answer. It doesn't really matter what configuration change you (temporarily) make on that account, as soon as the guy logs back in, he can re-configure.

Do the right thing and re-open this question for some more input - and this time - listen to all the explanations, not just what you want to hear.


Vic
 

Author Comment

by:josefkocarek
ID: 17780594
Vic
Thanks for your input. This guy will never have access to the office building. So the only way he can log in is over RD. I just prohibited him from doing that. He doesn't know any other account in the system. I am the admin and I gave him the access just to fix something. I don't know how he can do any damage. I am ready to hear your advice. Please tell me how he can do it if the only access is over the "internet" and I have just stopped him.
J0K0
 
LVL 4

Expert Comment

by:expexchuser
ID: 17790625
I would never grant anyone's regular daily use account admin rights to the domain or even local machine.  I don't even have admin rights to my own workstation.  If he is, all he has to do is open his account in ADU&C, temporarily check back that little "allow logon to terminal server" and login and do what he needs, then go back and uncheck it.  How are you going to know?  You'll be none the wiser.

If anything, if he MUST be admin, it should only be under local admins of the machine he needs access to.  Otherwise you should seriously look into how to delegate control so you aren't just handing over the master skeleton key to your kingdom.  Just because you don't know how he can do any damage doesn't mean he can't.  Sometimes the most dangerous users are those who know just enough to be dangerous (and then are given the rights TO BE dangerous).
 
LVL 4

Expert Comment

by:expexchuser
ID: 17790680
PS - If he is domain/enterprise admin, his only access is not over terminal services (which you referred to as the Internet).  That should be among the least of your worries.  He could also connect to your server (and any other workstation/server on your domain including those at your facility) simply by opening a Run dialogue box and typing \\computername\C$.  He can also access and edit the registry of any machine on your domain.

I would learn how to delegate control, then give him access to ONLY those functions he needs to do his job.

Step-by-Step Guide to Using the Delegation of Control Wizard - Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/kb/315676
 

Author Comment

by:josefkocarek
ID: 17792942
You have probably not understood that he doesn't have access to the building and so he can only access the network over the internet (terminal services). So why are you mentioning workstations, Run dialog box .... ADUC. That is not relevant.
 
LVL 4

Expert Comment

by:expexchuser
ID: 17796696
What are you on more than one domain?  Does he not login to your domain from the remote office?  Looking at your other questions, I would hazard to guess that he does.

"I have one domain that spans 3 sites. I want to place domain controllers in every site. How do I configure the roles of the dc's in the sites and also how do I configure the sites and their connection for replication purposes in AD sites and services."

Well, if that's the case and he is domain admin, then ADU&C is relevant as were the other things I mentioned.   All he has to do is create a new user and assign admin rights to it and leave that little "allow logon to terminal server" enabled on that acct and not on his.  He could probably be creative and make the username something that wouldn't stand out.  You run MS Exchange (I know from your other questions), so postmaster or something.  Would you delete a postmaster account?  Would you even mess with its settings?

I'm not trying to give you a hard time, I'm just a little concerned.  At best you are not following "best practices" and at worst you have just handed over your entire domain to this guy.  Ignorance isn't bliss in either situation.  I'll just leave it at that.  
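The PowerShell below is an added example, not code from the thread or from any of its posters. It automates the two controls the thread argues over (chekfu's ADUC "deny logon to Terminal Server" checkbox, and the experts' real answer of disabling the account and resetting its password) and adds the audit expexchuser's comments call for: every member of Domain Admins and Enterprise Admins, nesting expanded, with its Terminal Services logon flag, disabled bit and creation date, so a freshly created or quietly re-enabled admin account stands out. It assumes a domain-joined Windows host with the default group locations under CN=Users and uses ADSI only (the AllowLogon value is the IADsTSUserEx property behind that checkbox); the function names and the "contractor1" account are constructed for the example.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host that may read AD,
# and may modify user objects for Disable-PrivilegedAccount. ADSI only, no RSAT module needed.
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext

function Get-PrivilegedTsLogonReport {
    # One row per member (nested groups expanded) of the privileged groups, with the settings
    # the thread discusses: Terminal Services logon flag, account-disabled bit, creation date.
    $seen = @{}
    foreach ($g in @("Domain Admins", "Enterprise Admins")) {
        $groupDN = "CN=$g,CN=Users,$domainDN"   # default location; adjust if the groups were moved
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (Server 2003 SP2+): walks group nesting
        $s.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDN))"
        $s.PageSize = 500
        foreach ($r in $s.FindAll()) {
            if ($seen.ContainsKey($r.Path)) { $seen[$r.Path].PrivilegedVia += ", $g"; continue }
            $u = $r.GetDirectoryEntry()
            try   { $tsAllowed = ([int]$u.psbase.InvokeGet("AllowLogon")) -eq 1 }  # IADsTSUserEx: the ADUC checkbox
            catch { $tsAllowed = $null }                                            # TS extension unavailable
            $seen[$r.Path] = [pscustomobject]@{
                SamAccountName = [string]$u.sAMAccountName
                PrivilegedVia  = $g
                Disabled       = [bool](([int]$u.userAccountControl.Value) -band 2)  # ADS_UF_ACCOUNTDISABLE
                TsLogonAllowed = $tsAllowed
                Created        = [datetime]$u.whenCreated.Value
            }
        }
    }
    # Newest first: a recently created "postmaster"-style admin account lands at the top of the report
    $seen.Values | Sort-Object Created -Descending
}

function Disable-PrivilegedAccount {
    # The thread's real answer: deny TS logon, reset the leaked password, and disable the account.
    # Use -KeepEnabled for the built-in Administrator, which should be reset rather than disabled.
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$NewPassword, [switch]$KeepEnabled)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
    $s.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $r = $s.FindOne()
    if (-not $r) { throw "User '$SamAccountName' not found in $domainDN" }
    $u = $r.GetDirectoryEntry()
    $u.psbase.InvokeSet("AllowLogon", 0)                                  # "Deny ... log on to Terminal Server"
    if ($NewPassword) { $u.psbase.Invoke("SetPassword", $NewPassword) }   # invalidates the known credential
    if (-not $KeepEnabled) {
        $u.Put("userAccountControl", ([int]$u.userAccountControl.Value) -bor 2)   # set ADS_UF_ACCOUNTDISABLE
    }
    $u.SetInfo()                                                          # commit all changes to AD
}

# Usage (constructed account name): Get-PrivilegedTsLogonReport | Format-Table -AutoSize
#   Disable-PrivilegedAccount -SamAccountName "contractor1" -NewPassword (Read-Host "New password")
```

Re-run the report after the change: any privileged account whose TsLogonAllowed flips back to True, or whose Created date is newer than the last run, is exactly the re-enable or new-account move the comments above describe.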
 
LVL 4

Expert Comment

by:expexchuser
ID: 17796911
Hilarious.  Something just didn't feel right with all this so I went back through and read all posts again and came across this comment:

"He was fired."

Unreal.  My bad for not catching it before, and Vic was right from the start.  All you have to do is revoke his account and/or reset the password.  That should have been done as soon as Elvis left the building.  I would be careful who I give admin rights going forward.  Look into how delegation works.
 

Author Comment

by:josefkocarek
ID: 17800853
That guy was installing SQL server so he needed to login as admin. I was waiting on the right answer and Vic gave it to me "Vic is the man". Anyway thanks all of you gentlemen for your comments.
J0K0