josefkocarek
restrict remote desktop for administrator

I would like to switch off Remote Desktop for the administrator account (he is domain admin, enterprise admin...). Is that possible, and how? The OS is Windows Server 2003.
J0K0
Don S.
You could turn off Remote Desktop for the server. Right-click My Computer, Properties, Remote tab. Uncheck the Enable Remote Desktop on this computer check box. This will turn it off for everyone. Otherwise the Administrator is implicitly authorized to all functions on the server.
josefkocarek

ASKER
I don't want to turn it off. I have other users accessing the server. I just need to turn off the admin. There is a person who knows the password and I am afraid that they would cause damage to the system.

J0K0
Hi josefkocarek,
If someone has the "domain admin enterprise admin" there is nothing you can do that will effectively stop him for very long.
This problem will not be solved with 'configuration'.
You need to get the authorization to change the password and make sure you trust whoever gets it.


Vic
The person doesn't have access except over Remote Desktop. So there is no policy or any other way to restrict the user from access over RD?

J0K0
J0K0,
The expression "domain admin enterprise admin" really says it all.
Anyone with access to that account is completely unrestricted in what they can do to every object in the Enterprise.

You may get some suggestions on 'tweaks' and 'fixes' that can temporarily block him, but then all you're going to do is piss him off.

Then you have someone with total control over every computer in your network/domain/enterprise -- and he is mad.
Not a good situation for you.

You really need to deal with this from a management/policy level.

Not what you wanted to hear, but it is the real answer.

Vic
Even if you could restrict the server's RD from the Administrator, they could always just install the Remote Admin toolkit and between that and mapping to the admin shares on the server, do anything they want anyway.

Change the password and deal with it at the personnel management level.
There is nothing you can do to prevent his access short of removing the server from the domain. You can open the Local Security Policy and add his account to the Deny logon through Terminal Services policy. You could also remove the Domain Admins group from the computer's local Administrators group, but if he is halfway knowledgeable in Active Directory he will be able to override those changes very easily by assigning a group policy to the server.
Yeah, no good solution from an IT point of view other than to take the permissions away if you don't trust him. What good is it to block him from RDP if he can still have access to \\servername\C$\ ? Not to mention management console utils (i.e. services!).
Enterprise Admin automatically has FULL control over all PCs/servers on the domain. The most you could do is create an annoyance, but you would not be able to prevent the Enterprise Admin from remotely administering any machines that are joined to the domain.

Enterprise Admin is king of the domain.
He is not locally in the building where the server is. He could only access from outside. I like the idea to add him to the deny logon..... policy as sphbecker mentioned. Can I do it without removing the server from the domain? The server is the DC and the router redirects the RD traffic to this server.
J0K0
If the server is the DC then you would have to use the Domain Controller Security Policy (DCs do not have local security at all), and doing so would affect all Domain Controllers.

I really don't think this is going to do much. If he tried to log in he would be shown a message stating that the security policy prevents him from connecting to this session (or something like that); he could change that DC Security Policy in about 2 minutes and have access again.

You should really evaluate why this person has Ent Admin rights if you don't want him to have access to servers. You might want to create a new group called Desktop Support and then use a Computer Startup Script to add it to the local admins group of all your XP workstations. That would allow him to have admin rights to the desktops without putting him in a position to mess up servers. You could also delegate whatever access you want him to have to that group. AD has incredible delegation ability. For example, I'm not a Domain Admin at all, but I have domain admin like authority over resources in my division.
How can he change the GP setting if he can't log in remotely? He doesn't have access to the building. He was fired.
I think your idea with the GP restriction will solve the problem
J0K0
The GP setting could be changed using any computer on the network, not just a server. I would really consider changing that password if I were you. If the only possible way he can connect to your network at all is via Remote Desktop then making that policy change would work. In that case I would make the change on the Default Domain Security Policy; that way he would not be able to connect to any workstation/server. Make sure you test and are happy with the results.
J0K0,
You keep trying to find a way to argue with the advice I first gave you several hours ago.
What you want to do can not be done.
No matter how many times you ask the question, it cannot be done.

Change the password (as I suggested about 8 hours ago) and secure your network from this fired employee.

This guy represents a huge danger to your entire network/domain/enterprise.

I've been doing Network Security for a lot of years and that password would have been changed about 30 seconds after I found out he was fired.

The longer you wait, the more chance this guy is going to do something really bad.


Vic
ASKER CERTIFIED SOLUTION
chekfu
J0K0,
Your selection of the first answer that agreed with what you wanted to hear is really no surprise, but think about what you just did.

For over 8 hours, several different people (with a lot of experience) repeatedly tried to explain to you why you cannot lock out the Domain Administrator account.

Try actually thinking about your question.

Do you think it is in any way conceivable that the primary (native) Administrator account could POSSIBLY be locked out of a network function by ANY form of configuration?

IF that were possible, can you imagine the huge hole that creates in network security? Any user on the domain could sit at their work station, run a 'privilege elevation hack' and shut down/take over the entire domain.

After thinking about that for a while, think about chekfu's answer. It doesn't really matter what configuration change you (temporarily) make on that account, as soon as the guy logs back in, he can re-configure.

Do the right thing and re-open this question for some more input - and this time - listen to all the explanations, not just what you want to hear.


Vic
Vic
Thanks for your input. This guy will never have access to the office building. So the only way he can log in is over RD. I just prohibited him from doing that. He doesn't know any other account in the system. I am the admin and I gave him the access just to fix something. I don't know how he can do any damage. I am ready to hear your advice. Please tell me how he can do it if the only access is over the "internet" and I have just stopped him.
J0K0
I would never grant anyone's regular daily use account admin rights to the domain or even the local machine. I don't even have admin rights to my own workstation. If he is, all he has to do is open his account in ADU&C, temporarily check back that little "allow logon to terminal server" box, log in and do what he needs, then go back and uncheck it. How are you going to know? You'll be none the wiser.

If anything, if he MUST be admin, it should only be under local admins of the machine he needs access to. Otherwise you should seriously look into how to delegate control so you aren't just handing over the master skeleton key to your kingdom. Just because you don't know how he can do any damage doesn't mean he can't. Sometimes the most dangerous users are those who know just enough to be dangerous (and then are given the rights TO BE dangerous).
PS - If he is domain/enterprise admin, his only access is not over terminal services (which you referred to as the Internet). That should be among the least of your worries. He could also connect to your server (and any other workstation/server on your domain, including those at your facility) simply by opening a Run dialog box and typing \\computername\C$. He can also access and edit the registry of any machine on your domain.

I would learn how to delegate control, then give him access to ONLY those functions he needs to do his job.

Step-by-Step Guide to Using the Delegation of Control Wizard - Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/kb/315676
You have probably not understood that he doesn't have access to the building and so he can only access the network over the internet (terminal services). So why are you mentioning workstations, the Run dialog box .... ADUC? That is not relevant.
What, are you on more than one domain? Does he not log in to your domain from the remote office? Looking at your other questions, I would hazard to guess that he does.

"I have one domain that spans 3 sites. I want to place domain controllers in every site. How do I configure the roles of the DCs in the sites and also how do I configure the sites and their connection for replication purposes in AD Sites and Services."

Well, if that's the case and he is domain admin, then ADU&C is relevant, as were the other things I mentioned. All he has to do is create a new user, assign admin rights to it, and leave that little "allow logon to terminal server" enabled on that account and not on his. He could probably be creative and make the username something that wouldn't stand out. You run MS Exchange (I know from your other questions), so postmaster or something. Would you delete a postmaster account? Would you even mess with its settings?

I'm not trying to give you a hard time, I'm just a little concerned. At best you are not following "best practices" and at worst you have just handed over your entire domain to this guy. Ignorance isn't bliss in either situation. I'll just leave it at that.
Hilarious. Something just didn't feel right with all this so I went back through and read all posts again and came across this comment:

"He was fired."

Unreal. My bad for not catching it before, and Vic was right from the start. All you have to do is revoke his account and/or reset the password. That should have been done as soon as Elvis left the building. I would be careful who I give admin rights going forward. Look into how delegation works.
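As an added example, not part of the thread, here is a PowerShell offboarding script that does what the answers converge on: reset the password, disable the account, remove it from the privileged groups, and then audit those groups for recently created or changed accounts (the hidden "postmaster"-style admin account sphbecker describes). It assumes the ActiveDirectory module from RSAT (a later toolset than the 2003-era consoles discussed) and uses a placeholder account name.

```powershell
# Added example; not from the thread. Assumes the ActiveDirectory module (RSAT)
# and that it runs under an account allowed to modify the groups below.
Import-Module ActiveDirectory

$Departed = 'formeradmin'   # placeholder SamAccountName of the fired admin
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Invalidate the credential the person knows: reset the password to a random
#    value nobody records, then disable the account. This stops every access path
#    (RDP, admin shares, remote registry, MMC), not only Remote Desktop.
$Chars = [char[]]((48..57) + (65..90) + (97..122) + (33..47))
$NewPassword = -join ((1..32) | ForEach-Object { $Chars | Get-Random })
$Secure = ConvertTo-SecureString $NewPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $Departed -Reset -NewPassword $Secure
Disable-ADAccount -Identity $Departed

# 2. Strip privileged memberships so a later re-enable does not restore admin rights.
foreach ($Group in $PrivilegedGroups) {
    $IsMember = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.SamAccountName -eq $Departed }
    if ($IsMember) {
        Remove-ADGroupMember -Identity $Group -Members $Departed -Confirm:$false
    }
}

# 3. Audit: list every user in the privileged groups and flag accounts created or
#    modified in the last 30 days. A Domain Admin could have created a second,
#    innocuous-looking admin account; this is where it would show up.
$Since = (Get-Date).AddDays(-30)
$Report = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties whenCreated, whenChanged |
        Select-Object @{ n = 'Group'; e = { $Group } },
                      SamAccountName, Enabled, whenCreated, whenChanged,
                      @{ n = 'RecentChange'; e = { $_.whenCreated -gt $Since -or $_.whenChanged -gt $Since } }
}
$Report | Sort-Object RecentChange -Descending | Format-Table -AutoSize
```

Every account flagged RecentChange that the team did not knowingly create deserves the same treatment as step 1, and the review should be repeated after any period in which the departed person still held the rights.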
That guy was installing SQL Server so he needed to log in as admin. I was waiting on the right answer and Vic gave it to me: "Vic is the man". Anyway, thanks to all of you gentlemen for your comments.
J0K0