?
Solved

Windows Server 2003 - Lock a userid down to access only one specific DC via RDP

Posted on 2007-04-04
3
Medium Priority
?
244 Views
Last Modified: 2013-11-21
Here is my situation:
We have about twenty remote sites that have a single windows 2003 R2 server. The server is a DC on our corporate domain. We have several DC's at corporate. Our application vendor needs a domain admin id to remote in and work (total BS IMHO, but lets move on) when things break in their app.
My first thought was this: I'll create a seperate ID for each remote location and disable them all. When the vendor needs in, I will enable the id that corresponds to that server. I will use the server local security policy to make sure only that id (and our own admins) can hit the box via RDP.
The problem is there is NO local security policy specific to the DC. Since its a DC it shares the domain controller security policy and doesn't have one of its own. So if I use that, you get access to all DC's, or none. Once any of the twenty userid's is enabled, the user of that ID can log into any DC via RDP, including the corporate DC's.

My million dollar  question:
How do I lock down a userid with domain admin credentials so that when its enabled, it can only log on to one specific DC via RDP, and NO other DC's. I know there are plenty of other security issues since they can get into AD and what not, but at least locking them down to one DC helps a little.

Or even better: How would you handle this request from a vendor? We have twenty DC's that the vendor may need to log in to fix their app.  What type of userid would you create with what type of permissions? The vendor will need to get into AD, preferably on a read-only basis.
0
Comment
Question by:Neil2526
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 900 total points
ID: 18852271
Select the userid in AD users and computers, load the properties.
Select the Account TAB
Click the Log on to button
Add the one DC name.

That will restrict that user to that one machine,.
0
 
LVL 12

Assisted Solution

by:RWrigley
RWrigley earned 100 total points
ID: 18855193
THe concept of a "Domain Admin" doesn't really exist in AD 2003;it just refers to a user with full permissions.  Unlike the old NT style, there is no "God" account.

Which means that you should insist that your application vendor give you a more specific list of what resources they need access too.  Asking for full domain access is unreasonable in this day and age; security is too imporant to be undermined by such sloppy requirements.

One thing you can do is set up "sites" in the AD, and specify a specific user have admin style privleges over that site.  Same thing with OU's; you can add all the servers, computers and users from a given site into a OU, and specify a set of users that are "admin" to all the objects within it.  
0
 

Author Comment

by:Neil2526
ID: 18878329
How could I have missed the "Log on To" button! Thank you. You also make a good point Wrigley. We have decided to give them a more restricted group we have created and we will deal with whatever issues arise.

In combination with the "Log on To"/"Logon Hours" parameters they are locked down nicely.
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
An article on effective troubleshooting
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question