Solved

Windows Server 2003 - Lock a userid down to access only one specific DC via RDP

Posted on 2007-04-04
3
240 Views
Last Modified: 2013-11-21
Here is my situation:
We have about twenty remote sites that have a single windows 2003 R2 server. The server is a DC on our corporate domain. We have several DC's at corporate. Our application vendor needs a domain admin id to remote in and work (total BS IMHO, but lets move on) when things break in their app.
My first thought was this: I'll create a seperate ID for each remote location and disable them all. When the vendor needs in, I will enable the id that corresponds to that server. I will use the server local security policy to make sure only that id (and our own admins) can hit the box via RDP.
The problem is there is NO local security policy specific to the DC. Since its a DC it shares the domain controller security policy and doesn't have one of its own. So if I use that, you get access to all DC's, or none. Once any of the twenty userid's is enabled, the user of that ID can log into any DC via RDP, including the corporate DC's.

My million dollar  question:
How do I lock down a userid with domain admin credentials so that when its enabled, it can only log on to one specific DC via RDP, and NO other DC's. I know there are plenty of other security issues since they can get into AD and what not, but at least locking them down to one DC helps a little.

Or even better: How would you handle this request from a vendor? We have twenty DC's that the vendor may need to log in to fix their app.  What type of userid would you create with what type of permissions? The vendor will need to get into AD, preferably on a read-only basis.
0
Comment
Question by:Neil2526
3 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 225 total points
ID: 18852271
Select the userid in AD users and computers, load the properties.
Select the Account TAB
Click the Log on to button
Add the one DC name.

That will restrict that user to that one machine,.
0
 
LVL 12

Assisted Solution

by:RWrigley
RWrigley earned 25 total points
ID: 18855193
THe concept of a "Domain Admin" doesn't really exist in AD 2003;it just refers to a user with full permissions.  Unlike the old NT style, there is no "God" account.

Which means that you should insist that your application vendor give you a more specific list of what resources they need access too.  Asking for full domain access is unreasonable in this day and age; security is too imporant to be undermined by such sloppy requirements.

One thing you can do is set up "sites" in the AD, and specify a specific user have admin style privleges over that site.  Same thing with OU's; you can add all the servers, computers and users from a given site into a OU, and specify a set of users that are "admin" to all the objects within it.  
0
 

Author Comment

by:Neil2526
ID: 18878329
How could I have missed the "Log on To" button! Thank you. You also make a good point Wrigley. We have decided to give them a more restricted group we have created and we will deal with whatever issues arise.

In combination with the "Log on To"/"Logon Hours" parameters they are locked down nicely.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Learn about cloud computing and its benefits for small business owners.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question