Windows Server 2003 - Lock a userid down to access only one specific DC via RDP

Here is my situation:
We have about twenty remote sites that have a single windows 2003 R2 server. The server is a DC on our corporate domain. We have several DC's at corporate. Our application vendor needs a domain admin id to remote in and work (total BS IMHO, but lets move on) when things break in their app.
My first thought was this: I'll create a seperate ID for each remote location and disable them all. When the vendor needs in, I will enable the id that corresponds to that server. I will use the server local security policy to make sure only that id (and our own admins) can hit the box via RDP.
The problem is there is NO local security policy specific to the DC. Since its a DC it shares the domain controller security policy and doesn't have one of its own. So if I use that, you get access to all DC's, or none. Once any of the twenty userid's is enabled, the user of that ID can log into any DC via RDP, including the corporate DC's.

My million dollar  question:
How do I lock down a userid with domain admin credentials so that when its enabled, it can only log on to one specific DC via RDP, and NO other DC's. I know there are plenty of other security issues since they can get into AD and what not, but at least locking them down to one DC helps a little.

Or even better: How would you handle this request from a vendor? We have twenty DC's that the vendor may need to log in to fix their app.  What type of userid would you create with what type of permissions? The vendor will need to get into AD, preferably on a read-only basis.
Neil2526Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PberSolutions ArchitectCommented:
Select the userid in AD users and computers, load the properties.
Select the Account TAB
Click the Log on to button
Add the one DC name.

That will restrict that user to that one machine,.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
RWrigleyCommented:
THe concept of a "Domain Admin" doesn't really exist in AD 2003;it just refers to a user with full permissions.  Unlike the old NT style, there is no "God" account.

Which means that you should insist that your application vendor give you a more specific list of what resources they need access too.  Asking for full domain access is unreasonable in this day and age; security is too imporant to be undermined by such sloppy requirements.

One thing you can do is set up "sites" in the AD, and specify a specific user have admin style privleges over that site.  Same thing with OU's; you can add all the servers, computers and users from a given site into a OU, and specify a set of users that are "admin" to all the objects within it.  
0
Neil2526Author Commented:
How could I have missed the "Log on To" button! Thank you. You also make a good point Wrigley. We have decided to give them a more restricted group we have created and we will deal with whatever issues arise.

In combination with the "Log on To"/"Logon Hours" parameters they are locked down nicely.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.