• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 249
  • Last Modified:

Windows Server 2003 - Lock a userid down to access only one specific DC via RDP

Here is my situation:
We have about twenty remote sites that have a single windows 2003 R2 server. The server is a DC on our corporate domain. We have several DC's at corporate. Our application vendor needs a domain admin id to remote in and work (total BS IMHO, but lets move on) when things break in their app.
My first thought was this: I'll create a seperate ID for each remote location and disable them all. When the vendor needs in, I will enable the id that corresponds to that server. I will use the server local security policy to make sure only that id (and our own admins) can hit the box via RDP.
The problem is there is NO local security policy specific to the DC. Since its a DC it shares the domain controller security policy and doesn't have one of its own. So if I use that, you get access to all DC's, or none. Once any of the twenty userid's is enabled, the user of that ID can log into any DC via RDP, including the corporate DC's.

My million dollar  question:
How do I lock down a userid with domain admin credentials so that when its enabled, it can only log on to one specific DC via RDP, and NO other DC's. I know there are plenty of other security issues since they can get into AD and what not, but at least locking them down to one DC helps a little.

Or even better: How would you handle this request from a vendor? We have twenty DC's that the vendor may need to log in to fix their app.  What type of userid would you create with what type of permissions? The vendor will need to get into AD, preferably on a read-only basis.
0
Neil2526
Asked:
Neil2526
2 Solutions
 
PberSolutions ArchitectCommented:
Select the userid in AD users and computers, load the properties.
Select the Account TAB
Click the Log on to button
Add the one DC name.

That will restrict that user to that one machine,.
0
 
RWrigleyCommented:
THe concept of a "Domain Admin" doesn't really exist in AD 2003;it just refers to a user with full permissions.  Unlike the old NT style, there is no "God" account.

Which means that you should insist that your application vendor give you a more specific list of what resources they need access too.  Asking for full domain access is unreasonable in this day and age; security is too imporant to be undermined by such sloppy requirements.

One thing you can do is set up "sites" in the AD, and specify a specific user have admin style privleges over that site.  Same thing with OU's; you can add all the servers, computers and users from a given site into a OU, and specify a set of users that are "admin" to all the objects within it.  
0
 
Neil2526Author Commented:
How could I have missed the "Log on To" button! Thank you. You also make a good point Wrigley. We have decided to give them a more restricted group we have created and we will deal with whatever issues arise.

In combination with the "Log on To"/"Logon Hours" parameters they are locked down nicely.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now