[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Windows Server 2003 - Lock a userid down to access only one specific DC via RDP

Posted on 2007-04-04
3
Medium Priority
?
247 Views
Last Modified: 2013-11-21
Here is my situation:
We have about twenty remote sites that have a single windows 2003 R2 server. The server is a DC on our corporate domain. We have several DC's at corporate. Our application vendor needs a domain admin id to remote in and work (total BS IMHO, but lets move on) when things break in their app.
My first thought was this: I'll create a seperate ID for each remote location and disable them all. When the vendor needs in, I will enable the id that corresponds to that server. I will use the server local security policy to make sure only that id (and our own admins) can hit the box via RDP.
The problem is there is NO local security policy specific to the DC. Since its a DC it shares the domain controller security policy and doesn't have one of its own. So if I use that, you get access to all DC's, or none. Once any of the twenty userid's is enabled, the user of that ID can log into any DC via RDP, including the corporate DC's.

My million dollar  question:
How do I lock down a userid with domain admin credentials so that when its enabled, it can only log on to one specific DC via RDP, and NO other DC's. I know there are plenty of other security issues since they can get into AD and what not, but at least locking them down to one DC helps a little.

Or even better: How would you handle this request from a vendor? We have twenty DC's that the vendor may need to log in to fix their app.  What type of userid would you create with what type of permissions? The vendor will need to get into AD, preferably on a read-only basis.
0
Comment
Question by:Neil2526
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 900 total points
ID: 18852271
Select the userid in AD users and computers, load the properties.
Select the Account TAB
Click the Log on to button
Add the one DC name.

That will restrict that user to that one machine,.
0
 
LVL 12

Assisted Solution

by:RWrigley
RWrigley earned 100 total points
ID: 18855193
THe concept of a "Domain Admin" doesn't really exist in AD 2003;it just refers to a user with full permissions.  Unlike the old NT style, there is no "God" account.

Which means that you should insist that your application vendor give you a more specific list of what resources they need access too.  Asking for full domain access is unreasonable in this day and age; security is too imporant to be undermined by such sloppy requirements.

One thing you can do is set up "sites" in the AD, and specify a specific user have admin style privleges over that site.  Same thing with OU's; you can add all the servers, computers and users from a given site into a OU, and specify a set of users that are "admin" to all the objects within it.  
0
 

Author Comment

by:Neil2526
ID: 18878329
How could I have missed the "Log on To" button! Thank you. You also make a good point Wrigley. We have decided to give them a more restricted group we have created and we will deal with whatever issues arise.

In combination with the "Log on To"/"Logon Hours" parameters they are locked down nicely.
0

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question