Solved

How can I restrict the domain admin from logging in

Posted on 2007-07-31
Last Modified: 2010-03-05
Hi,

How can I restrict the domain administrator from logging in to my machine through the console or Mstsc?

Regards
Sharath
Question by:bsharath
14 Comments
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19602321
Hi Sharath

On your local computer (the one you don't want the administrator to log in to):
* Start > Run > gpedit.msc
* In the left pane expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
* In the right pane double-click "Deny logon through Terminal Services" and add the domain administrator user (not the Administrators group). Do the same for the "Deny logon locally" policy.

Regards
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19602330
Hi bsharath,

You can't! You cannot put any restriction on domain admins. If you follow a certain procedure to implement a restriction, the domain admin only has to follow the same procedure (in reverse order) to overcome the restriction.

HTH

Toni
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19602343
Mr. Husy, every GPO setting overrides local policy settings, so there is no point in setting local policies.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19602425
Hi Toni

Then how can I apply this successfully in my domain?
Regards
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19602441
That's the point. You can't. There is no way to lock out domain admins from anything.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19602470
I think I couldn't express myself. I mean "This works in my domain successfully atm". And for testing, I did the steps I mentioned on a computer and cannot log on with the admin account. This works fine here.

LVL 31

Expert Comment

by:Toni Uranjek
ID: 19602521
Now go to the DC, create a GPO and link it to the OU with the computer accounts. Set the GPO to allow logon locally and through RDP for domain admins. Didn't you (the domain admin) just override the local settings?
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19602808
Of course if I apply a GPO to computer accounts, local policy gets overridden. But this is valid only for GPOs that are applied to computer accounts. The statement "every GPO setting overrides local policy settings" is wrong.

Assuming that Sharath does not have a policy defined for computer accounts (that is what I assume), or has a GPO assigned to computer accounts but with "Allow logon locally" and "Allow logon through TS" not defined or "No Override" checked, my above solution works.

Regards
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19602896
First: There is the Default Domain Policy which is always in place.
Second: The question is about locking domain admins out of your system. I will repeat that this is not possible. For every procedure you come up with to lock me out (as domain admin), I will respond with a workaround procedure.

No offence, but there is an excellent saying: "Assumption is the mother of all f*ck ups."
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19603042
Hi Toni

"For every procedure you come up with to lock me out (as domain admin), I will respond with a workaround procedure." That sentence clears things up :). Sharath is already a domain admin (I know from his previous questions).

I wrote it the way above: if this is necessary for a computer, he has the rights to apply it (for example to the manager's computer).

It would be really funny if I was defending the idea of "a random user can deny the logon of a domain admin".
LVL 4

Expert Comment

by:amajidkh
ID: 19604780
Try the free software by 2X; it works a treat on a terminal server and will do the same on a workstation:

http://www.2x.com/securerdp/download.htm However, this will only work for MSTSC. By console do you mean locally, actually at the terminal?
LVL 11

Author Comment

by:bsharath
ID: 19606160
MrHusy
I tried your first step and checked: as a domain admin I am not able to log in to my machine through mstsc or from the console.
I don't have any GPO set for my computers.
One more Q. If I need to block anyone from logging in to my machine, either through Mstsc or the console, so that only my account is able to log in, how do I do this?
And as a domain admin, if I need to override such a case for users who have applied this restriction, how can I reset them remotely?
LVL 11

Author Comment

by:bsharath
ID: 19614395
Any comments...
LVL 29

Accepted Solution

by:Alan Huseyin Kayahan (earned 2000 total points)
ID: 19615454
Hi Sharath

"If I need to block anyone from logging in to my machine either through Mstsc or console, so that only my account is able to log in, how do I do this?"

To achieve this:
* Start > Run > gpedit.msc
* In the left pane expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
* In the right pane double-click "Allow logon through Terminal Services", remove all entries there and add only your username. Do the same for "Log on locally".

Regards
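As an added example (not from the thread; it assumes Windows with secedit.exe and gpresult.exe and an elevated PowerShell session), this script exports the local logon rights that the gpedit.msc steps above edit, resolves the SIDs so you can confirm exactly who holds each allow and deny right, and then lists the applied domain GPOs, since a domain GPO that defines the same right overrides the local setting, as Toni points out.

```powershell
# Added example, not from the thread: audit the local "Allow/Deny log on" rights
# and list the domain GPOs that could override them.
# Assumes Windows with secedit.exe/gpresult.exe and an elevated PowerShell session.

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet

# Privilege names as written by secedit, mapped to the gpedit.msc policy names.
# Rights that currently have no holders are simply absent from the export.
$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as *S-1-5-32-544; translate them to account names
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # unresolvable (e.g. deleted account): keep the raw SID
    }
    return $entry
}

# The exported .inf is UTF-16; each right is "SeXxxRight = principal1,principal2"
Get-Content -Path $inf -Encoding Unicode | ForEach-Object {
    if ($_ -match '^(Se\w+LogonRight)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $name  = $Matches[1]
        $value = $Matches[2]
        $holders = $value -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
        '{0,-40} : {1}' -f $rights[$name], ($holders -join ', ')
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Precedence check: a domain GPO listed here that sets any of these rights wins
# over the local policy shown above.
gpresult.exe /scope computer /r
```

Before removing the Administrators group from an allow right, as the accepted answer does, keep a second administrative account that still holds it; otherwise nobody can log on locally to recover the machine if the remaining account is locked or deleted.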