zephyr_hex (Megan)
asked on
How to prevent certain domain accounts from RDP to terminal server
win 2k DC
win 2003 server running terminal services
For certain domain users, I want to prevent RDP to the server running terminal services, but not prevent RDP to their desktop computers.
Under Computer Management, there is a group called Remote Desktop Users. It originally had domain\users as a member, and all domain users belong to that AD group.
I created a new domain group called RDP Users, and added users that should have permission to RDP to the server. I then removed the domain\users group from the Remote Desktop Users (local group on the server) and added the new RDP Users group.
I tested by using a domain account that is not a member of RDP Users... and I can still connect to the server. If I edit that domain profile and select the option to not allow the account to use terminal services, I am unable to RDP to a desktop PC in the domain. How do I configure things so that particular domain accounts are not allowed to RDP to the server, but can still RDP to their desktop PC?
ASKER CERTIFIED SOLUTION
If you want to allow all but a few users, you can open the account in AD for the ones you want to deny, go to the Terminal Services Profile tab and check the box Deny this user permissions to log on to any Terminal Server.
ASKER
CrashDummy: these users need to be able to RDP to their desktops using their domain accounts. Selecting that checkbox disables ALL RDP for the account. I need it to allow RDP except for the server.
ryansoto: the only people who should be allowed to remote to the server using the admin function instead of terminal services are domain admins. I need to allow regular users to continue to use terminal services, while denying terminal services to this server on select accounts. I have about 20 users at remote locations who need to RDP to this server. At the same time, I have about 30 users in my building who should never be able to RDP to the server... but I can't totally restrict their accounts because they do need to RDP to their desktops.
cmarandi: I will try your suggestions and post results.
Basically, I just need to have some way to keep certain domain accounts from using terminal services on the server, but not completely disable all RDP for their accounts.
<because they do need to rdp to their desktops>
What does this mean....??
If you update Remote Settings as I said, that is only who is allowed access directly to the terminal server.
You would then allow access to 'terminal services' by using GPOs or something like that.
ASKER
ryansoto-
These are domain accounts.. and thus, some users sign into their desktop computers with the domain credentials. These users may need to access their desktop computers from home, and thus should have access to their desktop computers using RDP. However, they should not be able to RDP to the server.
But there are other users at branch facilities, who do not log into their desktop computers using domain credentials because their computers are not joined to the domain... but they do need to access the server using terminal services (not the admin/console account).
So basically, I need to exclude certain domain accounts from accessing the server using RDP/terminal services, but not block RDP for those accounts altogether. I thought this could be accomplished by changing the local group for Remote Desktop Users... but it is still allowing people who do not belong to that group to RDP into the server.
I do not want to add people to the remote settings... because I have a bunch of employees at branches who should be able to access AT THE SAME TIME, which requires terminal services.
And I can't make this setting in domain GPO, because as I've said... that policy would apply to the account under all conditions... and I don't want to block these people from RDP to their desktop computers.
This solution should involve blocking RDP based on COMPUTER... not an AD policy... because AD policy applies to the account no matter what computer you're logging into.
ASKER
cmarandi's solution works.
Then run gpedit.msc,
Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment
Allow log on through Terminal Services --> and confirm the AD groups you want to have access.
This policy is LOCAL to the server, which means it blocks RDP access for certain users only on the server and not on other desktop computers on the domain.
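The setting the accepted answer points at is the local user right SeRemoteInteractiveLogonRight ("Allow log on through Terminal Services"); the Remote Desktop Users group only controls RDP because that right is granted to it by default, which is why the right, not the group membership, is the thing to lock down on this one server. The script below is an added example, not something posted in this thread: it writes the same user-right assignment to the terminal server's local policy with secedit, so the change stays on this machine and never touches the domain users' own desktops. It assumes an elevated PowerShell session on the server and a domain named CONTOSO with the "RDP Users" group from the question; substitute your own names.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell on the
# terminal server; domain CONTOSO; the group "RDP Users" from the question.
# Effect: only Administrators and CONTOSO\RDP Users hold the local right
# "Allow log on through Terminal Services" on THIS server. Desktops on the
# domain are unaffected because this is local policy, not a domain GPO.
$grantTo = @('Administrators', 'CONTOSO\RDP Users')   # assumption: your group here
$inf = Join-Path $env:TEMP 'rdp-logon-right.inf'
$db  = Join-Path $env:TEMP 'rdp-logon-right.sdb'

# Resolve each principal to its SID so the template is unambiguous
$sids = foreach ($name in $grantTo) {
    (New-Object System.Security.Principal.NTAccount($name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
# secedit expects SIDs prefixed with '*', comma separated
$sidList = ($sids | ForEach-Object { "*$_" }) -join ','

# Minimal security template containing only the one user right
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = $sidList
"@ | Set-Content -Path $inf -Encoding Unicode

# Apply just the USER_RIGHTS area of the template to local policy
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS

# Verify: export the effective local user rights and show the line we set
$export = Join-Path $env:TEMP 'rdp-logon-right-export.inf'
secedit /export /cfg $export /areas USER_RIGHTS
Select-String -Path $export -Pattern 'SeRemoteInteractiveLogonRight'
```

After applying, the verification line should list only the SIDs you granted. Keep Administrators in the list, otherwise the domain admins lose RDP to the server along with everyone else. The thread's earlier experiment (removing Domain Users from the local Remote Desktop Users group) did not block anyone because the user right, not the group, is what the logon check consults; if the right is still assigned to a broad group by some other policy, the group change alone has no effect.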
Click Select Remote Users. Add the people here who can access the server via RDP. This is what allows you to remote in for the administration function; it is not the terminal service function.
Just remove anyone from here that doesn't need to get into the server this way.