Solved

Restrict Terminal Services to Active Directory accounts

Posted on 2008-10-14
5
567 Views
Last Modified: 2013-12-04
We have a rather unique environment for our industrial computing systems in which there must be a common local administrator account on all of our computers.  When people use terminal services we would like to log their access, this is not possible if people log in as this local administrator.  How can I restrict access to only allow active directory accounts that are in the administrator group?  In other words, an account may be created locally in the administrators group, but it will not be allowed to use terminal services, and a domain account in the administrators group will be able to.  Thanks!
0
Comment
Question by:donfornio
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:jkarnes12
ID: 22716618
You can create a Group Policy, and only Allow the AD user group you choose.  This can be set at:

Computer Configuration -> Windows Settings -> Security Settings -> Local policies -> User rights assignment ->  "Allow Log on through Terminal Services"
0
 
LVL 8

Expert Comment

by:DenverRick
ID: 22716620
You can only do this if you plan to not be able to log in to the server as this account except on the live machine.

In the RDP-Tcp of Connections in Terminal Services Configuration, Deny that Account.
0
 

Author Comment

by:donfornio
ID: 22720472
Thanks for the help guys.  I could do this, but ideally I'm looking for a more robust solution, that is, that terminal services blocks any local account and allows all domain accounts included in the administrators group.
0
 
LVL 11

Accepted Solution

by:
jkarnes12 earned 500 total points
ID: 22721902
There are 2 settings in the GPO I referenced above.  You can define the "Administrators" group in the "Allow Log on through Terminal Services", then define the "Administrator" account in the "Deny Log on through Terminal Services" setting.  This will Deny ALL local accounts named Administrator from logging on, while allowing ALL other members of the Administrators local group to log on.
0
 

Author Comment

by:donfornio
ID: 22722059
jkarnes12, I'm afraid I'm not following.  Let's say there is an an administrator account named "administrator" but there are also accounts named "bob" or "lucy" that are also local administrators on the PC.  Actually, our environment is large and diverse enough that we can't really tell who is in the local administrators group.  Operators and onsite engineers may need those accounts for certain tasks, and that is fine to do when physically on the machine, but not fine to do over terminal services. So really what I'm looking for is a 'catch all', or GPO, that will take all local accounts, regardless of name, and deny them access to terminal services, but allow domain accounts in the administrators group on the local machone.  Sorry for being long winded, but it's a bit tough to describe this unique environment.  Thanks again gents and ladies.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now