Solved

Restrict Terminal Services to Active Directory accounts

Posted on 2008-10-14
5
568 Views
Last Modified: 2013-12-04
We have a rather unique environment for our industrial computing systems in which there must be a common local administrator account on all of our computers.  When people use terminal services we would like to log their access, this is not possible if people log in as this local administrator.  How can I restrict access to only allow active directory accounts that are in the administrator group?  In other words, an account may be created locally in the administrators group, but it will not be allowed to use terminal services, and a domain account in the administrators group will be able to.  Thanks!
0
Comment
Question by:donfornio
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:jkarnes12
ID: 22716618
You can create a Group Policy, and only Allow the AD user group you choose.  This can be set at:

Computer Configuration -> Windows Settings -> Security Settings -> Local policies -> User rights assignment ->  "Allow Log on through Terminal Services"
0
 
LVL 8

Expert Comment

by:DenverRick
ID: 22716620
You can only do this if you plan to not be able to log in to the server as this account except on the live machine.

In the RDP-Tcp of Connections in Terminal Services Configuration, Deny that Account.
0
 

Author Comment

by:donfornio
ID: 22720472
Thanks for the help guys.  I could do this, but ideally I'm looking for a more robust solution, that is, that terminal services blocks any local account and allows all domain accounts included in the administrators group.
0
 
LVL 11

Accepted Solution

by:
jkarnes12 earned 500 total points
ID: 22721902
There are 2 settings in the GPO I referenced above.  You can define the "Administrators" group in the "Allow Log on through Terminal Services", then define the "Administrator" account in the "Deny Log on through Terminal Services" setting.  This will Deny ALL local accounts named Administrator from logging on, while allowing ALL other members of the Administrators local group to log on.
0
 

Author Comment

by:donfornio
ID: 22722059
jkarnes12, I'm afraid I'm not following.  Let's say there is an an administrator account named "administrator" but there are also accounts named "bob" or "lucy" that are also local administrators on the PC.  Actually, our environment is large and diverse enough that we can't really tell who is in the local administrators group.  Operators and onsite engineers may need those accounts for certain tasks, and that is fine to do when physically on the machine, but not fine to do over terminal services. So really what I'm looking for is a 'catch all', or GPO, that will take all local accounts, regardless of name, and deny them access to terminal services, but allow domain accounts in the administrators group on the local machone.  Sorry for being long winded, but it's a bit tough to describe this unique environment.  Thanks again gents and ladies.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now