?
Solved

Restrict Terminal Services to Active Directory accounts

Posted on 2008-10-14
5
Medium Priority
?
580 Views
Last Modified: 2013-12-04
We have a rather unique environment for our industrial computing systems in which there must be a common local administrator account on all of our computers.  When people use terminal services we would like to log their access, this is not possible if people log in as this local administrator.  How can I restrict access to only allow active directory accounts that are in the administrator group?  In other words, an account may be created locally in the administrators group, but it will not be allowed to use terminal services, and a domain account in the administrators group will be able to.  Thanks!
0
Comment
Question by:donfornio
  • 2
  • 2
5 Comments
 
LVL 11

Expert Comment

by:jkarnes12
ID: 22716618
You can create a Group Policy, and only Allow the AD user group you choose.  This can be set at:

Computer Configuration -> Windows Settings -> Security Settings -> Local policies -> User rights assignment ->  "Allow Log on through Terminal Services"
0
 
LVL 8

Expert Comment

by:DenverRick
ID: 22716620
You can only do this if you plan to not be able to log in to the server as this account except on the live machine.

In the RDP-Tcp of Connections in Terminal Services Configuration, Deny that Account.
0
 

Author Comment

by:donfornio
ID: 22720472
Thanks for the help guys.  I could do this, but ideally I'm looking for a more robust solution, that is, that terminal services blocks any local account and allows all domain accounts included in the administrators group.
0
 
LVL 11

Accepted Solution

by:
jkarnes12 earned 1500 total points
ID: 22721902
There are 2 settings in the GPO I referenced above.  You can define the "Administrators" group in the "Allow Log on through Terminal Services", then define the "Administrator" account in the "Deny Log on through Terminal Services" setting.  This will Deny ALL local accounts named Administrator from logging on, while allowing ALL other members of the Administrators local group to log on.
0
 

Author Comment

by:donfornio
ID: 22722059
jkarnes12, I'm afraid I'm not following.  Let's say there is an an administrator account named "administrator" but there are also accounts named "bob" or "lucy" that are also local administrators on the PC.  Actually, our environment is large and diverse enough that we can't really tell who is in the local administrators group.  Operators and onsite engineers may need those accounts for certain tasks, and that is fine to do when physically on the machine, but not fine to do over terminal services. So really what I'm looking for is a 'catch all', or GPO, that will take all local accounts, regardless of name, and deny them access to terminal services, but allow domain accounts in the administrators group on the local machone.  Sorry for being long winded, but it's a bit tough to describe this unique environment.  Thanks again gents and ladies.
0

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question