Solved

Restrict Terminal Services to Active Directory accounts

Posted on 2008-10-14
Last Modified: 2013-12-04
We have a rather unique environment for our industrial computing systems in which there must be a common local administrator account on all of our computers.  When people use terminal services we would like to log their access; this is not possible if people log in as this local administrator.  How can I restrict access to only allow active directory accounts that are in the administrator group?  In other words, an account may be created locally in the administrators group, but it will not be allowed to use terminal services, and a domain account in the administrators group will be able to.  Thanks!
0
Question by:donfornio
5 Comments
 
LVL 11

Expert Comment

by:jkarnes12
ID: 22716618
You can create a Group Policy, and only Allow the AD user group you choose.  This can be set at:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Allow log on through Terminal Services"
0
 
LVL 8

Expert Comment

by:DenverRick
ID: 22716620
You can only do this if you plan to not be able to log in to the server as this account except on the live machine.

In the RDP-Tcp of Connections in Terminal Services Configuration, Deny that Account.
0
 

Author Comment

by:donfornio
ID: 22720472
Thanks for the help guys.  I could do this, but ideally I'm looking for a more robust solution, that is, that terminal services blocks any local account and allows all domain accounts included in the administrators group.
0
 
LVL 11

Accepted Solution

by: jkarnes12 earned 1500 total points
ID: 22721902
There are 2 settings in the GPO I referenced above.  You can define the "Administrators" group in the "Allow Log on through Terminal Services", then define the "Administrator" account in the "Deny Log on through Terminal Services" setting.  This will Deny ALL local accounts named Administrator from logging on, while allowing ALL other members of the Administrators local group to log on.
0
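A way to verify that the two user rights from the accepted solution actually landed on a machine, as an added audit script that is not from this thread. It exports the effective local security settings with secedit.exe, parses the standard [Privilege Rights] section, and warns when the built-in Administrators group (S-1-5-32-544) is missing from the allow right or the built-in local Administrator account (RID 500, even if renamed) is missing from the deny right; the helper function names are my own, and it assumes an elevated prompt on the target computer.

```powershell
# Added audit script, not from the thread. Checks the two user rights the accepted answer configures:
#   SeRemoteInteractiveLogonRight      = "Allow log on through Terminal Services"
#   SeDenyRemoteInteractiveLogonRight  = "Deny log on through Terminal Services"
# Assumes an elevated session on the machine being checked; helper names are hypothetical.

function Get-PrivilegeRights {
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null          # dump effective local security settings
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            # Values are comma-separated; SIDs carry a leading '*', plain names do not.
            $name  = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-Principal([string]$sidOrName) {
    # Turn a SID into DOMAIN\Name for display; fall back to the raw value if it is already a name or cannot be resolved.
    try { (New-Object System.Security.Principal.SecurityIdentifier $sidOrName).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sidOrName }
}

$rights = Get-PrivilegeRights
$allow  = @($rights['SeRemoteInteractiveLogonRight'])
$deny   = @($rights['SeDenyRemoteInteractiveLogonRight'])

"Allow log on through Terminal Services:"; $allow | ForEach-Object { "  " + (Resolve-Principal $_) }
"Deny log on through Terminal Services:";  $deny  | ForEach-Object { "  " + (Resolve-Principal $_) }

# The built-in local Administrator keeps RID 500 regardless of its display name.
$localAdmin = (Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
               Where-Object { $_.SID -like '*-500' }).SID

if ($allow -notcontains 'S-1-5-32-544') { Write-Warning "Administrators group (S-1-5-32-544) is not in the allow list" }
if ($deny  -notcontains $localAdmin)    { Write-Warning "Built-in local Administrator ($localAdmin) is not in the deny list" }
```

Note that the deny right wins whenever an account appears in both lists, and that it only covers the accounts you name in it, which is why other local administrators such as "bob" or "lucy" from the next comment are still allowed through unless listed.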
 

Author Comment

by:donfornio
ID: 22722059
jkarnes12, I'm afraid I'm not following.  Let's say there is an administrator account named "administrator" but there are also accounts named "bob" or "lucy" that are also local administrators on the PC.  Actually, our environment is large and diverse enough that we can't really tell who is in the local administrators group.  Operators and onsite engineers may need those accounts for certain tasks, and that is fine to do when physically on the machine, but not fine to do over terminal services. So really what I'm looking for is a 'catch all', or GPO, that will take all local accounts, regardless of name, and deny them access to terminal services, but allow domain accounts in the administrators group on the local machine.  Sorry for being long winded, but it's a bit tough to describe this unique environment.  Thanks again gents and ladies.
0
