Restrict Terminal Services to Active Directory accounts

Posted on 2008-10-14
Last Modified: 2013-12-04
We have a rather unique environment for our industrial computing systems in which there must be a common local administrator account on all of our computers.  When people use terminal services we would like to log their access, this is not possible if people log in as this local administrator.  How can I restrict access to only allow active directory accounts that are in the administrator group?  In other words, an account may be created locally in the administrators group, but it will not be allowed to use terminal services, and a domain account in the administrators group will be able to.  Thanks!
Question by: donfornio
5 Comments
 
Expert Comment by: jkarnes12
ID: 22716618
You can create a Group Policy, and only Allow the AD user group you choose.  This can be set at:

Computer Configuration -> Windows Settings -> Security Settings -> Local policies -> User rights assignment ->  "Allow Log on through Terminal Services"

Expert Comment by: DenverRick
ID: 22716620
You can only do this if you plan to not be able to log in to the server as this account except on the live machine.

In the RDP-Tcp of Connections in Terminal Services Configuration, Deny that Account.

Author Comment by: donfornio
ID: 22720472
Thanks for the help guys.  I could do this, but ideally I'm looking for a more robust solution, that is, that terminal services blocks any local account and allows all domain accounts included in the administrators group.

Accepted Solution by: jkarnes12 (earned 1500 total points)
ID: 22721902
There are 2 settings in the GPO I referenced above.  You can define the "Administrators" group in the "Allow Log on through Terminal Services", then define the "Administrator" account in the "Deny Log on through Terminal Services" setting.  This will Deny ALL local accounts named Administrator from logging on, while allowing ALL other members of the Administrators local group to log on.

Author Comment by: donfornio
ID: 22722059
jkarnes12, I'm afraid I'm not following.  Let's say there is an administrator account named "administrator" but there are also accounts named "bob" or "lucy" that are also local administrators on the PC.  Actually, our environment is large and diverse enough that we can't really tell who is in the local administrators group.  Operators and onsite engineers may need those accounts for certain tasks, and that is fine to do when physically on the machine, but not fine to do over terminal services. So really what I'm looking for is a 'catch all', or GPO, that will take all local accounts, regardless of name, and deny them access to terminal services, but allow domain accounts in the administrators group on the local machine.  Sorry for being long-winded, but it's a bit tough to describe this unique environment.  Thanks again gents and ladies.
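An added example, not part of the thread: a PowerShell script that first lists which members of the local Administrators group are local principals and which are domain principals (the asker says this is hard to tell), then writes a local security template carrying the same two user rights the accepted solution sets through GPO. It assumes Windows PowerShell on a domain-joined machine; the "NT AUTHORITY\Local account" well-known group (S-1-5-113), which is the catch-all for every local account the follow-up asks for, exists only on Windows 8.1/Server 2012 R2 and later, or on Windows 7/Server 2008 R2 with KB2871997, so it is behind a switch.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell on a domain-joined
# machine; the ADSI WinNT provider and secedit.exe ship with Windows.

# Lists local Administrators members and tags each as Local or Domain, using the
# authority part of the ADsPath (WinNT://AUTHORITY/name). A local account's
# authority is the computer name; a domain account's is the domain NetBIOS name.
function Get-LocalAdminMembers {
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Name   = $parts[-1]
            Source = if ($parts[0] -eq $env:COMPUTERNAME) { 'Local' } else { 'Domain' }
        }
    }
}

# Writes a secedit template with the two user rights the accepted answer sets
# through GPO: SeRemoteInteractiveLogonRight is "Allow log on through Terminal
# Services" and SeDenyRemoteInteractiveLogonRight is "Deny log on through Terminal
# Services". Allow = BUILTIN\Administrators (S-1-5-32-544). Deny = the built-in
# Administrator account plus, where the OS knows it (Windows 8.1/Server 2012 R2,
# or Windows 7/Server 2008 R2 with KB2871997), the well-known group
# "NT AUTHORITY\Local account" (S-1-5-113), which covers every local account.
function New-TsLogonTemplate {
    param([string]$Path = "$env:TEMP\ts-logon.inf", [switch]$IncludeLocalAccountSid)
    $deny = 'Administrator'
    if ($IncludeLocalAccountSid) { $deny += ',*S-1-5-113' }
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = $deny
"@ | Set-Content -Path $Path -Encoding Unicode
    return $Path
}

Get-LocalAdminMembers | Format-Table -AutoSize
$inf = New-TsLogonTemplate -IncludeLocalAccountSid
# Review the template, then apply it locally (elevated) with:
#   secedit /configure /db "$env:TEMP\ts-logon.sdb" /cfg "$inf" /areas USER_RIGHTS
```

Deny rights win over allow rights, so a domain account that is a member of the local Administrators group keeps remote logon while any local account (including a renamed built-in Administrator) is refused once S-1-5-113 is in the deny list.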