Hi guys, hope you are all well and can help.
Guys, we are in a predicament and would love your kind help.
We have a 2003 AD domain, with users being local administrators of their systems through having the NT/INTERACTIVE group a member of the local administrators group. I know this is not best practice, but that is what we currently have, and it is what I have to work with.
Some business requirements are the following:
1. Users are to be administrators of their machines (currently, this is achieved through them being local admins via the NT/INTERACTIVE group being a member of local admins)
2. Users are not to be able to remote desktop to other systems on the network, unless they are members of domain admins.
Currently, ALL users can remote desktop to ALL machines globally due to their being local administrators of their systems, and the fact that they receive this through the NT/INTERACTIVE group.
So my challenge is the following.
Keep all users as local administrators, BUT STOP them being able to Remote desktop.
Is there a way to do this by removing the NT/INTERACTIVE group?
As there are 1000s of users, I think the reason they did it this way was for ease of adding all users to local admins.
The following is basically what I need to work out in a nutshell:
If I remove the INTERACTIVE group from local admins, what other domain group, of which ALL users are a member, can I add to the local admins group, so that they:
1. Retain local admin access
2. Can now NOT remote desktop to other people's systems?
Any help greatly appreciated.