Stopping Remote Desktop but retaining local admin privileges

Simon336697
Hi guys, hope you are all well and can help.

Guys, we are in a predicament and would love your kind help.

We have a 2003 AD domain, with users being local administrators of their systems through having the NT/INTERACTIVE group a member of the local administrators group. I know this is not best practice, but that is what we currently have, and it is what I have to work with.

Some business requirements are the following:

1.Users are to be administrators of their machines (currently, this is achieved through them being local admins via the NT/INTERACTIVE group being a member of local admins)

2.Users are not to be able to remote desktop to other systems on the network, unless they are members of domain admins.

Currently, ALL users can remote desktop to ALL machines globally due to their being local administrators of their systems, and the fact that they receive this through the NT/INTERACTIVE group.

So my challenge is the following.

Keep all users as local administrators, BUT STOP them being able to Remote desktop.

Is there a way to do this by removing the NT/INTERACTIVE group?

As there are 1000s of users, I think the reason they did it this way was for ease of adding all users to local admins.


The following is basically what I need to work out in a nutshell:

=======================================================================
If I remove the INTERACTIVE group from local admins, what other domain group, of which ALL users are a member, can I add to the local admins group, so that they:

1.Retain local admin access
2.Can now NOT remote desktop to other people's systems?

=======================================================================

Any help greatly appreciated.

Adrian Cantrill, Solutions Architect

Commented:
This article shows how to secure remote desktop both from the GUI and using a policy (local or GPO). You can set RDP rights to specific users and groups. By default administrators have access, but this can be removed using the methods indicated in the article.

http://www.mobydisk.com/techres/securing_remote_desktop.html

Adrian Cantrill, Solutions Architect

Commented:
You don't need to make modifications to local admin specifically. If we want local admin, we add Domain Users as a group to the local admin group; that covers all users. Based on this you can grant RDP functionality to Domain Admins and specifically ONE user if you want (local user) while not allowing Domain Users.
Commented:
Configure the computer policy for domain computers:

Windows Settings | Security Settings | Local Policies | User Rights Assignments | Allow logon through Terminal Services: Remote Desktop Users

In the same policy (same computer scope), create a restricted group:

Windows Settings | Security Settings | Restricted Groups, create a restricted group called: Remote Desktop Users, and place your Domain Admins in the restricted group.

Make sure that this policy is applied with the highest preference.
Author

Commented:
Hi woolnoir,

Thanks so much for that.

So, before I read, would you suggest us doing something like the following?

I need to get rid of the NT/INTERACTIVE group since this gives users the ability to remote desktop to ALL machines, while simultaneously, finding another method to grant them local admin access.

1.Remove the NT/INTERACTIVE group from local admins, since this gives normal users the ability to remote desktop to ALL machines in our environment.

2.Configure a group policy somehow.
Solutions Architect
Commented:
Ok essentially

By default Administrators and members of 'remote desktop users' local group are allowed access to a machine via RDP. You want to give users admin on their own workstations but restrict that.

So you can leave NT/INTERACTIVE in the local admins group on each machine if you want, or you can change this to something else, Domain Users, or something more specific. This part of the plan is unimportant; whatever you want to be an admin, define it in the same way.

The part you need to worry about is -

A group policy should be applied to all your workstations (or those you want to affect). It's Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignments.

In there there is a setting 'Allow log on through Terminal Services'. By default it's not defined, which is why Admins and Remote Desktop Users can RDP in. Change this to defined and add ONLY those people you want to be able to RDP into machines (we have a specific domain admin group).
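The two answers above (Rant32's: point the right at Remote Desktop Users and lock that group's membership with Restricted Groups; woolnoir's: put only a domain admin group in the right) both end up as a local Administrators membership and a holder list for the SeRemoteInteractiveLogonRight privilege on each workstation. As an added example, not code from the thread or from any of the commenters, the following PowerShell script audits one machine for exactly those two things so you can confirm the GPO actually landed. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated prompt, and a domain called CONTOSO with a 'CONTOSO\Domain Admins' group; those names are assumptions, change them to yours.

```powershell
# Added example, not code from the thread. Audits one workstation for the two
# settings the answers configure by GPO. Assumes Windows PowerShell 5.1 or later
# (Get-LocalGroupMember) and an elevated prompt. The domain name CONTOSO and the
# group 'CONTOSO\Domain Admins' are assumptions; change them to your own.
# 'BUILTIN\Remote Desktop Users' is allowed here because Rant32's variant leaves
# the right with that group and controls its membership via Restricted Groups.

$AllowedRdpHolders = @('CONTOSO\Domain Admins', 'BUILTIN\Remote Desktop Users')

# 1. Local Administrators: is the INTERACTIVE well-known group a member?
#    If so, every interactive logon (console or RDP) becomes an administrator.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
if ($admins.Name -contains 'NT AUTHORITY\INTERACTIVE') {
    Write-Warning 'INTERACTIVE is in Administrators: anyone who logs on at the console or over RDP is admin.'
}

# 2. Remote Desktop Users: with the Restricted Groups policy applied this should
#    contain only the principals you chose (e.g. Domain Admins).
$rdu = Get-LocalGroupMember -Group 'Remote Desktop Users'
"Remote Desktop Users: $(($rdu.Name) -join ', ')"

# 3. Effective 'Allow log on through Terminal Services' right.
#    secedit writes a UTF-16 .inf (Get-Content honours the BOM); the value is a
#    comma-separated list of *SIDs or account names.
$cfg = Join-Path $env:TEMP 'rdp-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ } | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }   # unresolvable SID (e.g. a deleted group): keep the raw SID
        } else { $v }
    })
}
"SeRemoteInteractiveLogonRight: $($holders -join ', ')"

# The hole the question describes: BUILTIN\Administrators still holds the RDP
# right while every user is a local administrator. Flag anything not on the list.
$unexpected = @($holders | Where-Object { $AllowedRdpHolders -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected holders of the RDP logon right: $($unexpected -join ', ')"
} elseif ($holders.Count -eq 0) {
    Write-Warning 'Nobody holds the RDP logon right: no one, including Domain Admins, can RDP in.'
} else {
    'RDP logon right is restricted to the allowed principals.'
}
```

Run it on a workstation after `gpupdate /force`; it only reads, it changes nothing. Two caveats a practitioner would want alongside the answers: first, an empty holder list locks everyone out, including the people you meant to keep, so check the output before rolling the GPO to the whole domain. Second, swapping NT AUTHORITY\INTERACTIVE for Domain Users in local Administrators is not a neutral change. INTERACTIVE only grants admin to sessions that log on at the console or over RDP on that machine, whereas Domain Users in Administrators makes every domain account an administrator of every workstation for network logons too (admin shares, WMI, remote service creation), which is a much larger lateral-movement surface. If the goal is "admin on your own machine only", a per-machine group or a Restricted Groups policy scoped per OU keeps that property; a domain-wide group does not.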

Author

Commented:
woolnoir, you're a champion, thank you.
You have been wonderful.

Author

Commented:
Hi Rant32, thanks to you as well.
When you say:

Make sure that this policy is applied with the highest preference.

I'm not sure exactly what you mean.

Author

Commented:
Thanks so much guys.
