Local admin access, NT/INTERACTIVE and RDP

Hi guys, I hope you are all well.

Guys, I'm in a dilemma.

I have been given the following scenario to try and find a solution for.

We have a 2003 AD domain. All users are running XP. All standard/normal users are local administrators. All standard/normal users MUST remain local administrators, but NOT have the ability to Remote desktop, other than selected users and domain admins. I know this is not best practice, but this is what the business wants. As they get local admin access through the NT/INTERACTIVE group being added to the local admin group, I have to find an alternative way to grant them local admin rights while at the same time, disallow them to RDP to ALL machines in our environment, since this is one of the downsides of using NT/INTERACTIVE to achieve local admin access for ALL users.

Challenge is:
Retain local administrator access to ALL standard/normal users.
Stop Remote Desktop access by standard/normal users.
Allow Remote Desktop access to selected users and domain admins.
Remove the NT/INTERACTIVE from local administrators group, which is the current way standard/normal users are getting local administrator access, and find an alternative method to allow standard/normal users to have local admin access WITHOUT using the NT/INTERACTIVE group added to local admins.

In a nutshell, the following:
Give normal users local admin access, but NOT by using the NT/INTERACTIVE method.
Only allow selected users and domain admins right to RDP.

Any help greatly appreciated.
Simon336697Asked:

Twisted_LogicCommented:
If you are giving them local pc admin access, then it is best to add the group Domain Users to the administrators group within control panel, administrative tools, computer management.  As for RDP - this one is fairly easy.  Within the selected users or groups, you can specify just administrator, or best practice to add specified users (such as administrator itself) to the remote desktop users group in AD.  Then specify only that group for RDP access.  If it is a terminal server, then you can specify this within the TCP\RDP settings within terminal services configuration and give that group full rights, and strip administrators group rights.

Simon336697Author Commented:
Hi Twisted Logic, thanks so much for your kind help.

If I add the Domain Users to the admins group, wouldn't that mean that all domain users would be able to connect through UNC path to ALL machines in our network?
Twisted_LogicCommented:
I would not add them in active directory, instead in the PC's themselves.  If you need them to have local admin access on the server then I would still only add them the same way.  Control Panel -> administrative tools -> Computer Management.  Inside of the groups tab there is an administrators tab.  Double click that and add Domain users group.  This only gives local admin access.

KenMcFCommented:
Simon336697

How many workstations do you have?

Do you want all users to have local admin rights or just a select few to each workstation.
for example
workstation1 - user1-user2 both have local admin rights
or
workstation1 - all users have local admin rights.
Simon336697Author Commented:
Hi Twisted, thanks again mate you are a champion.

When you say you would not add them in AD, we have a large environment of 7000+ users.
I need a way to push this out without going manual on each machine.

Do you think the following might be an option?


Remove all from Remote desktop users group, and just add the:

1.Local administrator account.
2.Domain Admins group.

This removes the administrators group from Remote desktop, and this would effectively mean that the INTERACTIVE group would not get remote access via RDP, since the administrators group has been removed from RDP.
By doing this, we can leave the INTERACTIVE group, which gives them admin access.
And by removing the administrators group from Remote Desktop users, only the local admin and members of the domain admin group can RDP.
Simon336697Author Commented:
Hi KenMcF,
Thanks so much for your help as well.

The problem I have Ken is that in our environment, the business DEMANDS that all users (all 7000+) of them, have local admin access. Currently, and this is historical, they have been given this through the INTERACTIVE group. The downside of this method, is that this also gives you RDP access to EVERY machine in our domain.
So, what I need to do is to STOP them being able to RDP, while allowing only selected members to RDP, e.g. domain admins, others, etc., but also retain their level of access locally, e.g. local admin rights.
Simon336697Author Commented:
Hi Ken,

How many workstations do you have?
We have over 7000 workstations.

Do you want all users to have local admin rights or just a select few to each workstation.
for example
workstation1 - user1-user2 both have local admin rights
or
workstation1 - all users have local admin rights.
We want all users to have local admin rights. They currently do through the INTERACTIVE group being a member of the local admins. But this also gives them RDP access to the ENTIRE domain, which we don't want.
Twisted_LogicCommented:
use Computer Config > Windows Settings > Security Settings > Restricted groups to add a group called "Local Admin All Workstations" which is applied to the "workstations" OU

or

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

should give you a guide to use GP to allow local admins on PC's - that's your best bet

KenMcFCommented:
If the users are local admins they will be able to change any setting and override what you have set.  One thing you can do is create a GPO and apply it to all workstations. Create a security group and add all users to that group, then deny that group RDP access in the GPO. The users will still be able to change the local security policy but on next GPO refresh it will revert back to what you have in the GPO.
Simon336697Author Commented:
Hi Ken and Twisted,

Thanks to BOTH of you much appreciated.

Can I run the following by both of you to see if this would work?

================
OPTION 1:
================
Create a GPO that will apply to ALL workstations.
In this GPO, add a group under:
Computer Config > Windows Settings > Security Settings > Restricted groups
Select "RDP Support" (This is a group I will create, and will contain Domain Admins, and other domain users that have been allowed to Remote Desktop).
On "This group has the following members...." add "Remote Desktop Users".
As this is destructive, all other users, including the local administrator, the local administrators group, and INTERACTIVE, will be removed from the Remote Desktop Users group.

================
OPTION 2:
================
http://technet.microsoft.com/en-us/library/cc758613(WS.10).aspx
https://kb.berkeley.edu/jivekb/entry.jspa?externalID=1085

Create a global group called "RDP Admins" and add users who need this access, e.g. Domain Admins, etc.
Add RDP Admins to the local Remote Desktop Users group.
Create a GPO and go to the setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
Go to the "Allow logon through Terminal Services" setting, and
Remove the Administrators group and leave the Remote Desktop Users group.
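An added PowerShell audit script (example code, not from anyone in this thread) that checks a single workstation against the end state described in Option 1, Option 2 and KenMcF's deny-group suggestion: it lists the local Administrators and Remote Desktop Users membership plus the allow and deny "log on through Terminal Services" rights, and warns when INTERACTIVE is still a local admin, when Administrators still holds the allow right (so every local admin can RDP in regardless of the Remote Desktop Users membership), or when Remote Desktop Users contains anyone outside the approved groups. It assumes PowerShell 2.0 or later run from an elevated prompt on the workstation itself; the group names "RDP Admins" and "Domain Admins" in $ExpectedRdp are taken from the thread and are assumptions about your own naming.

```powershell
# Added audit example, not code from the original thread. Assumes PowerShell 2.0 or
# later in an elevated prompt on the workstation being checked. The names in
# $ExpectedRdp ("RDP Admins", "Domain Admins") come from the thread and are assumptions.
param(
    [string[]]$ExpectedRdp = @('Domain Admins', 'RDP Admins')
)

# Enumerate members of a local group via the WinNT ADSI provider (available on XP).
function Get-LocalGroupMembership {
    param([string]$Group)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://DOMAIN/Name" -> "DOMAIN\Name"; well-known identities come back
        # as "WinNT://NT AUTHORITY/INTERACTIVE" and so become "NT AUTHORITY\INTERACTIVE".
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Read one user-rights assignment from the effective local policy via secedit.
function Get-LogonRightHolders {
    param([string]$Right)
    $cfg = Join-Path $env:TEMP 'rights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma-separated list of "*SID" entries and/or account names.
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $v = $entry.Trim()
        if ($v -like '*S-1-*') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }
        } else { $v }
    }
}

$admins   = @(Get-LocalGroupMembership 'Administrators')
$rdpGroup = @(Get-LocalGroupMembership 'Remote Desktop Users')
$allowRdp = @(Get-LogonRightHolders 'SeRemoteInteractiveLogonRight')
$denyRdp  = @(Get-LogonRightHolders 'SeDenyRemoteInteractiveLogonRight')

"Administrators:          $($admins -join ', ')"
"Remote Desktop Users:    $($rdpGroup -join ', ')"
"Allow logon through TS:  $($allowRdp -join ', ')"
"Deny logon through TS:   $($denyRdp -join ', ')"

# Finding 1: the thread's starting point, INTERACTIVE in the local Administrators group.
if ($admins -match '\\INTERACTIVE$') {
    Write-Warning 'INTERACTIVE is in Administrators: every logged-on user is a local admin.'
}
# Finding 2: while Administrators holds the allow right, every local admin (and so every
# INTERACTIVE member) can RDP in whatever Remote Desktop Users contains. Option 2 removes it.
if ($allowRdp -match '\\Administrators$') {
    Write-Warning "'Allow log on through Terminal Services' still includes Administrators."
}
# Finding 3: anyone in Remote Desktop Users outside the approved groups (Option 1 / Option 2).
$unexpected = $rdpGroup | Where-Object { $ExpectedRdp -notcontains ($_ -split '\\')[-1] }
if ($unexpected) {
    Write-Warning "Remote Desktop Users contains unapproved members: $($unexpected -join ', ')"
}
```

Run it on a test workstation before the GPO is linked and again after the next policy refresh; the three warnings should disappear once the Restricted Groups or User Rights Assignment setting has applied, and re-running it periodically shows whether a local admin has changed the local policy back between refreshes, which is the drift KenMcF describes.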

Twisted_LogicCommented:
Either will work.. I suggested both..lol..  I really do believe that with a network that large you should stray from allowing local users as domain admins - local admins on PC's should work well within your architecture.  I would say Option 1 is your best bet
Simon336697Author Commented:
Thanks so much Twisted.
Simon336697Author Commented:
Thanks guys much appreciated.