Hi guys, I hope you are all well.
Guys, I'm in a dilemma.
I have been given the following scenario to try and find a solution for.
We have a 2003 AD domain. All users are running XP. All standard/normal users are local administrators. All standard/normal users MUST remain local administrators, but NOT have the ability to Remote Desktop, other than selected users and domain admins. I know this is not best practice, but this is what the business wants. As they get local admin access through the NT/INTERACTIVE group being added to the local admin group, I have to find an alternative way to grant them local admin rights while at the same time preventing them from RDPing to ALL machines in our environment, since this is one of the downsides of using NT/INTERACTIVE to achieve local admin access for ALL users.
Retain local administrator access to ALL standard/normal users.
Stop Remote Desktop access by standard/normal users.
Allow Remote Desktop access to selected users and domain admins.
Remove the NT/INTERACTIVE from local administrators group, which is the current way standard/normal users are getting local administrator access, and find an alternative method to allow standard/normal users to have local admin access WITHOUT using the NT/INTERACTIVE group added to local admins.
In a nutshell, the following:
Give normal users local admin access, but NOT by using the NT/INTERACTIVE method.
Only allow selected users and domain admins the right to RDP.
Any help greatly appreciated.