Simon336697 (Australia) asked:
Local admin access, NT/INTERACTIVE and RDP

Hi guys, I hope you are all well.

Guys, I'm in a dilemma.

I have been given the following scenario to try and find a solution for.

We have a 2003 AD domain. All users are running XP. All standard/normal users are local administrators. All standard/normal users MUST remain local administrators, but must NOT have the ability to Remote Desktop, other than selected users and domain admins. I know this is not best practice, but this is what the business wants. As they get local admin access through the NT/INTERACTIVE group being added to the local admin group, I have to find an alternative way to grant them local admin rights while at the same time preventing them from RDPing to ALL machines in our environment, since this is one of the downsides of using NT/INTERACTIVE to achieve local admin access for ALL users.

The challenge is:
1. Retain local administrator access for ALL standard/normal users.
2. Stop Remote Desktop access by standard/normal users.
3. Allow Remote Desktop access to selected users and domain admins.
4. Remove NT/INTERACTIVE from the local administrators group, which is the current way standard/normal users are getting local administrator access, and find an alternative method to give standard/normal users local admin access WITHOUT adding the NT/INTERACTIVE group to local admins.

In a nutshell, the following:
Give normal users local admin access, but NOT by using the NT/INTERACTIVE method.
Only allow selected users and domain admins right to RDP.

Any help greatly appreciated.
ASKER CERTIFIED SOLUTION from Twisted_Logic (United States): solution text only available to Experts Exchange members.
Simon336697 (asker):
Hi Twisted Logic, thanks so much for your kind help.

If I add Domain Users to the admins group, wouldn't that mean that all domain users would be able to connect through a UNC path to ALL machines in our network?

Twisted_Logic:

I would not add them in Active Directory, instead in the PCs themselves. If you need them to have local admin access on the server then I would still only add them the same way. Control Panel -> Administrative Tools -> Computer Management. Inside of the Groups tab there is an Administrators tab. Double-click that and add the Domain Users group. This only gives local admin access.
SOLUTION: solution text only available to Experts Exchange members.
Hi Twisted, thanks again mate you are a champion.

When you say you would not add them in AD, we have a large environment of 7000+ users.
I need a way to push this out without going manual on each machine.

Do you think the following might be an option?

Remove everyone from the Remote Desktop Users group, and just add the:

1. Local administrator account.
2. Domain Admins group.

This removes the Administrators group from Remote Desktop, and this would effectively mean that the INTERACTIVE group would not get remote access via RDP, since the Administrators group has been removed from RDP.
By doing this, we can leave the INTERACTIVE group in place, which gives them admin access.
And by removing the Administrators group from Remote Desktop Users, only the local admin and members of the Domain Admins group can RDP.
Hi KenMcF,
Thanks so much for your help as well.

The problem I have, Ken, is that in our environment the business DEMANDS that all users (all 7000+ of them) have local admin access. Currently, and this is historical, they have been given this through the INTERACTIVE group. The downside of this method is that it also gives you RDP access to EVERY machine in our domain.
So, what I need to do is STOP them being able to RDP, while allowing only selected members to RDP, e.g. domain admins, others etc., but also retain their level of access locally, e.g. local admin rights.
Hi Ken,

How many workstations do you have?

We have over 7000 workstations.

Do you want all users to have local admin rights, or just a select few on each workstation? For example:
workstation1 - user1, user2 both have local admin rights
or
workstation1 - all users have local admin rights.

We want all users to have local admin rights. They currently do through the INTERACTIVE group being a member of the local admins. But this also gives them RDP access to the ENTIRE domain, which we don't want.
Use Computer Config > Windows Settings > Security Settings > Restricted Groups to add a group called "Local Admin All Workstations", applied to the "Workstations" OU.

or

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

This should give you a guide to using GP to allow local admins on PCs - that's your best bet.

If the users are local admins they will be able to change any setting and override what you have set. One thing you can do is create a GPO and apply it to all workstations. Create a security group and add all users to that group, then deny that group RDP access in the GPO. The users will still be able to change the local security policy, but on the next GPO refresh it will revert back to what you have in the GPO.
Hi Ken and Twisted,

Thanks to BOTH of you much appreciated.

Can I run the following by both of you to see if this would work?

================
OPTION 1:
================
Create a GPO that will apply to ALL workstations.
In this GPO, add a group under:
Computer Config > Windows Settings > Security Settings > Restricted groups
Select "RDP Support" (This is a group I will create, and will contain Domain Admins, and other domain users that have been allowed to Remote Desktop).
On "This group has the following members...." add "Remote Desktop Users".
As this is destructive, all other users, including the local administrator, the local administrators group, and INTERACTIVE, will be removed from the Remote Desktop Users group.

================
OPTION 2:
================
http://technet.microsoft.com/en-us/library/cc758613(WS.10).aspx
https://kb.berkeley.edu/jivekb/entry.jspa?externalID=1085

Create a global group called "RDP Admins" and add the users who need this access, e.g. Domain Admins etc.
Add RDP Admins to the local Remote Desktop Users group.
Create a GPO and go to the setting:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
Go to the "Allow logon through Terminal Services" setting, and
Remove the Administrators group and leave the Remote Desktop Users group.
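Whichever route is taken (Ken's deny GPO above, or Option 1 / Option 2), the end state is local group membership and a Terminal Services logon right that a GPO must hold on 7000+ workstations, so here is an added PowerShell audit script (not from any poster in this thread) that lists each machine's local Administrators and Remote Desktop Users membership, flags INTERACTIVE and other broad principals that would still let everyone RDP in, and dumps the relevant user rights on the local box. It assumes PowerShell 2.0 or later, admin rights on the targets with the WinNT ADSI provider reachable, and the computer names shown are constructed placeholders.

```powershell
# Added audit script (not from the thread). Assumptions: PowerShell 2.0+ on the admin
# box, admin rights on the targets, the WinNT ADSI provider reachable over the network,
# and the computer names below are constructed placeholders.
$computers = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')

function Get-LocalGroupMember {
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    # Members come back as COM objects; read each one's ADsPath,
    # e.g. WinNT://NT AUTHORITY/INTERACTIVE or WinNT://CORP/RDP Support
    @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

# Desired end state for Option 1: 'Remote Desktop Users' contains only the RDP Support group
# (Restricted Groups entry defined on Remote Desktop Users, 'Members of this group' = RDP Support).
# Desired end state for the deny GPO: the all-users group holds SeDenyRemoteInteractiveLogonRight.
$broad = '(INTERACTIVE|Everyone|Authenticated Users|Domain Users|Administrators)$'

foreach ($c in $computers) {
    try {
        $admins = @(Get-LocalGroupMember -Computer $c -Group 'Administrators')
        $rdp    = @(Get-LocalGroupMember -Computer $c -Group 'Remote Desktop Users')
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }
    New-Object PSObject -Property @{
        Computer           = $c
        # Finding 1: INTERACTIVE still in Administrators, the thread's original exposure
        InteractiveIsAdmin = [bool]($admins -match 'INTERACTIVE$')
        # Finding 2: principals in Remote Desktop Users that would let any user RDP in
        BroadRdpMembers    = (($rdp -match $broad) -join '; ')
        RdpMembers         = ($rdp -join '; ')
    }
}

# Local check of the user right behind Option 2 / the deny GPO (run on a workstation itself,
# as an administrator). secedit writes SIDs: S-1-5-32-544 = Administrators,
# S-1-5-32-555 = Remote Desktop Users; after Option 2 only the latter should hold the allow right.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
Get-Content $inf | Where-Object { $_ -match '^Se(Deny)?RemoteInteractiveLogonRight' }
Remove-Item $inf
```

Run it again after the next GPO refresh: a workstation where a local admin has edited the local policy by hand will show up as drift until the GPO reverts it.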

Either will work.. I suggested both..lol.. I really do believe that with a network that large you should stray from allowing local users as domain admins - local admins on PCs should work well within your architecture. I would say Option 1 is your best bet
Thanks so much Twisted.
Thanks guys, much appreciated.