Restrict OUs on Server 2008

Posted on 2011-10-14
Last Modified: 2012-05-12
We have 1 DC in our Head Office and 4 DCs in different branch offices. All the DCs are running Windows Server 2008 R2 and all are connected through an MPLS network. We have created a different OU for each branch, and users are created there.
I would like to restrict permissions per OU on the servers. For example, the branch1 Administrator should have rights only for his OU. He should create users only in that OU and should not make any changes in other OUs.

I have right-clicked on the OU and delegated control to a user that I need to administer that OU. But I’m still unable to access any DC through mstsc using this user. I’m receiving the following message while logging in through mstsc: “The connection was denied because the user account is not authorized for remote login”
Question by: xpandit
    LVL 39

    Expert Comment

    by: Krzysztof Pytko
    For that you need to grant the user the "Log on locally" right, which is defined (for DCs) in the Default Domain Controllers Policy. Please create a security group called, e.g., Delegated Admins, put there all users who should be able to log on to a DC, and add this group name into the Default Domain Controllers Policy node

    Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
    and modify "Allow Log on locally" and "Allow Log on through RDS"

    but I would not grant them direct access to DCs, for security reasons! All of their needed administration can be done with the Administrative / RSAT Tools from a local workstation.
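    The point above (who may log on to a DC is set by User Rights Assignment in the Default Domain Controllers Policy) is something a defender should be able to verify on the DC itself. The following is an added example, not code from either participant: a PowerShell function that exports the effective local security policy with `secedit`, parses the "Allow log on locally" and "Allow log on through Remote Desktop Services" entries, and flags every principal outside an assumed baseline. The baseline SIDs are an assumption modelled on the usual Default Domain Controllers Policy defaults; replace them with your own documented policy.

```powershell
# Added example (not from the thread): audit which principals hold the two logon
# rights that gate console and RDP logon on a domain controller. Run it in an
# elevated PowerShell session on the DC. The baseline SIDs are an assumption
# (typical Default Domain Controllers Policy defaults); adjust to your own policy.

function Get-DcLogonRights {
    param(
        # SIDs considered acceptable holders of these rights (assumed baseline)
        [string[]]$Baseline = @(
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-5-32-548',  # BUILTIN\Account Operators
            'S-1-5-32-549',  # BUILTIN\Server Operators
            'S-1-5-32-550',  # BUILTIN\Print Operators
            'S-1-5-32-551',  # BUILTIN\Backup Operators
            'S-1-5-9'        # ENTERPRISE DOMAIN CONTROLLERS
        )
    )

    # Privilege constants as written by secedit, mapped to the GPO display names
    $rights = @{
        'SeInteractiveLogonRight'       = 'Allow log on locally'
        'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
    }

    # secedit exports the effective policy (including what the DC GPO applied)
    $cfg = Join-Path $env:TEMP ('urights-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session.' }

    try {
        foreach ($line in Get-Content $cfg) {
            # Lines look like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
            if ($line -notmatch '^(?<name>Se\w+)\s*=\s*(?<members>.+)$') { continue }
            $name = $Matches['name']
            if (-not $rights.ContainsKey($name)) { continue }

            foreach ($entry in $Matches['members'].Split(',')) {
                $raw      = $entry.Trim().TrimStart('*')   # '*' prefixes a SID
                $sidValue = $null
                $account  = $raw
                try {
                    $sid      = New-Object System.Security.Principal.SecurityIdentifier($raw)
                    $sidValue = $sid.Value
                    $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # Entry was already a name, or the SID no longer resolves (orphaned entry)
                }
                New-Object PSObject -Property @{
                    Right      = $rights[$name]
                    Constant   = $name
                    Principal  = $account
                    SID        = $sidValue
                    InBaseline = ($sidValue -ne $null -and $Baseline -contains $sidValue)
                }
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Anything outside the baseline is a delegated admin (or an unknown) who can log on to the DC
Get-DcLogonRights | Where-Object { -not $_.InBaseline } |
    Format-Table Right, Principal, SID -AutoSize
```

    An empty result means only the baseline principals can log on; a "Delegated Admins" style group showing up here is exactly the exposure the comment above warns about, so it is worth re-checking after any change to the Default Domain Controllers Policy. An unresolved SID in the output is an orphaned entry and should be cleaned up as well.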

    LVL 17

    Accepted Solution

    To my understanding, your issue is that you have a server in an OU and you have delegated permissions to that OU.
    Now you are unable to RDP to the server, right?
    If yes, the delegated permission is only at the object level; it won't grant admin rights or RDP access to the server.
    You need to configure Group Policy to allow logon through Terminal Services (RDP).

    Two ways to grant RDP access via Group policy

    Centrally enable Remote Desktop using Group Policy
    It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

    To centrally enable Remote Desktop using Group Policy
    1.To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

    2.Create and link a GPO to the terminal server OU.

    3.Right-click the GPO linked to the terminal server OU, and then click Edit.

    4.In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

    5.Click Enabled.

    6.Click OK.

    Next option:

    To add a domain group to the Remote Desktop Users group via Group Policy
    1.To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

    2.Create and link a GPO named Restricted Groups to the terminal server OU.

    3.Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

    4.You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

    Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

    5.Right-click Restricted Groups and then click Add Group.

    6.Click Browse, click Locations, select the locations you want to browse, and then click OK.

    7.Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

    8.Click the Remote Desktop Users group and then click OK.

    9.Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

    10.Click Add in the Members of this group section of the dialog box.

    11.Click Browse.

    12.Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

    13.Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group

    Refer to the link below

    LVL 39

    Expert Comment

    by: Krzysztof Pytko
    Prem, that's a good walkthrough, but .... for normal servers including TS, not for Domain Controllers :) Especially since DCs have no local groups, so Restricted Groups won't affect them ;)

    LVL 17

    Expert Comment

    by: Premkumar Yogeswaran
    Hi Krzysztof,
    hope you are doing good...!!!

    It's true, but the user requirement here is that they need to RDP to the server, but they are unable to..

    So I have shown 2 paths..
    One is to add the user to Remote Desktop Users and grant permission to RDP.
    And the next, which gives Admin access as well, since it adds the group via Restricted Groups.

    LVL 39

    Expert Comment

    by: Krzysztof Pytko
    Yup, but these particular servers are... Domain Controllers ;)

    The Remote Desktop Users domain group allows connecting to any server in the network if the user has the Log on locally right, that's true :)

    Anyway, this is also good hint :)
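    The thread's two threads of advice come together as: delegate the OU rights the branch admin actually needs, and keep the DC logon rights untouched so that the admin works from RSAT on a workstation rather than over mstsc. The Delegation of Control Wizard mentioned in the question writes exactly such an ACL; the block below is an added example (not from any participant) that writes the equivalent "create, delete and manage user accounts" delegation with the ActiveDirectory module so it can be scripted and reviewed. The OU distinguished name and the group name are assumptions; the GUID is the well-known schemaIDGUID of the `user` class.

```powershell
# Added example (not from the thread): delegate "create, delete and manage user
# accounts" on one branch OU to a branch admin group via the OU's ACL, so the
# branch admin works from RSAT on a workstation and never needs to log on to a DC.
# The OU DN and group name are assumptions; substitute your own.
Import-Module ActiveDirectory

$ouDn     = 'OU=Branch1,OU=Branches,DC=corp,DC=example'   # assumed OU
$groupSam = 'Branch1-OUAdmins'                             # assumed delegation group

$group = Get-ADGroup -Identity $groupSam
$sid   = $group.SID            # already a SecurityIdentifier (an IdentityReference)

# schemaIDGUID of the "user" object class; scopes the rights to user objects only
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Create and delete user objects in this OU and any sub-OU (nothing else).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# 2. Full control over the user objects themselves (reset password, edit attributes),
#    applied only to descendants of class "user", not to the OU or to other object types.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show exactly what the group can now do on this OU and nowhere else.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

    Because the rights are scoped by object class and inherited only below the branch OU, a member of the group cannot touch users in another branch's OU and gains no rights on the domain controllers' own computer objects or the Domain Controllers OU. Run the same `Get-Acl` review on every branch OU periodically; a delegation that has drifted to `GenericAll` on the OU itself, or one with no object-class filter, is the kind of over-grant this check is meant to catch.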

