Restrict OUs on Server 2008

We have 1 DC in our Head Office and 4 DCs in different branch offices. All the DCs are running Windows Server 2008 R2 and all are connected through an MPLS network. We have created a different OU for each branch and the users are created there.
I would like to restrict permissions on an OU-wise basis in the servers. For example, the branch1 Administrator should have rights only for his OU. He should create users only in that OU; he should not make any changes in other OUs.

I have right-clicked on the OU and delegated control to a user that I need to administer that OU. But I am still unable to access any DC through mstsc using this user. I'm receiving the following message while logging in through mstsc: "The connection was denied because the user account is not authorized for remote login".
xpandit asked:
Krzysztof Pytko (Senior Active Directory Engineer) commented:
For that you need to grant the user the "Log on locally" right, which is defined (for DCs) in the Default Domain Controllers Policy. Please create a security group called, i.e., Delegated Admins, put all users who should be able to log on to a DC in it, and add this group name into the Default Domain Controllers Policy node

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
and modify "Allow log on locally" and "Allow log on through Remote Desktop Services".

But I would not grant them direct access to DCs for security reasons! All of their needed administration can be done over the Administrative / RSAT Tools from a local workstation.

Regards,
Krzysztof
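The two halves of this answer can be scripted and verified. The block below is an added example, not code from the thread: it creates a per-branch delegation group, delegates only user-object management on one branch OU with the built-in dsacls tool, and reads the resulting ACL back so you can confirm the group got nothing beyond user objects. The OU path `OU=Branch1`, the group name and the `OU=Groups` container are placeholders; it assumes the ActiveDirectory RSAT module and a domain-admin session. Note that it grants no logon right at all: that is deliberately left to the Default Domain Controllers Policy decision discussed above.

```powershell
# Added example (not from the thread): delegate user management on one branch OU
# to a dedicated group and verify the ACE. Placeholder names; adjust to your forest.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName            # e.g. DC=corp,DC=example
$netbios   = $domain.NetBIOSName
$branchOU  = "OU=Branch1,$domainDN"               # placeholder: the branch OU to delegate
$groupName = "Branch1 Delegated Admins"           # placeholder: one group per branch
$groupOU   = "OU=Groups,$domainDN"                # placeholder: where the group lives

# 1. A dedicated security group receives the delegation, never an individual account,
#    so membership changes (and the audit trail) stay in one place.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupOU -Description "Manages user objects in $branchOU only"
}

# 2. Delegate with dsacls (ships with the AD DS role / RSAT):
#    CCDC;user  = create and delete *user* child objects directly in this OU
dsacls $branchOU /G "${netbios}\${groupName}:CCDC;user"
#    /I:S ... GA;;user = full control, inherited to *user* objects only (not groups,
#    computers or child OUs), which is what "manage users in this OU" should mean
dsacls $branchOU /I:S /G "${netbios}\${groupName}:GA;;user"

# 3. Read the ACL back through the AD: PSDrive and show only this group's ACEs.
#    ObjectType / InheritedObjectType are schema GUIDs; bf967aba-0de6-11d0-a285-00aa003049e2
#    is the built-in 'user' class, which is what you should see on both entries.
$acl = Get-Acl -Path "AD:\$branchOU"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

If the branch admin later also needs group or computer management, add a further scoped `dsacls` line rather than widening the existing one to `GA` on the whole OU; the read-back at step 3 is the check to run after every such change.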
Premkumar Yogeswaran (Analyst II - System Administrator) commented:
Hi,
To my understanding, your issue is that you have a server in an OU and you have delegated permission to that OU.
Now you are unable to RDP to the server, right?
If yes, the delegation permission is only at object level; it won't grant admin rights or RDP access to the server.
You need to configure Group Policy to log in through Terminal Services (RDP).

Two ways to grant RDP access via Group policy

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.

Next option:

To add a domain group to the Remote Desktop Users group via Group Policy

1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.

Refer to the link below:

http://technet.microsoft.com/en-us/library/cc776790(WS.10).aspx

Regards,
Prem
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Prem, that's a good walkthrough but .... for normal servers including TS, not for Domain Controllers :) Especially since DCs have no local groups, so Restricted Groups won't affect them ;)

Krzysztof
Premkumar Yogeswaran (Analyst II - System Administrator) commented:
Hi Krzysztof,
Hope you are doing good...!!!

It's true, but the user requirement here is that they need to RDP to the server, but they are unable to..

So I have shown 2 paths..
One is to add the user to Remote Desktop Users and grant permission to RDP.
And the next, which gives Admin access as well, since it adds the group to a restricted group.

Regards,
Prem
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Yup, but these particular servers are... Domain Controllers ;)

The Remote Desktop Users domain group allows connecting to any server in the network if the user has the Log on locally right, that's true :)

Anyway, this is also good hint :)

Krzysztof
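The disagreement in the last few comments comes down to one fact: on a domain controller the only thing that decides who can RDP in is the user-rights assignment pushed by the Default Domain Controllers Policy, while on a member server the local Remote Desktop Users group (which a Restricted Groups GPO populates) also counts. The following is an added audit script, not code from the thread or from Microsoft: run it elevated on a DC and on a branch member server and it prints the effective holders of "Allow log on locally" and "Allow log on through Remote Desktop Services" from a `secedit` export, plus the local Remote Desktop Users membership where such a group exists. It only uses built-in tools and changes nothing, so it is a safe way to confirm what the delegation did and did not grant before touching the DC policy. The temp file name is an assumption.

```powershell
# Added example (not from the thread): audit who can really log on to this host.
# Requires an elevated prompt (secedit /export needs it). Read-only.

# DomainRole 4 (backup DC) or 5 (primary DC) means this host is a domain controller.
$roleCode = (Get-WmiObject Win32_ComputerSystem).DomainRole
$isDC     = $roleCode -ge 4

# Export the effective user-rights assignment. On a DC this reflects what the
# Default Domain Controllers Policy applied, which is the setting the accepted answer edits.
$cfg = Join-Path $env:TEMP "urights-audit.inf"      # assumed temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg

function Get-RightHolders([string]$right) {
    # secedit writes e.g.  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = $lines | Where-Object { $_ -like "$right =*" } | Select-Object -First 1
    if (-not $line) { return @() }                     # right not granted to anyone
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim()
        if ($id.StartsWith('*')) {                     # leading '*' marks a raw SID
            try {
                (New-Object Security.Principal.SecurityIdentifier($id.Substring(1))).
                    Translate([Security.Principal.NTAccount]).Value
            } catch { $id }                            # unresolvable SID: show as-is
        } else { $id }
    }
}

$role = if ($isDC) { "Domain Controller" } else { "Member server / workstation" }
"Host: $env:COMPUTERNAME   Role: $role"
""
"Allow log on locally (SeInteractiveLogonRight):"
Get-RightHolders 'SeInteractiveLogonRight' | ForEach-Object { "  $_" }
""
"Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight):"
Get-RightHolders 'SeRemoteInteractiveLogonRight' | ForEach-Object { "  $_" }
""

if ($isDC) {
    "This is a DC: its Builtin groups are domain-wide, not a per-server local SAM, and"
    "the Default Domain Controllers Policy grants the RDS logon right to Administrators"
    "only by default, so Remote Desktop Users membership alone does not allow RDP here."
} else {
    # Member server: the local group a Restricted Groups GPO would populate
    "Local 'Remote Desktop Users' members:"
    $grp = [ADSI]"WinNT://./Remote Desktop Users,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        "  " + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the delegated branch admin's group appears in neither list on the DC, the "not authorized for remote login" message is expected and correct. The secure outcome recommended earlier in the thread is that it stays that way: keep the DC lists at their defaults and let the branch admin manage the OU with RSAT from a workstation, where this same script shows the rights they actually hold.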