

Restrict OUs on Server 2008

Posted on 2011-10-14
Medium Priority
Last Modified: 2012-05-12
We have 1 DC in our Head Office and 4 DCs in different branch offices. All the DCs are running Windows Server 2008 R2 and all are connected through an MPLS network. We have created a different OU for each branch, and users are created there.
I would like to restrict permissions OU-wise on the servers. For example, the branch1 Administrator should have rights only for his OU. He should create users only in that OU; he should not make any changes in other OUs.

I have right-clicked on the OU and delegated control to a user that I need to administer that OU. But I'm still unable to access any DC through mstsc using this user. I'm receiving the following message while logging in through mstsc: "The connection was denied because the user account is not authorized for remote login".
Question by: xpandit
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36967347
For that you need to grant the user the "Log on locally" right, which is defined (for DCs) in the Default Domain Controllers Policy. Please create a security group called, e.g., Delegated Admins, put in it all users who should be able to log on to a DC, and add this group name to the Default Domain Controllers Policy node

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
and modify "Allow Log on locally" and "Allow Log on through RDS"

but I would not grant them direct access to DCs for security reasons! All of the administration they need can be done with the Administrative / RSAT Tools from a local workstation.
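The distinction this comment rests on (delegation on the OU versus a logon right on the DC) can be checked in one place. The following PowerShell, run on a domain controller, is an added example and not part of the thread: it lists the ACEs the delegated group holds on the OU, then exports the effective User Rights Assignment with secedit and reports whether that group appears in "Allow log on locally" (SeInteractiveLogonRight) and "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight). The OU DN and group name are assumptions.

```powershell
# Added example (not from the thread). Run on a DC in an elevated PowerShell.
# Delegation lives in the OU's ACL; console/RDP logon lives in User Rights Assignment.
Import-Module ActiveDirectory

$OuDN  = 'OU=Branch1,DC=corp,DC=example'   # assumed branch OU
$Group = 'CORP\Branch1 Admins'              # assumed delegated admins group

# 1. What has been delegated on the OU? (the "Delegate Control" wizard writes ACEs here)
$acl = Get-Acl -Path "AD:\$OuDN"
$delegated = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })
"Delegated ACEs for $Group on ${OuDN}: $($delegated.Count)"
$delegated | Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

# 2. Which principals hold logon rights on this DC? secedit exports the applied policy,
#    so this reflects the Default Domain Controllers Policy and anything overriding it.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

$rights = @{}
Get-Content -Path $inf | Where-Object { $_ -match '^Se\w+\s*=' } | ForEach-Object {
    $name, $value = $_ -split '=', 2
    $rights[$name.Trim()] = @($value -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # entries are written as *SID; translate to DOMAIN\Name where possible
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    })
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# 3. Report: a delegated group with no logon right produces exactly the mstsc error quoted above.
foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    $holders = @($rights[$right])
    $granted = $holders -contains $Group
    '{0,-30} granted to {1}: {2}' -f $right, $Group, $granted
    '    holders: ' + ($holders -join ', ')
}
```

The `-contains` test is a direct-membership check only; if the group is nested inside one of the listed holders (for example BUILTIN\Administrators) it will report false even though logon would succeed, so read the holders line as well. A clean result for this check is "delegated ACEs present, no logon right on the DC", which is the state this comment recommends keeping, with the branch admin working from RSAT on a workstation.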

LVL 17

Accepted Solution

Premkumar Yogeswaran earned 2000 total points
ID: 36967384
To my understanding, your issue is that you have a server in an OU and you have delegated permission to that OU.
Now you are unable to RDP to the server, right?
If yes: the delegation permission is only at the object level; it won't grant admin rights or RDP access to the server.
You need to configure Group Policy to allow logon through Terminal Services (RDP).

Two ways to grant RDP access via Group policy

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

To centrally enable Remote Desktop using Group Policy
1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.

Next option:

To add a domain group to the Remote Desktop Users group via Group Policy
1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.

Refer to the link below
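The first walkthrough above (create a GPO, link it to the server OU, enable "Allow users to connect remotely using Terminal Services") can be scripted with the GroupPolicy module instead of GPMC clicks. The following PowerShell is an added example and not the answer's own code; the GPO name, the OU distinguished name and the group name are assumptions. The ADMX setting in step 4 is backed by the registry policy value fDenyTSConnections under the Terminal Services policy key, which is what Set-GPRegistryValue writes.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and ActiveDirectory
# RSAT modules; run from a management workstation or server with those installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Branch1 Servers - Remote Desktop'                   # assumed GPO name
$TargetOU = 'OU=Servers,OU=Branch1,DC=corp,DC=example'           # assumed server OU
$RdpGroup = 'CORP\Branch1 Admins'                                # assumed domain group

# Step 2: create the GPO if it does not exist, then link it to the server OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Allows RDP to branch servers for delegated admins'
}
$existingLink = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Steps 4-6: "Allow users to connect remotely using Terminal Services" = Enabled.
$tsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $GpoName -Key $tsKey -ValueName 'fDenyTSConnections' `
    -Type DWord -Value 0 | Out-Null

# Verify what the GPO now carries before waiting for the next policy refresh.
Get-GPRegistryValue -Name $GpoName -Key $tsKey -ValueName 'fDenyTSConnections' |
    Select-Object FullKeyPath, ValueName, Type, Value | Format-List

# Second path from the answer: membership in each server's local Remote Desktop Users
# group. There is no GroupPolicy cmdlet for Restricted Groups, so that part stays in the
# GPMC editor; the equivalent direct change on one member server is:
#   net localgroup "Remote Desktop Users" "$RdpGroup" /add
```

This only opens the door on member servers in the linked OU. As the next comment points out, the same GPO linked to the Domain Controllers OU would not get a delegated admin onto a DC: that still needs the "Allow log on locally" / "Allow log on through Remote Desktop Services" rights in the Default Domain Controllers Policy, which the first answer describes.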


LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36967394
Prem, that's a good walkthrough but .... for normal servers, including TS, not for Domain Controllers :) Especially since DCs have no local groups, so Restricted Groups won't affect them ;)

LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 36967434
Hi Krzysztof,
hope you are doing well...!!!

It's true, but the user requirement here is that they need to RDP to the server, but they are unable to..

So I have shown 2 paths..
One is to add the user to Remote Desktop Users and grant permission to RDP.
And the next, which gives Admin access as well, since it adds the group via Restricted Groups.

LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36967563
Yup, but these particular servers are... Domain Controllers ;)

The Remote Desktop Users domain group allows connecting to any server in the network if the user has the Log on locally right, that's true :)

Anyway, this is also a good hint :)

