Solved

Login Time Restriction for Remote Desktop Users

Posted on 2014-03-02
12
604 Views
Last Modified: 2016-07-15
We need to automate the denial of logging into a terminal server (RDP sessions only) - not AD Login because users access their Exchange server which is in this Windows domain.  For example, we tried restricting AD login times, but their email clients on their smart phones started complaining. So we just want to block them from logging into the terminal server only during off hours so we can properly do backups, updates, etc.
0
Comment
Question by:GlennRhodes
  • 4
  • 3
  • 2
  • +1
12 Comments
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39898695
Create a GPO to restrict logon hours for a group of users and apply it to your Terminal Servers.

MO
0
 

Author Comment

by:GlennRhodes
ID: 39898746
We have an OU in already place with no  type of login restrictions, - what policy restricts only their ability to login to the terminal server and not restrict Active Directory for their Exchange access?

As a note: I wanted to test restricting RDP login into our Terminal Server, so went into ADCU last week, went to properties of a user and restricted login time access to 8-5 M-F, but soon got the call that his email stopped working that night. Had to put it back. So I cant restrict AD login as a way to restrict TS login.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39899681
Hi.

You could use the local policy to set/reset logon privileges on a schedule. Also you would have to use rwinsta.exe to log off users at that time. The local privileges can be modified using ntrights.exe from the resource kit.

Need further instructions?
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 37

Expert Comment

by:bbao
ID: 39900175
another approache is via firewall if the TS is located at a different subnet of RDP clients. of course, the firewall should be able apply rules based on given time restrictions.
0
 

Author Comment

by:GlennRhodes
ID: 39911555
bbao: We need more granular approach to denying RDP logons. Our Watchguard firewall is good, but not good enough to do that because of the various servers we have on the same subnet.
0
 

Author Comment

by:GlennRhodes
ID: 39911562
McKnife: If you have instructions on this, yes it would be appreciated to see some detail on what you are describing.  Isn't rwinsta.exe used to just reset a session? We would want to deny RDP logons during specified times, but not kill AD logins.
 Wouldn't this be a nice utility for Sys Admins to run along side ADUC's ? Seems like Microsoft left a window of opportunity in their software for someone to fill..
0
 
LVL 37

Expert Comment

by:bbao
ID: 39911565
> Our Watchguard firewall is good,
> the various servers we have on the same subnet.

if your firewall does support time based ACL, that should work as the control can be against a single host (IP) or a group of hosts (IPs) rather than the whole subnet.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 39911892
Hi.

Instructions were partially given, I hoped you would at least try out ntrights, so I could assist on Problems that already arose. You haven't and you haven't tried rwinsta either? OK...

Download ntrights from here http://www.dynawell.com/de/support-de/resource-kits/160-windows-resource-kits/resource-kit-for-windows-2000/362-ntrights , please note that it works on all Windows platforms, not only on win2000. Then please read the instructions on http://ss64.com/nt/ntrights.html - there you will see that the privilege SeRemoteInteractiveLogonRight is the one it's all about.
On an elevated command prompt, the command in order to grant someone that privilege would be
Ntrights.exe -u username +r SeRemoteInteractiveLogonRight

But you need to revoke ("-r") that privilege. So based on what group you have entitled to logon via RDP, you need to use
Ntrights.exe -u groupname -r SeRemoteInteractiveLogonRight

This can be done via windows' scheduler at the times you like. Right afterwards, you could disconnect all current sessions using rwinsta. rwinsta syntax is... no, please try it yourself first.
0
 

Author Comment

by:GlennRhodes
ID: 39914281
McKnife: I will give this a try. I checked out ntrights.exe, and this looks like a workable solution along with scheduler.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41706841
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question