Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1026
  • Last Modified:

Login Time Restriction for Remote Desktop Users

We need to automate the denial of logging into a terminal server (RDP sessions only) - not AD Login because users access their Exchange server which is in this Windows domain.  For example, we tried restricting AD login times, but their email clients on their smart phones started complaining. So we just want to block them from logging into the terminal server only during off hours so we can properly do backups, updates, etc.
0
GlennRhodes
Asked:
GlennRhodes
  • 4
  • 3
  • 2
  • +1
1 Solution
 
Michael OrtegaSales & Systems EngineerCommented:
Create a GPO to restrict logon hours for a group of users and apply it to your Terminal Servers.

MO
0
 
GlennRhodesAuthor Commented:
We have an OU in already place with no  type of login restrictions, - what policy restricts only their ability to login to the terminal server and not restrict Active Directory for their Exchange access?

As a note: I wanted to test restricting RDP login into our Terminal Server, so went into ADCU last week, went to properties of a user and restricted login time access to 8-5 M-F, but soon got the call that his email stopped working that night. Had to put it back. So I cant restrict AD login as a way to restrict TS login.
0
 
McKnifeCommented:
Hi.

You could use the local policy to set/reset logon privileges on a schedule. Also you would have to use rwinsta.exe to log off users at that time. The local privileges can be modified using ntrights.exe from the resource kit.

Need further instructions?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
bbaoIT ConsultantCommented:
another approache is via firewall if the TS is located at a different subnet of RDP clients. of course, the firewall should be able apply rules based on given time restrictions.
0
 
GlennRhodesAuthor Commented:
bbao: We need more granular approach to denying RDP logons. Our Watchguard firewall is good, but not good enough to do that because of the various servers we have on the same subnet.
0
 
GlennRhodesAuthor Commented:
McKnife: If you have instructions on this, yes it would be appreciated to see some detail on what you are describing.  Isn't rwinsta.exe used to just reset a session? We would want to deny RDP logons during specified times, but not kill AD logins.
 Wouldn't this be a nice utility for Sys Admins to run along side ADUC's ? Seems like Microsoft left a window of opportunity in their software for someone to fill..
0
 
bbaoIT ConsultantCommented:
> Our Watchguard firewall is good,
> the various servers we have on the same subnet.

if your firewall does support time based ACL, that should work as the control can be against a single host (IP) or a group of hosts (IPs) rather than the whole subnet.
0
 
McKnifeCommented:
Hi.

Instructions were partially given, I hoped you would at least try out ntrights, so I could assist on Problems that already arose. You haven't and you haven't tried rwinsta either? OK...

Download ntrights from here http://www.dynawell.com/de/support-de/resource-kits/160-windows-resource-kits/resource-kit-for-windows-2000/362-ntrights , please note that it works on all Windows platforms, not only on win2000. Then please read the instructions on http://ss64.com/nt/ntrights.html - there you will see that the privilege SeRemoteInteractiveLogonRight is the one it's all about.
On an elevated command prompt, the command in order to grant someone that privilege would be
Ntrights.exe -u username +r SeRemoteInteractiveLogonRight

But you need to revoke ("-r") that privilege. So based on what group you have entitled to logon via RDP, you need to use
Ntrights.exe -u groupname -r SeRemoteInteractiveLogonRight

This can be done via windows' scheduler at the times you like. Right afterwards, you could disconnect all current sessions using rwinsta. rwinsta syntax is... no, please try it yourself first.
0
 
GlennRhodesAuthor Commented:
McKnife: I will give this a try. I checked out ntrights.exe, and this looks like a workable solution along with scheduler.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

  • 4
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now