Solved

Login Time Restriction for Remote Desktop Users

Posted on 2014-03-02
12
521 Views
Last Modified: 2016-07-15
We need to automate the denial of logging into a terminal server (RDP sessions only) - not AD Login because users access their Exchange server which is in this Windows domain.  For example, we tried restricting AD login times, but their email clients on their smart phones started complaining. So we just want to block them from logging into the terminal server only during off hours so we can properly do backups, updates, etc.
0
Comment
Question by:GlennRhodes
  • 4
  • 3
  • 2
  • +1
12 Comments
 
LVL 16
ID: 39898695
Create a GPO to restrict logon hours for a group of users and apply it to your Terminal Servers.

MO
0
 

Author Comment

by:GlennRhodes
ID: 39898746
We have an OU in already place with no  type of login restrictions, - what policy restricts only their ability to login to the terminal server and not restrict Active Directory for their Exchange access?

As a note: I wanted to test restricting RDP login into our Terminal Server, so went into ADCU last week, went to properties of a user and restricted login time access to 8-5 M-F, but soon got the call that his email stopped working that night. Had to put it back. So I cant restrict AD login as a way to restrict TS login.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39899681
Hi.

You could use the local policy to set/reset logon privileges on a schedule. Also you would have to use rwinsta.exe to log off users at that time. The local privileges can be modified using ntrights.exe from the resource kit.

Need further instructions?
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 37

Expert Comment

by:bbao
ID: 39900175
another approache is via firewall if the TS is located at a different subnet of RDP clients. of course, the firewall should be able apply rules based on given time restrictions.
0
 

Author Comment

by:GlennRhodes
ID: 39911555
bbao: We need more granular approach to denying RDP logons. Our Watchguard firewall is good, but not good enough to do that because of the various servers we have on the same subnet.
0
 

Author Comment

by:GlennRhodes
ID: 39911562
McKnife: If you have instructions on this, yes it would be appreciated to see some detail on what you are describing.  Isn't rwinsta.exe used to just reset a session? We would want to deny RDP logons during specified times, but not kill AD logins.
 Wouldn't this be a nice utility for Sys Admins to run along side ADUC's ? Seems like Microsoft left a window of opportunity in their software for someone to fill..
0
 
LVL 37

Expert Comment

by:bbao
ID: 39911565
> Our Watchguard firewall is good,
> the various servers we have on the same subnet.

if your firewall does support time based ACL, that should work as the control can be against a single host (IP) or a group of hosts (IPs) rather than the whole subnet.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 39911892
Hi.

Instructions were partially given, I hoped you would at least try out ntrights, so I could assist on Problems that already arose. You haven't and you haven't tried rwinsta either? OK...

Download ntrights from here http://www.dynawell.com/de/support-de/resource-kits/160-windows-resource-kits/resource-kit-for-windows-2000/362-ntrights , please note that it works on all Windows platforms, not only on win2000. Then please read the instructions on http://ss64.com/nt/ntrights.html - there you will see that the privilege SeRemoteInteractiveLogonRight is the one it's all about.
On an elevated command prompt, the command in order to grant someone that privilege would be
Ntrights.exe -u username +r SeRemoteInteractiveLogonRight

But you need to revoke ("-r") that privilege. So based on what group you have entitled to logon via RDP, you need to use
Ntrights.exe -u groupname -r SeRemoteInteractiveLogonRight

This can be done via windows' scheduler at the times you like. Right afterwards, you could disconnect all current sessions using rwinsta. rwinsta syntax is... no, please try it yourself first.
0
 

Author Comment

by:GlennRhodes
ID: 39914281
McKnife: I will give this a try. I checked out ntrights.exe, and this looks like a workable solution along with scheduler.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41706841
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question