Solved

Login Time Restriction for Remote Desktop Users

Posted on 2014-03-02
Last Modified: 2016-07-15
We need to automate the denial of logging into a terminal server (RDP sessions only) - not AD Login because users access their Exchange server which is in this Windows domain.  For example, we tried restricting AD login times, but their email clients on their smart phones started complaining. So we just want to block them from logging into the terminal server only during off hours so we can properly do backups, updates, etc.
Question by:GlennRhodes
12 Comments
LVL 16

Expert Comment

by:Michael Ortega
ID: 39898695
Create a GPO to restrict logon hours for a group of users and apply it to your Terminal Servers.

MO

Author Comment

by:GlennRhodes
ID: 39898746
We already have an OU in place with no type of login restrictions. What policy restricts only their ability to log in to the terminal server and does not restrict Active Directory for their Exchange access?

As a note: I wanted to test restricting RDP login into our Terminal Server, so I went into ADUC last week, went to the properties of a user and restricted login time access to 8-5 M-F, but soon got the call that his email stopped working that night. I had to put it back. So I can't restrict AD login as a way to restrict TS login.
LVL 55

Expert Comment

by:McKnife
ID: 39899681
Hi.

You could use the local policy to set/reset logon privileges on a schedule. Also you would have to use rwinsta.exe to log off users at that time. The local privileges can be modified using ntrights.exe from the resource kit.

Need further instructions?
LVL 37

Expert Comment

by:bbao
ID: 39900175
Another approach is via the firewall, if the TS is located on a different subnet from the RDP clients. Of course, the firewall should be able to apply rules based on given time restrictions.

Author Comment

by:GlennRhodes
ID: 39911555
bbao: We need a more granular approach to denying RDP logons. Our Watchguard firewall is good, but not good enough to do that because of the various servers we have on the same subnet.

Author Comment

by:GlennRhodes
ID: 39911562
McKnife: If you have instructions on this, yes, it would be appreciated to see some detail on what you are describing. Isn't rwinsta.exe used to just reset a session? We would want to deny RDP logons during specified times, but not kill AD logins.
Wouldn't this be a nice utility for Sys Admins to run alongside ADUC? Seems like Microsoft left a window of opportunity in their software for someone to fill...
LVL 37

Expert Comment

by:bbao
ID: 39911565
> Our Watchguard firewall is good,
> the various servers we have on the same subnet.

If your firewall does support time-based ACLs, that should work, as the control can be applied to a single host (IP) or a group of hosts (IPs) rather than the whole subnet.
LVL 55

Accepted Solution

by:McKnife (earned 500 total points)
ID: 39911892
Hi.

Instructions were partially given; I hoped you would at least try out ntrights, so I could assist with problems that already arose. You haven't, and you haven't tried rwinsta either? OK...

Download ntrights from here http://www.dynawell.com/de/support-de/resource-kits/160-windows-resource-kits/resource-kit-for-windows-2000/362-ntrights , please note that it works on all Windows platforms, not only on win2000. Then please read the instructions on http://ss64.com/nt/ntrights.html - there you will see that the privilege SeRemoteInteractiveLogonRight is the one it's all about.
In an elevated command prompt, the command to grant someone that privilege would be
Ntrights.exe -u username +r SeRemoteInteractiveLogonRight

But you need to revoke ("-r") that privilege. So based on what group you have entitled to logon via RDP, you need to use
Ntrights.exe -u groupname -r SeRemoteInteractiveLogonRight

This can be done via the Windows scheduler at the times you like. Right afterwards, you could disconnect all current sessions using rwinsta. rwinsta syntax is... no, please try it yourself first.
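The procedure McKnife outlines (revoke SeRemoteInteractiveLogonRight with ntrights.exe on a schedule, reset the sessions that are still open with rwinsta.exe, grant the right back in the morning) as one script, added here as an example; it is not code from the thread or from any of the participants. It assumes a placeholder group DOMAIN\TS-Users holds the RDP logon right on the terminal server, that ntrights.exe was copied to C:\Tools, and that the script is saved as C:\Tools\Set-RdpWindow.ps1 and run elevated on the terminal server itself. The session parsing of `query session` output and the secedit verification at the end are additions beyond the answer.

```powershell
<#
  Added example (not from the thread): scheduled revoke / restore of the RDP
  logon right on a terminal server, following the accepted answer.
  Assumptions (placeholders): group DOMAIN\TS-Users, tool path C:\Tools\ntrights.exe.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('Revoke', 'Restore')]
    [string]$Action,
    [string]$Group    = 'DOMAIN\TS-Users',        # assumption: the group entitled to log on via RDP
    [string]$NtRights = 'C:\Tools\ntrights.exe'   # assumption: where the resource-kit tool was copied
)

# The privilege behind "Allow log on through Remote Desktop Services" (see the ss64 page above).
$Right = 'SeRemoteInteractiveLogonRight'

function Set-RdpRight {
    param([ValidateSet('+r', '-r')][string]$Mode)
    # ntrights changes this machine's local security policy only, so domain logons used by
    # Exchange / ActiveSync are untouched, unlike the AD logon-hours setting in ADUC.
    & $NtRights -u $Group $Mode $Right
    if ($LASTEXITCODE -ne 0) { throw "ntrights exited with code $LASTEXITCODE; right not changed" }
}

function Get-RdpSessionIds {
    # Revoking a right does not end sessions that are already open, so list them first.
    # 'query session' prints a fixed-width table and disconnected sessions have an empty
    # SESSIONNAME column, so match "<user> <id> <state>" instead of relying on offsets.
    # Typical lines: " services  0  Disc", ">console  Administrator  1  Active",
    #                " rdp-tcp#5  jdoe  3  Active  rdpwd", "           jdoe  4  Disc"
    $ids = @()
    foreach ($line in (query session 2>$null)) {
        if ($line -match '^\s*>?(?<name>\S*)\s+(?<user>\S+)\s+(?<id>\d+)\s+(?<state>Active|Disc)') {
            # skip the physical console and the services session; only RDP sessions are reset
            if ($Matches.name -eq 'console' -or $Matches.user -eq 'services' -or [int]$Matches.id -eq 0) { continue }
            $ids += [int]$Matches.id
        }
    }
    return $ids
}

switch ($Action) {
    'Revoke' {
        Set-RdpRight -Mode '-r'                  # new RDP logons by the group are refused from now on
        foreach ($id in Get-RdpSessionIds) {
            Write-Output "Resetting RDP session $id"
            & rwinsta $id                        # rwinsta = "reset session"; unsaved work in it is lost
        }
    }
    'Restore' {
        Set-RdpRight -Mode '+r'                  # business hours: hand the right back
    }
}

# Verification after either run: export the local user-rights area and show the right.
# secedit lists holders as SIDs (e.g. *S-1-5-32-544 for Administrators), not names.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern $Right | ForEach-Object { $_.Line }

<# Scheduling (run once, elevated): revoke weekdays at 18:00, restore at 07:00.
schtasks /Create /TN "RDP window - revoke"  /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 18:00 /RU SYSTEM /RL HIGHEST /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Tools\Set-RdpWindow.ps1 -Action Revoke"
schtasks /Create /TN "RDP window - restore" /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST 07:00 /RU SYSTEM /RL HIGHEST /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Tools\Set-RdpWindow.ps1 -Action Restore"
#>
```

Two things to check before relying on it. First, `-u` must name the exact principal that holds the right on that server: if the users get RDP access only through membership in the local Remote Desktop Users group, revoking a domain group has no effect, and members of Administrators keep the right regardless because that group holds it separately; the secedit output at the end shows who actually holds it. Second, if a GPO assigns "Allow log on through Remote Desktop Services" to that server, the next Group Policy refresh overwrites the local change made by ntrights, so the right either has to be left unmanaged by GPO or the schedule has to be implemented on the GPO side instead.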

Author Comment

by:GlennRhodes
ID: 39914281
McKnife: I will give this a try. I checked out ntrights.exe, and this looks like a workable solution along with scheduler.
LVL 55

Expert Comment

by:McKnife
ID: 41706841