Restricting RDP access to all but two computers in a domain over VPN


I was asked to set up an account for a third party that is going to support their software running on two of our servers. The third-party vendor is going to VPN into our network (Cisco ASA), authenticate against AD and then RDP into the application servers.

I've created an AD user, added it to the existing security group named "SG_VPN users" and then tried to add the two servers as the only computers that this particular user can log on to (via Account -> "Log on to..."). Without computer names added to "Log on to..." I can establish a VPN connection to the corporate network without any problem, but once I add both servers, the VPN cannot be established.

Could you please help me set this up? Thank you.
Will Szymkowski (Senior Solution Architect) commented:
Do the following below...
- add the user to the security group you created (which you have done)
- make sure that RDP access is enabled on the 2 servers
- add the group SG_VPN to the Remote Desktop Users group on these 2 machines
- open the properties of this user account and change the Log On To... setting to the two servers
- ensure that when the users are connected to the VPN they can ping the two servers they need access to (if the VPN is isolated then you need to make sure that these machines are added)
- have them remote into the machines
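The steps above as a PowerShell script, added here as an example and not part of Will's answer. The server names APPSRV1/APPSRV2 and the vendor account name are placeholders; it assumes the ActiveDirectory module on the admin workstation and WinRM plus PowerShell 5.1 (for Add-LocalGroupMember) on the two servers.

```powershell
# Added example: applies the steps above with PowerShell. Names below are
# placeholders; replace them with the real servers and vendor account.
Import-Module ActiveDirectory

$vendor  = 'vendor.svc'              # placeholder: the vendor's AD user
$group   = 'SG_APPS'                 # group created for the vendor (from the thread)
$servers = @('APPSRV1', 'APPSRV2')   # placeholders: the two application servers

# "Log On To..." in ADUC is the user's LogonWorkstations attribute; it takes a
# comma-separated list of NetBIOS computer names (no domain suffix).
Set-ADUser -Identity $vendor -LogonWorkstations ($servers -join ',')

# Verify what was written before testing the VPN again.
Get-ADUser -Identity $vendor -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# On each server: check that RDP is enabled and put the vendor group into the
# local Remote Desktop Users group (idempotent: skips if already a member).
Invoke-Command -ComputerName $servers -ScriptBlock {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    if ($rdp.fDenyTSConnections -ne 0) { Write-Warning "$env:COMPUTERNAME: RDP is disabled" }

    $member  = "$env:USERDOMAIN\$using:group"
    $current = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
    if ($current -notcontains $member) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
    }
}

# From a VPN-connected client: confirm the RDP port on each server is reachable.
foreach ($s in $servers) { Test-NetConnection -ComputerName $s -Port 3389 }
```

If the VPN still fails after LogonWorkstations is set, Will's suggestion below is to test by also adding a domain controller's name to the list on a test account.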


inseek (Author) commented:
Thanks, Will.

Forgot to mention that I have to restrict this vendor from accessing any other resources/computers in the network. All they need is to VPN into our network, RDP to their servers and do their admin work on them. They should not be able to browse any shares available to other domain users, log in to other computers etc. At the same time, I don't want other users from SG_VPN to access all resources beyond their own computers. The way it is set right now, all users that belong to SG_VPN can VPN into the corporate network and browse all resources, as their personal logins do not restrict them from logging in to any particular system. I am not concerned about company employees at this moment, but I want to restrict vendors from accessing company resources beyond their scope of work.

We have multiple security groups already created, and SG_VPN (and the Domain Users group as well) is not a member of the Remote Desktop Users group (which is also empty, no users listed there).

This particular vendor is a member of the "SG_APPS" security group that I've created for them, and this group is added to the local Remote Users group.

RDP access is enabled on both servers, as this is the way I access them myself. The vendor account is added to Remote Desktop Users locally as well.

As I said, once I select Logon To... machines for the vendor, I am unable to establish VPN.
Will Szymkowski (Senior Solution Architect) commented:
Specifying the Log On To... and adding the servers should not affect you connecting to your VPN. This seems to be a VPN-specific issue that has a dependency of some kind on Active Directory. Maybe try adding a domain controller to a test account and see if that works; maybe it is restricting VPN access because it cannot authenticate to the DCs.

Regarding the network browsing, you could create a very locked-down GPO that blocks network browsing... Create an OU and place the vendor account in there. Now when they log onto the server the GPO will apply.