[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

GPO to deny local user accounts from authenticating across the network

Posted on 2016-09-13
2
Medium Priority
?
81 Views
Last Modified: 2016-09-21
We recently had an audit done and one of the findings was that local computer/server accounts could authenticate across the network. For instance I can RDP to a server and use the local admin account to logon to the server. I have tried a few GPO's and read a few articles but I cant seem to get this fixed. Any ideas would be appreciated (server 2008r2 DC).
0
Comment
Question by:bankadmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 43

Accepted Solution

by:
Adam Brown earned 2000 total points
ID: 41796793
You would want to set the User Rights Assignment settings in your domain so only Domain Users accounts exist in each of the appropriate right assignments. This would be in the COmputer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node.

The only one you really need to worry about is the "Allow Logon through Remote Desktop Services" right, which is the only "network" authentication type local accounts can be assigned. Just make sure Authenticated Users is not set with that right in any GPOs that define the policy on your Domain.

Another thing you'll need to do is modify the Remote Desktop Users group on systems using Restricted Groups GPO settings, which are available as a video tutorial here:

When you set a restricted groups policy in a GPO, it will modify whichever group you set so it can only have the members defined by the GPO with highest precedence. Restricting membership to the Remote Desktop Users group on local computers will prevent users from accessing RDP without being given the correct user right or being a member of whichever group you set to be a member of the restricted group in Group Policy.
1
 

Author Closing Comment

by:bankadmin
ID: 41809375
that worked
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question