Solved

GPO to deny local user accounts from authenticating across the network

Posted on 2016-09-13
2
75 Views
Last Modified: 2016-09-21
We recently had an audit done and one of the findings was that local computer/server accounts could authenticate across the network. For instance I can RDP to a server and use the local admin account to logon to the server. I have tried a few GPO's and read a few articles but I cant seem to get this fixed. Any ideas would be appreciated (server 2008r2 DC).
0
Comment
Question by:bankadmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41796793
You would want to set the User Rights Assignment settings in your domain so only Domain Users accounts exist in each of the appropriate right assignments. This would be in the COmputer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node.

The only one you really need to worry about is the "Allow Logon through Remote Desktop Services" right, which is the only "network" authentication type local accounts can be assigned. Just make sure Authenticated Users is not set with that right in any GPOs that define the policy on your Domain.

Another thing you'll need to do is modify the Remote Desktop Users group on systems using Restricted Groups GPO settings, which are available as a video tutorial here:

When you set a restricted groups policy in a GPO, it will modify whichever group you set so it can only have the members defined by the GPO with highest precedence. Restricting membership to the Remote Desktop Users group on local computers will prevent users from accessing RDP without being given the correct user right or being a member of whichever group you set to be a member of the restricted group in Group Policy.
1
 

Author Closing Comment

by:bankadmin
ID: 41809375
that worked
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question