GPO to deny local user accounts from authenticating across the network

We recently had an audit done and one of the findings was that local computer/server accounts could authenticate across the network. For instance I can RDP to a server and use the local admin account to logon to the server. I have tried a few GPO's and read a few articles but I cant seem to get this fixed. Any ideas would be appreciated (server 2008r2 DC).
bankadminAsked:
Who is Participating?
 
Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
You would want to set the User Rights Assignment settings in your domain so only Domain Users accounts exist in each of the appropriate right assignments. This would be in the COmputer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node.

The only one you really need to worry about is the "Allow Logon through Remote Desktop Services" right, which is the only "network" authentication type local accounts can be assigned. Just make sure Authenticated Users is not set with that right in any GPOs that define the policy on your Domain.

Another thing you'll need to do is modify the Remote Desktop Users group on systems using Restricted Groups GPO settings, which are available as a video tutorial here:

When you set a restricted groups policy in a GPO, it will modify whichever group you set so it can only have the members defined by the GPO with highest precedence. Restricting membership to the Remote Desktop Users group on local computers will prevent users from accessing RDP without being given the correct user right or being a member of whichever group you set to be a member of the restricted group in Group Policy.
1
 
bankadminAuthor Commented:
that worked
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.