RDP access with least privileges

What is the best way to give a user rights to RDP to a server with the least privileges? They would like to view directories and view the registry.  I have read several articles depicting using GPO or placing the user in the Remote Desktop Users group.

Robert (System Admin) commented:
Not sure why they would need RDP access to view directories or the registry; that can all be done remotely without logging on to a server,
assuming the server is set up to allow remote registry.
As for viewing the folders, I would create a new share on the root of the drive and grant the read permissions to the share, allowing them to view the directories remotely.

That said, the process of adding the user to the Remote Desktop Users group will grant them RDP access without adding any significant additional privileges.
However, to grant the "least" amount of permissions you would need to set up a new group with stripped-down rights on the computer and add the user to that group to restrict the rights,
as anyone with RDP access will gain at least basic user rights on the server.
DLH DLH (Author) commented:
But I have 100 servers. Servers with more than one drive. I was hoping I could do this via a GPO or group.

What you are saying is that I would have to allow remote registry on all my servers, including Domain Controllers. I am researching this but thinking I have to log on to each to allow this.

RDP will allow them to use the applications and create directories.
Robert (System Admin) commented:
If you have a lot of servers that they are going to need access to, you're still going to have a lot of work to do.
Adding them to the Remote Desktop Users group will likely still not provide them access to all your directories, specifically on shared directories that already have restrictive rights.

If you want to give them remote desktop access you can create a GPO and use the Computer config\policies\windows settings\security settings\restricted groups.
When you do, you will get 2 different settings: "Members of this group" and "Group is a member of".
The difference is "Members of this group" will remove all current members and make only the list you provide a member of that group.
"Group is a member of" will add a group to another group. (I would recommend using this one.)
So create a new group with the members you want to grant rights to, then add that group to the Remote Desktop Users group using the "Group is a member of: Remote desktop users".

As for locking down permissions on each server, Naveen has posted a few good articles on that, but basically you will need to create a group and restrict what rights it has on your servers, to limit their access to the things that you do not want them to be able to do that a normal user on the server has by default.
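The two Restricted Groups modes described in the comment above are stored in the GPO's `GptTmpl.inf` (under `Machine\Microsoft\Windows NT\SecEdit` in SYSVOL) as `__Members` and `__Memberof` entries. The following check is an added example, not part of the original thread: it reads such a template and reports whether each Remote Desktop Users grant replaces or adds to the membership. The group `CONTOSO\RDP-Viewers`, the `S-1-5-21-...` SID and both sample templates are constructed for illustration.

```python
import re

RDP_USERS = "*S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users

# Constructed GptTmpl.inf fragments; the group name and S-1-5-21 SID are made up.
ADDITIVE_GPO = """\
[Group Membership]
CONTOSO\\RDP-Viewers__Memberof = *S-1-5-32-555
CONTOSO\\RDP-Viewers__Members =
"""
REPLACING_GPO = """\
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\\RDP-Viewers,*S-1-5-21-1111-2222-3333-1105
"""

ENTRY = re.compile(
    r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)


def rdp_grants(inf_text):
    """Return (mode, principals) for each entry that grants Remote Desktop Users."""
    grants, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        group, kind = m["group"].strip(), m["kind"].lower()
        values = [v.strip() for v in m["value"].split(",") if v.strip()]
        # Only the SID form of the group is matched; entries with empty
        # values are not classified by this check.
        if kind == "members" and group.upper() == RDP_USERS and values:
            # "Members of this group": the list becomes the whole membership.
            grants.append(("replace", values))
        elif kind == "memberof" and RDP_USERS in (v.upper() for v in values):
            # "Group is a member of": the group is added, others are kept.
            grants.append(("add", [group]))
    return grants


if __name__ == "__main__":
    for name, text in (("additive", ADDITIVE_GPO), ("replacing", REPLACING_GPO)):
        print(name, rdp_grants(text))
```

A "replace" result on a policy linked to many servers is worth reviewing before rollout, since existing Remote Desktop Users members on those servers would be removed.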
DLH DLH (Author) commented:
After reading a few articles, please tell me if this thought is correct.

Adding the user or group to the "Built In" Remote Desktop Users gives them the remote log-on capability for all Domain Controllers in the Domain. If I want to give them the capability to RDP to a member server, I need to add them on the local server.
