RDP access with least privileges

What is the best way to give a user rights to RDP to a server with the least privileges? They would like to view directories and view the registry.  I have read several articles depicting using GPO or placing the user in the Remote Desktop Users group.

DLH (Author) Asked:

Robert (System Admin) Commented:
Not sure why they would need RDP access to view directories or the registry; that can all be done remotely without logging onto a server, assuming the server is set up to allow remote registry.
As for viewing the folders, I would create a new share on the root of the drive and grant read permissions to the share, allowing them to view the directories remotely.

That said, the process of adding the user to the Remote Desktop Users group will grant them RDP access without adding any significant additional privileges.
However, to grant the "least" amount of permissions you would need to set up a new group with stripped-down rights on the computer and add the user to that group to restrict the rights, as anyone with RDP access will gain at least basic user rights on the server.
DLH (Author) Commented:
But I have 100 servers. Servers with more than one drive. I was hoping I could do this via a GPO or group.

What you are saying is that I would have to allow remote registry on all my servers including Domain Controllers. I am researching this but thinking I have to logon to each to allow this.

RDP will allow them to use the applications and create directories.

Robert (System Admin) Commented:
If you have a lot of servers that they are going to need access to, you're still going to have a lot of work to do.
Adding them to the Remote Desktop Users group will likely still not provide them access to all your directories, specifically shared directories that already have restrictive rights.

If you want to give them remote desktop access you can create a GPO and use Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.
When you do, you will get two different settings: "Members of this group" and "This group is a member of".
The difference is that "Members of this group" will remove all current members and make only the list you provide members of that group.
"This group is a member of" will add a group to another group. (I would recommend using this one.)
So create a new group with the members you want to grant rights to, then add that group to the Remote Desktop Users group using "This group is a member of: Remote Desktop Users".

As for locking down permissions on each server, Naveen has posted a few good articles on that, but basically you will need to create a group and restrict what rights it has on your servers to limit their access to the things that a normal user on the server has by default and that you do not want them to be able to do.
DLH (Author) Commented:
After reading a few articles, please tell me if this thought is correct.

Adding the user or group to the "Built In" Remote Desktop Users gives them the remote log-on capability for all Domain Controllers in the Domain. If I want to give them the capability to RDP to a member server, I need to add them on the local server.
Robert (System Admin) Commented:
That is correct: if you add them to the "Built In" group in AD it will allow them access to the DCs.
You would want to limit it to adding them to the LOCAL Remote Desktop Users group on the member servers (that is, unless you want them to have RDP access on the DCs).
Spike99 (On-Site IT Technician) Commented:
I hope you are thinking of adding a group to the local Remote Desktop Users on those servers and not individual user accounts: that could get difficult to manage with over 100 servers.

It would be better to create an AD group for those users who need this access. Then, all you need to do is add that group to the LOCAL Remote Desktop Users group on each server. Then, you don't have to go around to 100+ servers if you need to add or remove someone's access: you just need to remove their account from that AD group.
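The approach Robert and Spike99 describe (one AD group, added to the LOCAL Remote Desktop Users group on member servers only, never to the Builtin group in AD) can be rolled out and audited from one console. The script below is an added example, not code posted in the thread; it assumes PowerShell 5.1 or later on the target servers (for the Microsoft.PowerShell.LocalAccounts cmdlets), PowerShell remoting enabled, and placeholder names for the AD group and the server list file. The Restricted Groups GPO Robert mentions achieves the same membership change declaratively; this is the imperative equivalent, with the added benefit of reporting every member so stray individual accounts show up.

```powershell
# Added example (not from the thread): grant RDP to an AD group on member servers
# via the LOCAL "Remote Desktop Users" group, then report actual membership.
# Placeholders: CONTOSO\SEC-RDP-Readers (AD group) and .\member-servers.txt
# (one hostname per line; domain controllers deliberately excluded, since they
# have no local SAM and the change there would mean editing the Builtin group).

$RdpGroup = 'CONTOSO\SEC-RDP-Readers'
$Servers  = Get-Content -Path .\member-servers.txt

$results = Invoke-Command -ComputerName $Servers -ArgumentList $RdpGroup -ErrorAction Continue -ScriptBlock {
    param($Group)
    $localGroup = 'Remote Desktop Users'

    # Idempotent: only add the group if it is not already a member.
    $members = Get-LocalGroupMember -Group $localGroup | Select-Object -ExpandProperty Name
    if ($members -notcontains $Group) {
        Add-LocalGroupMember -Group $localGroup -Member $Group
    }

    # Report who holds RDP rights after the change. Anything other than the AD
    # group (or built-in administrators) is drift worth cleaning up.
    $after = Get-LocalGroupMember -Group $localGroup | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        Members      = ($after -join '; ')
        Unexpected   = (($after | Where-Object { $_ -ne $Group }) -join '; ')
    }
}

$results | Sort-Object Server | Format-Table Server, Members, Unexpected -AutoSize
```

On servers older than 2016 that lack the LocalAccounts module, `net localgroup "Remote Desktop Users" CONTOSO\SEC-RDP-Readers /add` inside the same Invoke-Command block does the add, and `net localgroup "Remote Desktop Users"` lists members. Either way, Robert's caveat still holds: membership grants an interactive logon with ordinary user rights on the box, which is why the thread ends up with the read-only share alternative instead.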
DLH (Author) Commented:
I think what I will do is to create a group and give them access to a C drive share and remote registry permissions. It appears that as a user, they are able to access or run applications and create folders. It is basically the Info Security group that needs to be able to view whether or not there was a reg change or application installed for vulnerability management.
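DLH's final plan, a read-only share plus remote registry access for the Info Security group, avoids giving anyone an interactive logon at all. The script below is an added example, not code from the thread, showing how that can be applied to a list of member servers from one place. It assumes PowerShell 5.1 or later with remoting enabled, and uses placeholder names for the AD group, the server list file and the share names. Share permissions are set to Read only; NTFS ACLs still apply underneath, so folders that are already restricted stay restricted (the point Robert raised about shared directories). The `winreg` key ACL is the Windows mechanism that decides who may connect to the Remote Registry service at all, so the group is granted read there rather than being made a local Administrator.

```powershell
# Added example (not from the thread): read-only root shares and remote registry
# read access for an audit group, applied to member servers.
# Placeholders: CONTOSO\SEC-RDP-Readers (AD group), .\member-servers.txt, Root_<drive>$ share names.

$ReaderGroup = 'CONTOSO\SEC-RDP-Readers'
$Servers     = Get-Content -Path .\member-servers.txt

$report = Invoke-Command -ComputerName $Servers -ArgumentList $ReaderGroup -ErrorAction Continue -ScriptBlock {
    param($Group)

    # 1. A hidden, read-only share on the root of every fixed drive (Robert's suggestion,
    #    extended to the multi-drive servers DLH mentions). Share permission: Read only.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        $letter = $_.DeviceID.TrimEnd(':')
        $name   = "Root_$letter`$"
        if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name $name -Path "$letter`:\" -ReadAccess $Group `
                -Description 'Read-only root share for vulnerability management' | Out-Null
        }
    }

    # 2. Remote Registry must be running for remote viewing (DLH's concern about DCs
    #    applies equally here; run this against member servers, handle DCs separately).
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # 3. Remote registry connections are authorised by the ACL on the winreg key.
    #    Grant the group ReadKey there; no admin rights are handed out.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $acl    = Get-Acl -Path $winreg
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  $Group, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $winreg -AclObject $acl

    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        Shares         = ((Get-SmbShare | Where-Object Name -like 'Root_*' | Select-Object -ExpandProperty Name) -join ', ')
        RemoteRegistry = (Get-Service -Name RemoteRegistry).Status
    }
}

$report | Sort-Object Server | Format-Table -AutoSize
```

From a reader's workstation, `Get-ChildItem \\SERVER01\Root_C$` and `reg query \\SERVER01\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` (hostname is a placeholder) confirm that directory listing and registry inspection work with no interactive logon, which is exactly the visibility into registry changes and installed applications that DLH's Info Security group asked for.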