Restrict AD user to logging into a single VM

I have a consultant who needs VPN access to our internal network. However, once on that network, I only want him to be able to login to one specific machine, using remote desktop. I don't want him to have access to any other machines. How do I configure AD so he only gets access to the one machine once connected to the VPN? I tried Log On To under the Account tab in the Active Directory User. However, that seems to simply mean he can only login to the domain from that computer, which results in the VPN connection not even being established. I feel like I am missing a basic function.
Asked by jimstrickland.

Shaun Kline (Lead Software Engineer) commented:
This would seem like something that is done in the VPN setup, where the user can access only one IP address when they log in to the VPN. From there, the user account they use to log into that computer should be granted only minimal permissions on that computer and no permissions to any other computer.
Rob Williams commented:
In AD under the user's profile, on the "Account" tab you can select "log on to" and choose what computer/s the user can access.  This affects local use and VPN.

The default is "all".
jimstrickland (Author) commented:
@Shaun Kline
I will have to look into whether I can restrict the VPN access to one IP address. I had not thought of that. We are using a Cisco Meraki MX100 for our security appliance.

@Rob Williams
I tried the "log on to" option in the AD user profile. Unfortunately, that option seems to disable VPN login for the user, and also acts more like restricting which computer the user can login to the AD domain from, rather than which computer they can login to.
Rob Williams commented:
If it disables VPN access then the VPN server (Meraki) must use Domain Authentication, or you have a TS Gateway.  You might have to grant access to the TS Gateway server and or AD server, though I don't recall ever having to do so.  You can definitely restrict access by IP within the VPN configuration, but may not be able to do so per user.

When you say they need to "log in to" I assumed rdp..  Is that the case?
jimstrickland (Author) commented:
@Rob Williams.

You are correct. They need to remote desktop into this one computer.
Rob Williams commented:
Interesting.  Surprised the AD setting doesn't work.  I have used in the past for that purpose, however I don't know that the client had a TS Gateway.  Do you have a TS Gateway?  If so, the initial connection is made to it and when approved it passes on to the specific machine.  If that is the case you might try an RDP connection directly to the IP of the machine to which they want to connect.
jimstrickland (Author) commented:
I don't have a TS Gateway. Even taking the VPN completely out of the picture, I can't remote desktop to that computer from another computer on the same subnet using the "Log On To" feature unless I include the name for the computer I am initiating the RDP session from in the list of Log On To computers. That is what is making me think that this feature is more restricting what computer I can login to the domain from, rather than restricting which computer I can login to. I hope I didn't muddy the waters too much. Below is a picture of the message I get when I try to RDP to that computer from another one on the same subnet.

[Image: Log On To error message]

jimstrickland (Author) commented:
It turns out that creating a Layer 3 access rule in the Meraki security device was the best move. I was able to create a group policy restricting access to the one computer. Once the user connected via VPN the first time, I could apply the group policy, and he could only access that one computer. Thanks guys.
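As an added example (not from the thread or from Meraki), the allow-one-host-then-deny shape of the Layer 3 rule set described above, written in Python with a small first-match evaluator so the rule order can be sanity-checked before it is applied in a group policy. The field names (comment, policy, protocol, destPort, destCidr) are assumed to mirror the Meraki dashboard's L3 rule fields, and the target VM address and internal ranges are constructed values.

```python
import ipaddress

# Constructed values for this example: the consultant's target VM and the
# internal ranges the VPN client must not otherwise reach.
TARGET_VM = "10.0.5.25"
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
RDP_PORT = 3389


def build_l3_rules(target_ip, internal_nets, port=RDP_PORT):
    """Return an ordered rule list shaped like Meraki group-policy L3 rules.

    First match wins, so the single allow for RDP to the target host must come
    before the deny rules that cover the rest of the internal address space.
    """
    rules = [{"comment": "Consultant RDP to single VM", "policy": "allow",
              "protocol": "tcp", "destPort": str(port),
              "destCidr": f"{target_ip}/32"}]
    for net in internal_nets:
        rules.append({"comment": f"Block rest of {net}", "policy": "deny",
                      "protocol": "any", "destPort": "any", "destCidr": net})
    return rules


def _matches(rule, proto, dst_ip, dst_port):
    if rule["protocol"] not in ("any", proto):
        return False
    if rule["destPort"] != "any" and rule["destPort"] != str(dst_port):
        return False
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(
        rule["destCidr"], strict=False)


def evaluate(rules, proto, dst_ip, dst_port):
    """First-match evaluation; assumes the implicit final rule is 'allow',
    which is why the explicit deny rules are needed at all."""
    for rule in rules:
        if _matches(rule, proto, dst_ip, dst_port):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_l3_rules(TARGET_VM, INTERNAL_NETS)
    checks = [("tcp", TARGET_VM, 3389),   # the one permitted path
              ("tcp", TARGET_VM, 445),    # same host, other service
              ("tcp", "10.0.5.26", 3389)]  # neighbouring host
    for proto, ip, port in checks:
        print(f"{proto} {ip}:{port} -> {evaluate(rules, proto, ip, port)}")
```

Swapping the order of the allow and deny rules makes the evaluator return "deny" for the target VM, which is the mistake this check is meant to catch before the policy is pushed to the consultant's VPN client.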
Rob Williams commented:
Thanks Jim.
Glad you were able to resolve.  Not 100% clear of how configured now, once group policy applied.  Is the LogOnTo option or the VPN config that is controlling access now.  Just curious for future reference.  Main reason I participate on EE, is I learn from every question  :-)
Thanks
jimstrickland (Author) commented:
Only the VPN config is controlling access now.
Rob Williams commented:
OK, thanks for letting me know.