Asked by jimstrickland
Restrict AD user to logging into a single VM

I have a consultant who needs VPN access to our internal network. However, once on that network, I only want him to be able to login to one specific machine, using remote desktop. I don't want him to have access to any other machines. How do I configure AD so he only gets access to the one machine once connected to the VPN? I tried Log On To under the Account tab in the Active Directory User. However, that seems to simply mean he can only login to the domain from that computer, which results in the VPN connection not even being established. I feel like I am missing a basic function.
ASKER CERTIFIED SOLUTION
Shaun Kline

SOLUTION
jimstrickland (ASKER)
@Shaun Kline
I will have to look into whether I can restrict the VPN access to one IP address. I had not thought of that. We are using a Cisco Meraki MX100 for our security appliance.

@Rob Williams
I tried the "log on to" option in the AD user profile. Unfortunately, that option seems to disable VPN login for the user, and also acts more like restricting which computer the user can login to the AD domain from, rather than which computer they can login to.
If it disables VPN access then the VPN server (Meraki) must use domain authentication, or you have a TS Gateway. You might have to grant access to the TS Gateway server and/or AD server, though I don't recall ever having to do so. You can definitely restrict access by IP within the VPN configuration, but may not be able to do so per user.

When you say they need to "log in to" I assumed RDP. Is that the case?
@Rob Williams

You are correct. They need to remote desktop into this one computer.
Interesting. Surprised the AD setting doesn't work. I have used it in the past for that purpose, however I don't know that the client had a TS Gateway. Do you have a TS Gateway? If so, the initial connection is made to it and when approved it passes on to the specific machine. If that is the case you might try an RDP connection directly to the IP of the machine to which they want to connect.
I don't have a TS Gateway. Even taking the VPN completely out of the picture, I can't remote desktop to that computer from another computer on the same subnet using the "Log On To" feature unless I include the name for the computer I am initiating the RDP session from in the list of Log On To computers. That is what is making me think that this feature is more restricting what computer I can login to the domain from, rather than restricting which computer I can login to. I hope I didn't muddy the waters too much. Below is a picture of the message I get when I try to RDP to that computer from another one on the same subnet.

[image: the error message shown when attempting the RDP connection from another computer on the same subnet]
It turns out that creating a Layer 3 access rule in the Meraki security device was the best move. I was able to create a group policy restricting access to the one computer. Once the user connected via VPN the first time, I could apply the group policy, and he could only access that one computer. Thanks guys.
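The approach that resolved this thread (a per-user Meraki group policy with a Layer 3 rule allowing only the one host) is easy to get subtly wrong: Meraki's L3 rule list ends with an implicit allow-any, so a policy that contains only the allow rule and no closing deny restricts nothing. The following added example (not code from the thread or from Cisco Meraki) models the rule list in the shape the Meraki dashboard/API uses for group-policy L3 firewall rules, evaluates sample flows first-match, and checks that a policy really scopes the user to a single RDP host; the host address is a constructed placeholder.

```python
import ipaddress

# Constructed sample rules in the shape used for a Meraki group policy's
# L3 firewall rules (policy, protocol, destPort, destCidr). The address is a
# placeholder, not a value from the original thread.
RDP_HOST = "10.0.5.25/32"   # the single machine the consultant may reach
CONSULTANT_RULES = [
    {"comment": "RDP to the one host", "policy": "allow",
     "protocol": "tcp", "destPort": "3389", "destCidr": RDP_HOST},
    {"comment": "block all other internal access", "policy": "deny",
     "protocol": "any", "destPort": "any", "destCidr": "any"},
]
# Same intent, but without the closing deny: the implicit final rule is
# "allow any", so this policy restricts nothing.
RULES_MISSING_DENY = CONSULTANT_RULES[:1]


def _match(rule, proto, dst_ip, dst_port):
    """True if a flow matches one rule (single ports only, no ranges)."""
    if rule["protocol"] not in ("any", proto):
        return False
    if rule["destCidr"] != "any" and ipaddress.ip_address(dst_ip) \
            not in ipaddress.ip_network(rule["destCidr"]):
        return False
    return rule["destPort"] in ("any", str(dst_port))


def evaluate(rules, proto, dst_ip, dst_port):
    """First-match evaluation; no match falls through to the implicit allow."""
    for rule in rules:
        if _match(rule, proto, dst_ip, dst_port):
            return rule["policy"]
    return "allow"


def scoped_to_single_host(rules, host_cidr, port):
    """Check that the list allows only TCP host_cidr:port and ends with an
    explicit deny-any, so it never relies on the implicit allow."""
    if not rules:
        return False
    last = rules[-1]
    if (last["policy"], last["protocol"], last["destPort"], last["destCidr"]) \
            != ("deny", "any", "any", "any"):
        return False
    for rule in rules[:-1]:
        if rule["policy"] == "allow" and (
                rule["protocol"] != "tcp" or rule["destCidr"] != host_cidr
                or rule["destPort"] != str(port)):
            return False
    return True
```

Running `scoped_to_single_host` against the policy exported from the dashboard is a quick way to confirm the deny rule was not forgotten before the consultant's next VPN session.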
Thanks Jim.
Glad you were able to resolve. Not 100% clear on how it's configured now, once the group policy is applied. Is it the LogOnTo option or the VPN config that is controlling access now? Just curious for future reference. Main reason I participate on EE is I learn from every question :-)
Thanks
Only the VPN config is controlling access now.
OK, thanks for letting me know.