RE: Restrict Windows login to certain IPs/hosts for certain domain accounts?

Sure you can create an account and put it in the local Admins group in
AD and then in the Properties of that account list the servers you want
it to login to

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of christopher@xxxxxxxxxxx
Sent: Friday, April 27, 2007 3:41 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Restrict Windows login to certain IPs/hosts for certain domain
accounts?

Hello to all,


I'm working with a particular client who would like to use a certain

domain account with local admin rights for config and other monitoring

via BMC, but would like to restrict that account so that it can only

log on to other systems from a single IP or a small range of IPs

(i.e., the monitoring servers), so that its local admin rights are not

used/abused by others. The client has Windows 2000 and 2003 servers,

and mostly 2000 and XP workstations. The client is using Cisco

Security Agent on the servers, so if that can factor in, that would be

fine, too. Essentially, we need an account with local admin that can

do anything on those systems for the monitoring but can't mess with AD

and can't be used from other locations by other users who might know

the password (or attackers who have guessed the password).


Is this possible? Would simply restricting local logon/TS logon via

user rights be enough? Anyone have ideas that might be helpful? I'm

wide open to suggestions; the Windows guys here are pretty good, but

even they aren't sure how to approach this. Thanks for any assistance.


Sincerely,

Chris Mallow

-----------------------------------------
***********************
Confidentiality Notice:
This message and any attachment(s) transmitted with it are the
property of Cole Taylor Bank and/or its affiliates and solely for
the use of the individual or entity to which this message is
addressed and contains information that is confidential. If the
reader of this message is not the intended recipient, you are
hereby notified that any review, retransmission, disclosure,
copying, distribution or the taking of any action in reliance on
the contents of this communication by persons or entities other
than the intended recipient is strictly prohibited. If you have
received this email in error, please contact the sender and delete
the material from any computer.
***********************


Relevant Pages

  • SUMMARY: ping-only account
    ... Monitoring is done by remote applications and they just watch ... > item they do is to log on to a system and do a ping. ... > restricted shell, account. ... > servers, the task is to one thing: ...
    (SunManagers)
  • ping-only account
    ... item they do is to log on to a system and do a ping. ... restricted shell, account. ... The problem is the high turnover of our monitoring personnel and the ... servers, the task is to one thing: ...
    (SunManagers)
  • Re: Domain Profiles Borked - Cant Grant Admin Rights - HELP!!!
    ... > status of their account. ... local Admin rights were given to ... > afflicted machine and give them local Admin rights, ... the SID of your users is no longer the same as it was. ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Changing Admin PW on a large number of servers
    ... The problem with that approach is that it assumes all the servers are ... Do you really need the Admin user account? ... Rename the local admin account to something else. ...
    (microsoft.public.windows.server.security)
  • Restrict Windows login to certain IPs/hosts for certain domain accounts?
    ... domain account with local admin rights for config and other monitoring ...
    (Focus-Microsoft)