Re: How can I prevent a TS user from TS or RDP to another server?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/30/04

    Date: Thu, 29 Jul 2004 21:35:29 -0700
    
    

    And why do they need to be a Domain Admin in order to
    do things on that one server?
    If in fact they need Domain Admin it would be because
    they also need to do things on other servers, or to the
    definitions of your domain at the controllers.
    If that is so, it would seem your concern about them going
    around in your domain is ill-founded. You have given them
    Domain Admin so that they can do that.
    On the other hand, if they only need to be local administrators
    on the one server, then you can use standard methods of the
    domain user account given them, that is an admin on that one
    server, to control where that domain user account may be used.

    -- 
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "John Smith" <someone@microsoft.com> wrote in message
    news:6JiOc.16033$DZ.1345900@twister.tampabay.rr.com...
    > Sorry, let me try to make it clear...
    >
    > These people are contractors/vendors (i.e. Cisco Engineers hired to
    > troubleshoot Win2KSVR box with CallManager installed on it), they VPN into
    > my workplace and then they can TS or RDP to the specific designated server.
    > So, I just want them to be able to TS or RDP to this box only and if they
    > try to open a TS or RDP to another box it would be restricted.
    > The problem is that they have to be Domain Admins in order to manage this
    > box. So, is there any way to actually include this user on a OU; let's say
    > "Vendors" and manage the Terminal Server connection or Remote Desktop
    > Connection via a GPO setting or so?
    >
    > Thank you very much....
    >
    > Hector
    >
    > "Colin Nash [MVP]" <cnash x@x mvps.org> wrote in message
    > news:e1hc0obdEHA.244@TK2MSFTNGP12.phx.gbl...
    > > So he's a Domain Admin but you don't want him administering your domain?
    > > Maybe I don't understand...
    > >
    > >
    > > "GX" <GX@DOMAIN.com> wrote in message
    > > news:9CdOc.333$Hu2.108@tornado.tampabay.rr.com...
    > > > Big Picture
    > > >
    > > > How can I prevent a TS user from TS or RDP to another server?
    > > >
    > > > Scenario:
    > > >
    > > > Users (Vendors) log into my organization via VPN. They are set up on the
    > > > VPN under a group which has only access to one machine and back via RDP.
    > > > (i.e. Microsoft Group has access to the Microsoft Server Box, now we set up
    > > > John on the Microsoft group and he has only RDP access to the Win2KSVR). In
    > > > order for them to get into the Win2KSVR they are also set up on the network
    > > > as jdoe (Domain Admins) and that's the way he logs into the Win2KSVR.
    > > >
    > > > Concern:
    > > >
    > > > John VPN into organization and RDP to Win2KSVR did what he needed to do
    > > > and opened the network neighborhood and saw all the servers we have. Now he
    > > > wants to browse and log into the boxes he has no need in logging in.
    > > >
    > > > Question:
    > > >
    > > > How can I prevent a user from logging into another machine via TS or RDP
    > > > when they are logged into a machine via TS or RDP?
    > > >
    > > >
    > >
    > >
    > >
    >
    >
    
