Re: Logon Using Terminal Services GPO


"Mathieu CHATEAU" <gollum123@xxxxxxx> wrote in message
news:%23RIV5W%233HHA.3600@xxxxxxxxxxxxxxxxxxxxxxx
You can create a GPO that only apply to this DC.
Use GPMC if not already.
Add a security filtering on the GPO, so it apply only to this DC.

Take care, being admin of DC means admin of the Domain. They may change
your GPO to get full access anyway

Actually being in Administrators does not mean they are admin
of the domain, they need to be in Domain Admins for that.
However, it does mean they could easily elevate their account
to Domain Admins membership.

To poster:
Limiting them to RDP login on one DC, as Mathieu has indicated via
a GPO impacting only the intended DC, will not really gain you much.
Once on there they only need to open up any of a number of remote
management tools and set the focus to DC of choice.
If you do not have trust then do not extend trust.
There is no middle ground.

Roger

"Mathew V" <mvlandys@xxxxxxxxx> wrote in message
news:1187247447.765096.311480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,
I've searching high and low for an answer but it doesn't look like
anyone has asked this question before. The company I work for has 5
domain controllers (all in separate locations - Aus, UK, India etc).
The company's main IT Dept (who I work for) admins all these servers,
though recently we have employed some systems admin contractors to
look after the AD servers in India.

The server is in a rack with no monitor attached so the only way for
these guys to log in is via RDP/Terminal Services. I have added their
user account in "Domain Controller Security Policy" -> "User Rights
Assignment" -> "Allow log on through Terminal Services".

So now they can logon remotely and administer the server (check event
logs, create users etc). I have also given them the right to shut down
the server, as from time to time they may need to bounce the server
for hardware upgrades etc.

Though I do not want them having RDP access or shutdown other servers
within the domain. Unfortunately the GPOs that I've edited give these
users those permissions throughout all domain controllers.

Is there a way to specify which domain controllers I want these users
to be able to RDP & shutdown.




.

Relevant Pages

  • Re: Secure host newbie - fun - humm
    ... decision, as the admin, whether or not to take down the server. ... Listen, as a security specialist, I *know* that every single box that I, ... some level of risk and that there is no "100% I'm secure" level. ...
    (Security-Basics)
  • Re: WTS 2003: Unable to login to WTS even as administrator
    ... Please check every GPO. ... Admin and start a TS-Session from the Server to itself. ... also for a Setting that denys normal User a logon localy at the DC. ...
    (microsoft.public.windows.terminal_services)
  • Re: Server Operator Role
    ... domain admin and then keep in mind that a domain admin can get Enterprise Admin ... Joe Richards Microsoft MVP Windows Server Directory Services ... The server operator role allows ... the group cannot run the TS Policy. ...
    (microsoft.public.win2000.active_directory)
  • Re: Two Server Setup Question.
    ... That external trust factor thing ... get your admin domain up first. ... Microsoft Certified Trainer, Microsoft MVP - Windows ... Microsoft Windows & SQL Server Advisory Panel Member ...
    (microsoft.public.windows.server.setup)
  • Re: Two Server Setup Question.
    ... That external trust factor ... get your admin domain up first. ... Microsoft Certified Trainer, Microsoft MVP - Windows ... Microsoft Windows & SQL Server Advisory Panel Member ...
    (microsoft.public.windows.server.setup)