Restrict Remote Desktop access to specific users to specific servers in a domain environment?












6















I have a domain controller and I want to allow certain user accounts Remote Desktop access to certain servers in the same domain.



There are many servers that can be accessed via the Remote Desktop Protocol, but I'd like to restrict these users to connecting only to the servers I allow, not all of them.



For example, I have user "Billy" and I want him to be able to RDP to servers "1" and "2" but not to server "3".



Please explain a good approach to this problem.










      windows remote-desktop domain






      edited Jan 2 '16 at 0:24









      Ben N











      asked Dec 28 '15 at 14:07









      Kippix






















          3 Answers
            6








            Restricted remote-desktop connection in domain environment for domain-user

            Solution

            To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege.

            To do this, access a group policy editor (either local to the server or from an OU) and set this privilege:

            1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.
            2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
            3. Find and double-click "Deny logon through Remote Desktop Services".
            4. Add the user and/or the group that you would like to deny access.
            5. Click OK.
            6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.





            Source






            edited Nov 22 '17 at 19:32

























            answered Dec 28 '15 at 14:16









            Pimp Juice IT













            • Thank you very much! That is precisely what I was looking for.

              – Kippix
              Dec 28 '15 at 14:25













            • Note, you'd maybe want to just deny everyone on RDP and then allow specific users by adding them to the remote desktop group.

              – djsmiley2k
              Jul 24 '16 at 13:48
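One way to verify the result of the procedure above on a given server, as an added example that is not part of the original answer: it exports the effective User Rights Assignment with secedit and lists who holds the RDP allow right (SeRemoteInteractiveLogonRight) and the deny right (SeDenyRemoteInteractiveLogonRight), followed by the members of the local Remote Desktop Users group mentioned in the comment. The function names are hypothetical, and the script assumes an elevated PowerShell session on the server being checked.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer): audit who may and may not
# log on through Remote Desktop Services on this server.

function Resolve-PrincipalName {
    param([string]$Entry)
    # secedit writes resolved principals as "*S-1-5-..." and others as plain names.
    $value = $Entry.Trim()
    if (-not $value.StartsWith('*S-')) { return $value }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $value   # orphaned or untranslatable SID: show it as exported
    }
}

function Get-RdpLogonRight {
    # Export only the User Rights Assignment area of the effective policy.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed with exit code $LASTEXITCODE"
        }
        $rights = @{
            SeRemoteInteractiveLogonRight     = 'Allow'
            SeDenyRemoteInteractiveLogonRight = 'Deny'   # deny wins over allow
        }
        foreach ($line in Get-Content -Path $cfg) {
            $name, $members = $line -split '=', 2
            $name = $name.Trim()
            if (-not $rights.ContainsKey($name)) { continue }
            foreach ($entry in ($members -split ',')) {
                if ($entry.Trim()) {
                    [pscustomobject]@{
                        Computer  = $env:COMPUTERNAME
                        Effect    = $rights[$name]
                        Principal = Resolve-PrincipalName $entry
                    }
                }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Rights as applied after the last policy refresh.
Get-RdpLogonRight | Sort-Object Effect, Principal | Format-Table -AutoSize

# Members of the built-in Remote Desktop Users group (well-known SID, so the
# lookup also works on localized Windows installations).
Get-LocalGroupMember -SID 'S-1-5-32-555' |
    Select-Object Name, ObjectClass, PrincipalSource
```

If the deny right does not appear in the output after a policy refresh, the policy is not applied to this server and the account is limited only by the allow list.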



















            1














            The best option to me in this case is to simply modify the properties of the user's AD account. Under the "Account" tab, select "Log On To" and there you can specify to which computers the user is allowed to log in. You will of course want to allow them to log in to their own workstation, but you can also add the terminal servers to which they should be allowed to log in.

            The downside to this method, depending on your environment, is that the user would not be allowed to log in at other workstations either, unless those workstations are specified in this list of allowed systems.






                answered Jun 22 '16 at 17:38









                Gary H
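The "Log On To" list described in this answer is exposed as the account's LogonWorkstations property, so it can also be maintained with the ActiveDirectory PowerShell module. This added example (not from the original answer) merges new computers into the existing list instead of overwriting it; the function name and the computer names SERVER1, SERVER2 and BILLY-PC are assumptions built on the question's scenario.

```powershell
# Added example (not from the original answer). Requires the RSAT
# ActiveDirectory module and rights to modify the user account.
Import-Module ActiveDirectory

function Add-AllowedLogonComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$Computer
    )

    # Fail early on typos: every name must be an existing computer account.
    foreach ($c in $Computer) {
        Get-ADComputer -Identity $c -ErrorAction Stop | Out-Null
    }

    # An empty list means "may log on anywhere". As soon as one name is
    # present, every computer not listed is refused, which is the downside
    # the answer describes.
    $account = Get-ADUser -Identity $User -Properties LogonWorkstations
    $current = @()
    if ($account.LogonWorkstations) {
        $current = $account.LogonWorkstations -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    }

    # Merge with what is already allowed so existing entries are not lost.
    $merged = @($current) + @($Computer) | Sort-Object -Unique

    if ($PSCmdlet.ShouldProcess($User, "Set Log On To: $($merged -join ', ')")) {
        Set-ADUser -Identity $account -LogonWorkstations ($merged -join ',')
    }

    # Show the stored value so the change can be confirmed.
    Get-ADUser -Identity $account -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}

# Constructed names: Billy may use servers 1 and 2 and his own workstation.
# -WhatIf previews the change; remove it to apply.
Add-AllowedLogonComputer -User 'Billy' -Computer 'SERVER1', 'SERVER2', 'BILLY-PC' -WhatIf
```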























                    0














                    I don't know if this is the answer you are looking for, but it may be helpful.

                    1. Go to Advanced Firewall settings, then Inbound, and search for RDP.
                    2. From Scope, you can specify the IP you want to give access to through RDP; put in as many IPs as you want.
                    3. Go to the properties of RDP and choose to block the connection instead of allow.

                    Note: Don't forget that each hosting company has an IP range for technical support issues. Ask them about it and allow them as well, or else you may have trouble getting technical support.






                    edited Jul 24 '16 at 13:40









                    djsmiley2k











                    answered Jul 21 '16 at 9:07









                    Medhat Fawzy








                    • 1





                      This does not achieve the user's desire to configure his infrastructure to allow User A access to only specific servers. This just solves any problems caused by a firewall, but honestly, it is a solution that amounts to using a shovel to open the "security door."

                      – Ramhound
                      Jul 21 '16 at 15:11













