
Easy way to restrict access to only two servers

Status
Not open for further replies.

DanielUK (IS-IT--Management, GB)
Jul 22, 2003
Hi,

I've recently added two new servers to our domain that house our order processing software and its backup.

As part of our support we allow RDP access to the software providers. At the moment I have their domain account set up as a default domain admin so they can go between both servers. However, I realise that this gives them access to the rest of the domain. What's the easiest way to restrict their account to only those two servers?

Thanks

Dan
 
First of all, do they need to be in domain admin, as that gives them a lot of rights/access?

In my opinion, I would create a domain local group, make that group part of the local administrator group on each server; this should be enough to allow them to RDP to each server and do their work. If they can't access it, then you may need to add the group to the remote desktop users group on each server.

As with most things, you can probably streamline it.
 
OK, sorry to be a bit dense here, but how do I make a domain local group part of the local administrator group on each server?

I've created a domain local group called "Developers". I've logged into one of the servers in question and I'm looking at the "Local Users and Groups" under Computer Management.

Am I to assume that the "Administrators" group listed here is the one relating to the local server, i.e., this is what I add the Developers group to? It's the bit that says "Administrators have complete and unrestricted access to the computer/domain" that has fazed me... I don't want complete and unrestricted access to the domain, only the servers in question.

Thanks

Dan
 
I'm sorry, but that answer is incorrect. There is a group on the server that is specifically designed for granting RDP permissions called Remote Desktop Users.

Secondly, the preferred method in a domain environment is that Users go in Global Groups, Global Groups go in Domain Local Groups, and Domain Local Groups go in DACLs. You cannot nest a domain local group in a local group (maybe unless you're in Native mode, I can't remember off the top of my head).

In answer to your specific scenario, I would do the following:

1) Create a *global* group for your vendors.
2) Take your vendors out of the domain admins or domain local admins group and make them regular users or guests.
3) Add the previously created vendor global group to two groups on each of the local servers: Remote Desktop Users, and Administrators (if those privileges are necessary).
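As an added illustration of the three steps above (example code, not from this thread), this PowerShell script creates the global group, removes the vendor accounts from Domain Admins, and grants the group RDP and local admin rights on the two servers only, then verifies the result. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell 5.1 or later with PS Remoting on the servers, and that the placeholder domain, group, account and server names are replaced with your own.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory

$Domain  = 'CORP'                             # placeholder NetBIOS domain name
$Group   = 'Vendor-OrderProcessing'           # placeholder global group name
$Vendors = @('vendor.smith', 'vendor.jones')  # placeholder vendor accounts
$Servers = @('ORDERSRV01', 'ORDERSRV02')      # placeholder: the two servers only

# Step 1: a *global* security group for the vendors.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Description 'Vendor RDP and local admin on order-processing servers only'
}
Add-ADGroupMember -Identity $Group -Members $Vendors

# Step 2: take the vendor accounts out of Domain Admins so they are ordinary domain users.
foreach ($user in $Vendors) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $user `
        -Confirm:$false -ErrorAction SilentlyContinue
}

# Step 3: on each of the two servers only, add the global group to the local
# Remote Desktop Users group and (only because local admin is required) Administrators.
Invoke-Command -ComputerName $Servers -ArgumentList "$Domain\$Group" -ScriptBlock {
    param($Member)
    foreach ($local in 'Remote Desktop Users', 'Administrators') {
        $already = Get-LocalGroupMember -Group $local -ErrorAction SilentlyContinue |
                   Where-Object Name -eq $Member
        if (-not $already) { Add-LocalGroupMember -Group $local -Member $Member }
    }
    # Verify: this membership lives in the server's local SAM, so it grants
    # nothing on other machines or on the domain itself.
    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        RDP    = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name -contains $Member
        Admin  = (Get-LocalGroupMember -Group 'Administrators').Name -contains $Member
    }
}

# Confirm no vendor account still holds domain-wide admin rights (expect no output).
Get-ADGroupMember -Identity 'Domain Admins' | Where-Object SamAccountName -in $Vendors
```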
 
Thanks, OK I'll look at that too.

They do need *local* admin privileges, so I'm wondering: if I add them to the local server Administrators group, does that keep them as admin only on the local server? This may sound like an obvious question, but if I read the default description regarding "complete and unrestricted access to the computer/domain" I get worried!

Thanks

Dan
 