
How to restrict Local Administrators from accessing RDP Windows 2003?


1LUV1T (IS-IT--Management), Nov 6, 2006
Does anyone know if it's possible to restrict local admin accounts from accessing RDP in a Windows 2k3 server environment?

I enabled RDP on Win2k3 server, chose "Select Remote Users" and added two Domain Admin accounts and removed Local Administrator. However the message at the top says "any members of the Administrator group can connect even if they are not listed." Is there some type of Local or Group Policy to override that?

Thx in advance.
 
Don't think that's a configurable option via group policy. Only thing to do is go to each machine and manually set it.

Start|Programs|Administrative Tools| Terminal Server Configuration

You'll see the RDP-Tcp connection/protocol - just right clicky and hit the permissions tab. Set whoever you want. Thing is, you'll have to do this on every server that you want to restrict/block the local admins group.
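The same RDP-Tcp permission change, scripted so it can be pushed to several servers instead of clicked through on each one. This is an added example, not code from the thread. It assumes PowerShell is installed on the Windows Server 2003 box (it was not shipped with it) and uses the Terminal Services WMI provider's Win32_TSPermissionsSetting and Win32_TSAccount classes; the server name and the "MYDOMAIN\Domain Admins" group are placeholders.

```powershell
# Added example (not from the thread): script the RDP-Tcp connection
# permission change described in the post above. Run as a member of
# Administrators on the target server, or remotely with WMI access.
param(
    [string]$Server   = ".",                              # placeholder: local machine
    [string]$Terminal = "RDP-Tcp",
    [string[]]$Allow  = @("MYDOMAIN\Domain Admins"),      # placeholder group name
    [string[]]$Remove = @("BUILTIN\Administrators")
)

# PermissionPreSet values for Win32_TSPermissionsSetting.AddAccount:
# 0 = guest access, 1 = user access, 2 = full control
$FullControl = 2

$setting = Get-WmiObject -ComputerName $Server -Namespace root\cimv2 `
    -Class Win32_TSPermissionsSetting -Filter "TerminalName='$Terminal'"
if (-not $setting) { throw "Connection '$Terminal' not found on $Server" }

# Grant the accounts that should keep RDP access first, so the connection
# is never left with nobody allowed on it.
foreach ($acct in $Allow) {
    $setting.AddAccount($acct, $FullControl) | Out-Null
}

# Each Win32_TSAccount instance is one ACE on the connection's DACL.
# Backslashes must be doubled inside a WQL string literal.
foreach ($acct in $Remove) {
    $wql = "TerminalName='$Terminal' AND AccountName='" + $acct.Replace('\', '\\') + "'"
    $ace = Get-WmiObject -ComputerName $Server -Namespace root\cimv2 `
        -Class Win32_TSAccount -Filter $wql
    if ($ace) { $ace.Delete() | Out-Null }
}

# Print the resulting ACL so the change can be verified.
Get-WmiObject -ComputerName $Server -Namespace root\cimv2 -Class Win32_TSAccount `
    -Filter "TerminalName='$Terminal'" |
    Select-Object AccountName, AllowedPermissions, DeniedPermissions
```

Two things to keep in mind when relying on this: the connection ACL only governs the RDP listener, and a member of the local Administrators group can simply put the group back, so treat it as a convenience control rather than a security boundary against someone who already holds local admin.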
 
That worked. Duh, can't believe I forgot about that.

Thanks!
 
Good find snoot...also consider the Group Policy setting found in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow logon through Terminal Services. Remove the Administrators group from here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hey unclerco, the Add User or Group and Remove buttons are grayed out (disabled) in GPEDIT.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow logon through Terminal Services.

I have tried those with both the local admin and domain admin and still disabled. How do I remove Administrators group from here?
 
It is more than likely being set by a GPO at the Domain or OU level. Do you use the Group Policy Management Console? If so, run the Group Policy Results wizard and see what the effective Group Policy is for the system that you are on.

- ColdFlame (vbscript forum)
 
Yes you are correct, my Default Domain Policy is set to allow only Remote Desktop Users and Administrators. What is the best way to exclude this particular server from this Local Policy within this GPO? I don't want to completely *exclude* the entire GPO because I would need every other configuration to stay intact.

Can I create a separate GPO just for this server and tell it to allow only Domain Admins for Terminal Services? I'm thinking the Default Domain Policy will still overwrite it?
 
I'm not sure what your OU structure is like so I cannot comment on whether or not the Default Domain Policy is the best place to set the Allow logon through terminal services policy.

Your best bet is to do the following:
- remove this setting from the Default Domain Policy
- Create an OU for the servers that this setting is meant to affect and move the servers to this new OU (except for Domain Controllers)
- Create a new GPO with this setting and link it to the OU

If you need to you could leave the setting in the Default Domain Policy since the one applied to the OU will win.

- ColdFlame (vbscript forum)
 
I will move this particular *computer* to its own OU.
My question is will the Default Domain Policy override the Terminal Server Policy i just created within that OU? (I always forget the order)

GPM is like this:
Forest: mydomain.com
> Domains
> mydomain.com
Default Domain Policy (rdp for administrators and remote desktop users)
> Terminal Server OU
> Terminal Server Policy (rdp for domain admins only)

Is DDP > TSP?

 
Yes, it will override the OU GPO if it is set to No Override

Order of precedence is Local, Site, Domain, OU unless of course you have No Override and/or Block Inheritance set.

If I might ask, what does the rest of your OU structure look like?

- ColdFlame (vbscript forum)
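A way to verify, on the server itself, which principals actually ended up with "Allow logon through Terminal Services" once the domain and OU GPOs have fought it out. This is an added example, not code from the thread. It assumes PowerShell on the server; it uses secedit to export the effective local security policy (the right is stored as SeRemoteInteractiveLogonRight, its deny counterpart as SeDenyRemoteInteractiveLogonRight) and gpresult to name the GPO that supplied it. The sample export embedded in the script is constructed for offline demonstration.

```powershell
# Added example (not from the thread): show who effectively holds
# "Allow logon through Terminal Services" after GPO processing.

function Get-RemoteLogonRight {
    # $PolicyLines: the text of a 'secedit /export' .inf file
    param([string[]]$PolicyLines)
    $result = @{ Allow = @(); Deny = @() }
    foreach ($line in $PolicyLines) {
        if ($line -match '^\s*(SeRemoteInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight)\s*=\s*(.*)$') {
            $key = if ($matches[1] -like 'SeDeny*') { 'Deny' } else { 'Allow' }
            $names = @()
            foreach ($id in $matches[2].Split(',')) {
                $id = $id.Trim()
                if ($id -eq '') { continue }
                if ($id.StartsWith('*')) {
                    # secedit writes well-known principals as *S-1-5-...; resolve to a name
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))
                        $names += $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $names += $id }
                } else { $names += $id }
            }
            $result[$key] = $names
        }
    }
    return $result
}

# Constructed sample of what secedit exports when the thread's Default Domain
# Policy (Administrators + Remote Desktop Users) is the GPO that wins.
$sample = @(
    '[Privilege Rights]',
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555',
    'SeDenyRemoteInteractiveLogonRight ='
)
$rights = Get-RemoteLogonRight $sample
"Sample allow: " + ($rights.Allow -join ', ')   # BUILTIN\Administrators, BUILTIN\Remote Desktop Users
"Sample deny:  " + ($rights.Deny  -join ', ')

# Live check on this server (run elevated). USER_RIGHTS limits the export to the
# [Privilege Rights] section.
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$live = Get-RemoteLogonRight (Get-Content $inf)
"Effective allow: " + ($live.Allow -join ', ')
"Effective deny:  " + ($live.Deny  -join ', ')
if ($live.Allow -contains 'BUILTIN\Administrators') {
    Write-Warning 'Administrators still hold the right; a GPO higher up (or one marked No Override) is winning.'
}

# gpresult attributes each security setting to the GPO that delivered it; the
# context lines around the match show which GPO supplied this right.
gpresult /scope computer /v | Select-String 'SeRemoteInteractiveLogonRight' -Context 2,2
```

Note that Domain Admins are themselves members of the local Administrators group, so removing Administrators from the allow right cuts them off too unless Domain Admins is listed explicitly, which is what the "rdp for domain admins only" OU policy in the thread does. The deny right wins over the allow right, so if the goal is to block only the local Administrator account, adding that account to "Deny logon through Terminal Services" is more targeted than editing the allow list.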
 
Hey thanks for your assistance with this.
The entire picture looks like this
*names changed to protect the innocent ;)

Group Policy Management
- Forest: MyDomain.com
- Domains
- MyDomain.com
> Adobe GPO
> Default Domain Policy
> Drive Map GPO
> WSUS GPO
- New York OU
> Security GPO
- Sales
- Accounting (and so forth)
- Domain Controller OU
- Terminal Server OU
- Application Server OU
.... and then the rest of the default objects within GPM such as WMI Filters, Sites, etc. etc.

I am going to stick the Terminal Server Policy in the Terminal Server OU and say No Inheritance from anything above (such as Default Domain Policy). This way it can have specific GPOs apply to it apart from the other domain-wide GPOs. So block inheritance, right?
 
That depends again on whether or not you have your policies defined and linked at the Domain level set to No Override/Enabled. I, personally, would only have the Default Domain Policy set at the domain level with your typical settings defined such as password and account lockout policy, all other GPO's should be linked to downstream OU's. For instance:

mydomain.com (Default Domain Policy)
--My_Computers (Adobe, WSUS, Remote_Desktop GPO's)
---Laptops
---Desktops
---Member_Servers
---Terminal_Servers
--My_Users (Drive_Mapping, Security GPO's)
---Sales
---Accounting
---Marketing

Doing it like above will give you some great flexibility. You may or may not want to get as granular with your machine types and combine all desktops/laptops together and maintain separate OU's with Member Servers and Terminal Servers in them. You can define the Terminal_Server GPO and link it to the My_Computers OU and have it only affect what is underneath it. You could also just link it to only the Member_Servers OU. You could, again, link it to the My_Computers OU and filter based on group membership of the machines. Just a thought.

- ColdFlame (vbscript forum)
 