how to secure domain server

[jlh1]

We have 7 2008 r2 Active directy domain server one in each remote site. They are not read only domain controllers. I would like to limit who can login to the console to only the domain admin users.

I have tried to use the default domain controller policy. I modified the “deny logon locally” policy and added a test group. Once the policy updated too all the controllers I tested the new setup. When the users in the test group tried to login to their locale systems using their domain credentials they were unable. When I removed the test group from the GPO they were able to login to their systems again.
How can I lock down the remote domain controllers so that only the Domain admins can login to the console?

 

[kmcferrin]

Out of the box you cannot log onto a Windows 2008 R2 server unless you are a member of the Administrator group or have specifically been given the "Allow Log on Locally" right in the security policy and added. On a domain controller by default that is the Administrators, Account Operators, Server Operators, Print Operators, and Backup Operators groups. All you should have to do is remove the unnecessary users/groups from that policy and those groups.

I wouldn't recommend modifying any of the default policies (Default Domain Policy, Default Domain Controller Policy) as this can have unintended consequences. Make a copy of the policy and modify it instead.



________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator