Stop Administrator from logging in at client machines

Status
Not open for further replies.

PAffiliates

IS-IT--Management
Sep 6, 2006
7
US
Hello, my question is this. I am wondering how I can set up my Windows 2k3 Server so the Administrator can only log in at the server and the clients cannot log in at the server. Another way to say this would be: if the Administrator (user) went to a client machine, he would be denied login to the domain. If user x was standing at the server, he would not be able to use his login and password to gain access. Any help would be greatly appreciated!!!

I wouldn't recommend restricting the actual domain admin account (not sure if you even can this way). I would create another account, possibly with the same admin permissions. Right-click the user in AD; under the Account tab is a 'Log on to' button. Assigning computers in this list guarantees that the domain account can log in only on those computers.


For the other way around, under the GPO affecting that server, you can go under Computer Configuration/Security Settings/Local Policies/User Rights Assignments/Log on Locally - Setting.
Remove any user groups that you don't want accessing the server; however, I don't believe this affects RDP, that would be the 'Access this computer from the network' setting. Be careful with these GPOs, as it's possible to give yourself a lot of headache by accidentally locking yourself out of a server.
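
Added example, not part of the replies in this thread: the lockout caution above can be checked before a policy is applied. This Python script reads user-rights settings in the INF layout written by `secedit /export` and flags deny entries that would also catch administrators, since deny rights take precedence over allow rights. The sample INF and its domain SID are constructed placeholders.

```python
import re

# Constructed sample in the layout written by
# `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the domain SID is a placeholder.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-32-546
"""

DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}
# "broad" = group that by default also contains administrators; "admin" = an admin principal.
WELL_KNOWN = {
    "S-1-1-0": ("broad", "Everyone"),
    "S-1-5-11": ("broad", "Authenticated Users"),
    "S-1-5-32-545": ("broad", "BUILTIN\\Users"),
    "S-1-5-32-544": ("admin", "BUILTIN\\Administrators"),
}
DOMAIN_RIDS = {"500": ("admin", "built-in Administrator"), "512": ("admin", "Domain Admins"),
               "513": ("broad", "Domain Users")}

def parse_privilege_rights(inf_text):
    """Return {right: [entries]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, value = line.split("=", 1)
            rights[name.strip()] = [e.strip() for e in value.split(",") if e.strip()]
    return rights

def classify(entry):
    """Return (kind, label) for a SID that can lock administrators out, else None."""
    sid = entry.lstrip("*")
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return DOMAIN_RIDS.get(m.group(1)) if m else WELL_KNOWN.get(sid)

def lockout_findings(inf_text):
    """List (policy, kind, principal) for deny entries that override an admin's allow rights."""
    rights = parse_privilege_rights(inf_text)
    return [(DENY_RIGHTS[r], *hit) for r in rights if r in DENY_RIGHTS
            for hit in map(classify, rights[r]) if hit]
```

An empty result from `lockout_findings` means no deny entry matched the groups and accounts listed in the script; entries stored as account names rather than SIDs are not classified and need a manual look.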
 
Thankfully I have a test server that I am attempting this on... I had originally gone under Domain Controller Policy, selected local security policy, added Administrator under deny access from the network, and added the groups of users under deny logon locally, but this seemed to totally foul up the system... I couldn't log in as a client from the client machine, but the Administrator login worked... If I use your first method under the user accounts tab in AD, if I deny login to the server (as the computer), won't that cause an issue with them logging on to the domain? It doesn't seem like this operation should be too complex... Maybe I'm making it too difficult, but after the results I got from my first attempt, I guess it's made me a little gun-shy...
 