
Terminal Server: How to deny users from logging in

Status
Not open for further replies.

hydruid

Programmer
Feb 5, 2008
103
US
I have 2 groups and 2 servers. Currently both groups log into both servers.

I want group1 to only log into serverA and group2 to only log into serverB.

I want to set this up using group policy.

I have researched and researched but can't find a solution.

Thank you in advance!
 
To logon to a server via Remote Desktop requires membership to the "Remote Desktop Users" group.

There is an option under the Security Options (or is it Policy?) part of a GPO, however for that size environment I would just do it manually.

Create a "ServerA Remote Access" group and a "ServerB Remote Access" group in AD, and on the servers make the respective domain group a member of the local "Remote Desktop Users". Then you can change who can logon to what via domain group memberships in AD.



Steve.

"They have the internet on computers now!" - Homer Simpson
 
Both servers are in the same domain and setting up 2 domains is not an option.

 
"I want group1 to only log into serverA and group2 to only log into serverB"
So do like Stevehewitt recommended: add group1 to the local Remote Desktop Users group on server A and group2 on server B.

"both servers are in the same domain and setting up 2 domains is not an option." ????
 
You don't need to use GP, just keep both groups and set each one to access only that server. Or the other way is in the user permissions. There is a tab called Account and you can select what PCs a user can log on to... key word here is PCs. If you use that option you will need to specify all PCs the user can access, including the TS server.
 

Stevehewitt has the right answer.

Since you indicate that users are already members of two Domain Groups "Currently both groups log into both servers", assuming you mean AD groups and not a bunch of people :)

All you need to do is add those Domain groups to the built-in local group "Remote Desktop Users" on each system. Users of those groups will now be able to access the system via RDP.

Assuming none of your users gain Local Administrator privilege through membership in some other AD group (in which case they get on anyway), this should do the trick.
 
Stevehewitt and Thalligan are correct. "When they say Domain Groups they just mean groups, not groups on different domains"

This would be the simplest way and most manageable which you must always keep in mind when making any changes.
 
Ok I see what Stevehewitt meant and that does make sense. When people were saying "system" it confused me. Which is my fault because I've been sick with the flu, yuck.

Let me recap to make sure I understand. On ServerA add users from the AD OU group1 to login and no one else. Do the same for ServerB. Is this correct?
 
And that is done through the Remote tab in the System Properties; wanted to make sure to add that to not confuse anyone.
 
Yes, so remote or log into the console for ServerA. Then add GroupA to the "local remote desktop users" group on ServerA.

This will allow only users in that group to access the server remotely. Keep in mind anyone belonging to the local Admin group has the ability to log in remotely by default.

Do the same for ServerB and you're done. Hope this helps.
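
The approach agreed on in this thread, as an added PowerShell example that is not part of any poster's reply: it puts one domain group into each server's local "Remote Desktop Users" group, then lists every member of that group and of local Administrators so that unintended RDP access (the caveat raised above) is visible. The domain name `EXAMPLE` is a placeholder, and the script assumes PowerShell remoting is enabled, Windows PowerShell 5.1 or later on both servers, and English local group names.

```powershell
# Added example. Assumptions: 'EXAMPLE' is a placeholder NetBIOS domain name;
# the two AD groups already exist; local group names are the English defaults.
$Domain = 'EXAMPLE'
$Map = @{
    'ServerA' = 'ServerA Remote Access'
    'ServerB' = 'ServerB Remote Access'
}

$report = foreach ($server in $Map.Keys) {
    $wanted = "$Domain\$($Map[$server])"

    Invoke-Command -ComputerName $server -ArgumentList $wanted -ScriptBlock {
        param($Wanted)
        $rdu = 'Remote Desktop Users'

        # Add the intended domain group only if it is not already a member.
        $present = Get-LocalGroupMember -Group $rdu |
            Where-Object { $_.Name -eq $Wanted }
        if (-not $present) {
            Add-LocalGroupMember -Group $rdu -Member $Wanted
        }

        # Report everyone who can log on over RDP through either local group.
        # Nested domain groups are listed by name, not expanded.
        foreach ($group in $rdu, 'Administrators') {
            Get-LocalGroupMember -Group $group | ForEach-Object {
                [pscustomobject]@{
                    Server     = $env:COMPUTERNAME
                    LocalGroup = $group
                    Member     = $_.Name
                    Type       = $_.ObjectClass
                    # True only for the one entry this server should have.
                    Expected   = ($group -eq $rdu -and $_.Name -eq $Wanted)
                }
            }
        }
    }
}

# Rows with Expected = False are the ones to review: extra members of
# "Remote Desktop Users", and every member of local Administrators.
$report |
    Sort-Object Server, LocalGroup, Member |
    Format-Table Server, LocalGroup, Member, Type, Expected -AutoSize
```

The script only adds the intended group and reports; it removes nothing, so any unexpected row is left for an administrator to review.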
 