At the company I work for, we have about 75 computer users. We have a Microsoft Domain Controller in our server environment (MS Server 2012) with Active Directory.
When users need to install software, they are prompted in Windows for an Administrative username and password. This means that they need to call me and I can log in to their computer remotely (using TeamViewer) and I then enter my credentials so as to install the software.
I want to continue having control over what users can install; however, to make things simple, I want to have a security group in AD where I can temporarily add a user to give them administrative access. This access needs to be local only. No RDP access to our servers is allowed!
I found a few examples online which explained how to do this and I followed the instructions. (Sorry, I don't have the links to these sites anymore). Basically, what I did is below:
I have created my group in Active Directory with a user added for testing purposes 'Temp Login'.
...and I have created a GPO and added my group to the 'restricted users'.
When prompted for membership, I add 'Administrators'.
Alright, so this method works almost exactly how I want. I can log in to a laptop with TLogin (Temp Login account added earlier for testing purposes), and I can install software with no worries. There is, however, only one problem.
I still have FULL access to use RDP for access to the servers!
How can I change my method so as to allow for LOCAL access only?