This is my scenario. I have two servers. The first one is the domain controller. The second one is the backup domain controller. Both are Windows 2008 R2. I want to set up user permissions so that, say, userX in my Active Directory can remote desktop to SERVER1 but not to SERVER2. At the moment, when I added userX to the "Remote Desktop Users" group, userX can access both SERVER1 and SERVER2.

How can I stop this from happening and only allow userX on SERVER1?

Thanks in advance.

BimalFdo

1 Answer

You can use the Allow and Deny methods, but you have to scope your GPO correctly.

Instead of adding the user to the Remote Desktop Users group, do it with a GPO (enable remote access) and allow and deny as needed.

Do remember the following:

1. Do not deny all or allow all.
2. Do not move domain controllers out of the DOMAIN CONTROLLERS OU.
3. Restrict GPOs wherever needed by using filters so that GPOs are applied only to these DCs.

You may try this in your test lab before putting it into production, as it involves access to domain controllers.

Generally, it is good to maintain minimal access to the domain controllers. Use Adminpak/RSAT tools instead.

Hema S
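The scoping described in the answer above, as an added example that is not part of the original post: a GPO linked to the Domain Controllers OU but security-filtered to SERVER2 only, followed by a check of who holds the Remote Desktop logon rights on a given DC. The domain name, OU path and GPO name are assumptions, and the "Deny log on through Remote Desktop Services" entry for userX is assumed to be set by hand in the GPO editor under User Rights Assignment.

```powershell
# Added example, not from the original answer. Domain, OU path and GPO name
# are assumptions; adjust them to your environment. Run elevated.
Import-Module GroupPolicy

$Domain   = 'example.local'                            # assumed domain
$DcOu     = 'OU=Domain Controllers,DC=example,DC=local'
$GpoName  = 'DC - RDP logon restrictions (SERVER2)'    # hypothetical name
$TargetDc = 'SERVER2'                                  # DC userX must not reach

# 1. Create the GPO and link it to the Domain Controllers OU (DCs stay there).
$gpo = New-GPO -Name $GpoName -Domain $Domain
New-GPLink -Guid $gpo.Id -Target $DcOu -Domain $Domain -LinkEnabled Yes | Out-Null

# 2. Security filtering: only SERVER2's computer account applies the GPO;
#    Authenticated Users is lowered from apply to read.
Set-GPPermissions -Guid $gpo.Id -TargetName $TargetDc -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermissions -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Run locally on each DC after 'gpupdate /force' to list the accounts that
#    hold the allow and deny Remote Desktop logon rights on that machine.
function Get-RdpLogonRights {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se(?:Deny)?RemoteInteractiveLogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) {          # '*' prefix marks a SID
                    $sid = New-Object System.Security.Principal.SecurityIdentifier `
                        -ArgumentList $entry.Substring(1)
                    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $entry }                   # unresolvable SID: keep raw
                } else { $entry }
            })
        }
    }
    Remove-Item $cfg
    $rights   # a right with no entries is absent from the export and from this table
}
Get-RdpLogonRights
```

On SERVER2 the output should show userX under `SeDenyRemoteInteractiveLogonRight`; on SERVER1 that entry should be absent, because the filtered GPO never applies there.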