Restrict Remote Desktop access for specific users to specific servers in a domain environment?


I have a domain controller and I want to allow certain user accounts Remote Desktop access to certain servers in the same domain.

There are many servers that can be accessed via the Remote Desktop Protocol, but I'd like to restrict these users to connecting only to the servers I allow, not all of them.

For example, I have user "Billy" and I want him to be able to RDP to servers "1" and "2" but not to server "3".

Please explain a good approach to this problem.

Kippix

Posted 2015-12-28T14:07:49.813

Reputation: 73

Answers


Restricted remote-desktop connection in a domain environment for a domain user

Solution

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege.

To do this, access a group policy editor (either local to the server or from an OU) and set this privilege:

  1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.

  2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

  3. Find and double click "Deny logon through Remote Desktop Services"

  4. Add the user and / or the group that you would like to deny access.

  5. Click Ok.

  6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.

Source

Pimp Juice IT

Posted 2015-12-28T14:07:49.813

Reputation: 29 425

Thank you very much! That is precisely what I was looking for. – Kippix – 2015-12-28T14:25:29.123

Note, you'd maybe want to just deny everyone on RDP and then allow specific users by adding them to the remote desktop group. – djsmiley2k TMW – 2016-07-24T13:48:12.090
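The same "Deny log on through Remote Desktop Services" setting, applied from PowerShell rather than the GUI, as an added example that is not part of the answer above. User rights have no cmdlet of their own, so the script round-trips the local security policy through secedit: export, merge the principal's SID into SeDenyRemoteInteractiveLogonRight, import, then re-export to verify. The principal name CORP\Billy and the temporary file names are assumptions.

```powershell
# Added example, not from the original answer: put the listed principals into the
# "Deny log on through Remote Desktop Services" right (SeDenyRemoteInteractiveLogonRight)
# of the LOCAL security policy on the server this runs on (e.g. server "3").
# Assumed principal: CORP\Billy. Run in an elevated PowerShell on that server.
#Requires -RunAsAdministrator

param(
    [string[]]$DenyPrincipals = @('CORP\Billy'),     # assumption: domain\user or domain\group
    [string]$Right = 'SeDenyRemoteInteractiveLogonRight'
)

# secedit stores rights as comma-separated *SID entries, so resolve names to SIDs first.
function Get-PrincipalSid([string]$Name) {
    $acct = New-Object System.Security.Principal.NTAccount($Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$wanted = @($DenyPrincipals | ForEach-Object { '*' + (Get-PrincipalSid $_) })

$work = Join-Path $env:TEMP ('rdp-deny-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$cfg  = Join-Path $work 'policy.inf'
$db   = Join-Path $work 'policy.sdb'

# 1. Export the current user-rights assignments (they live under [Privilege Rights]).
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg

# 2. Merge the new SIDs into the right, keeping whoever is already denied.
$present  = @($lines | Where-Object { $_ -match "^\s*$Right\s*=" }).Count -gt 0
$inserted = $false
$out = New-Object System.Collections.Generic.List[string]
foreach ($l in $lines) {
    if ($l -match "^\s*$Right\s*=\s*(.*)$") {
        $existing = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $merged   = @($existing + $wanted | Select-Object -Unique)
        $out.Add("$Right = " + ($merged -join ','))
    } elseif (-not $present -and -not $inserted -and $l.Trim() -eq '[Privilege Rights]') {
        # Right not configured yet: add it directly under the section header.
        $out.Add($l)
        $out.Add("$Right = " + ($wanted -join ','))
        $inserted = $true
    } else {
        $out.Add($l)
    }
}
if (-not $present -and -not $inserted) {            # section missing entirely
    $out.Add('[Privilege Rights]')
    $out.Add("$Right = " + ($wanted -join ','))
}
Set-Content -Path $cfg -Value $out.ToArray() -Encoding Unicode   # secedit templates are UTF-16

# 3. Import the edited template into the local policy database and apply it.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Verify by re-exporting and checking that every SID is now on the right.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$applied = (Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }) -replace '^.*=\s*', ''
if (-not $applied) { throw "$Right is not present after import" }
foreach ($sid in $wanted) {
    if ($applied.Split(',') -notcontains $sid) { throw "$sid was not applied to $Right" }
}
Write-Host "$Right now denies: $applied"
Remove-Item -Path $work -Recurse -Force
```

Two caveats a practitioner will want. Deny rights win over allow rights, so a principal listed here cannot connect even if it is also in the server's Remote Desktop Users group; the right only affects RDP logons, not console or network logons. And on a domain member any GPO that configures the same right overwrites the local value at the next refresh, so in the asker's scenario the durable place for this setting is a GPO linked to the OU (or security-filtered to the servers) that should refuse Billy, as step 1 of the answer allows.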


The best option to me in this case is simply to modify the properties of the user's AD account. Under the "Account" tab, select "Log On To" and there you can specify to which computers the user is allowed to log in. You will of course want to allow them to log in to their own workstation, but you can also add the terminal servers to which they should be allowed to log in.

The downside to this method, depending on your environment, is that the user would not be allowed to log in at other workstations either, unless those workstations are specified in this list of allowed systems.

Gary H

Posted 2015-12-28T14:07:49.813

Reputation: 11
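The "Log On To" list described in this answer is the account's LogonWorkstations attribute, which can be managed with the ActiveDirectory module. The script below is an added example, not part of the answer: it appends computers to whatever is already in the list instead of overwriting it, writes it back, and reads it again to confirm what AD stored. The user name Billy and the computer names are assumptions.

```powershell
# Added example, not from the original answer: restrict the computers an account
# may log on to via its "Log On To" list (the LogonWorkstations attribute).
# Assumes the ActiveDirectory RSAT module; user and computer names are assumptions.
Import-Module ActiveDirectory

function Add-LogonWorkstation {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Computer   # NetBIOS names, no domain suffix
    )
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations

    # The attribute is one comma-separated string; an empty value means "any computer",
    # so the first call to this function turns an unrestricted account into a restricted one.
    $current = @()
    if ($user.LogonWorkstations) {
        $current = @($user.LogonWorkstations.Split(',') | ForEach-Object { $_.Trim().ToUpper() })
    }
    $merged = @($current + ($Computer | ForEach-Object { $_.ToUpper() }) | Select-Object -Unique)

    Set-ADUser -Identity $Identity -LogonWorkstations ($merged -join ',')
    return $merged
}

# Billy's own workstation plus servers 1 and 2; server 3 is simply not listed.
$allowed = Add-LogonWorkstation -Identity 'Billy' -Computer 'BILLY-PC', 'SERVER1', 'SERVER2'

# Verify what AD actually stored rather than trusting the local variable.
$stored = (Get-ADUser -Identity 'Billy' -Properties LogonWorkstations).LogonWorkstations
if ($stored -ne ($allowed -join ',')) { throw "LogonWorkstations mismatch, AD holds: $stored" }
Write-Host "Billy may log on at: $stored"
```

As the answer notes, this restricts every interactive logon for the account, not only RDP, so the user's workstation must be on the list. The list takes NetBIOS computer names and the attribute has a practical length limit, which makes it awkward for accounts that need many hosts; to lift the restriction again, clear the attribute (Set-ADUser -Identity Billy -Clear userWorkstations, using the attribute's LDAP name).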


I don't know if this is the answer you are looking for, but it may be helpful.

  1. Go to Advanced Firewall settings, then Inbound Rules, and search for the RDP rule.
  2. From Scope, you can specify the IP addresses you want to give access to through RDP; put in as many IPs as you want.
  3. Go to the properties of the RDP rule and choose to block the connection instead of allow.

Note: Don't forget that each hosting company has an IP range for technical support issues; ask them about it and allow it as well, or else you may have trouble getting technical support.

Medhat Fawzy

Posted 2015-12-28T14:07:49.813

Reputation: 1

This does not achieve the user's desire to configure his infrastructure to allow User A access to only specific servers. This just solves any problems caused by a firewall, but honestly, it's a solution that amounts to using a shovel to open the "security door." – Ramhound – 2016-07-21T15:11:33.523
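For completeness, the firewall scoping from this answer as a PowerShell script, added here and not part of the answer or the comment. It narrows the remote-address scope of the built-in inbound "Remote Desktop" rules on one server and keeps them as Allow rules: a Block rule scoped to a list of addresses blocks only those addresses and leaves everyone else able to connect. The source addresses are assumptions. As Ramhound's comment says, this filters by where a connection comes from, not by which user is logging on, so it complements the user-rights or group-membership approaches above rather than replacing them.

```powershell
# Added example, not from the original answer: restrict the built-in inbound
# "Remote Desktop" firewall rules so only the listed source addresses reach port 3389.
# Assumed values: a jump-host subnet and one support address. Run elevated on the server,
# and not over an RDP session from an address that is about to be excluded.
#Requires -RunAsAdministrator

$allowedSources = @('10.0.0.0/24', '203.0.113.10')   # assumption: jump hosts + support IP

# The rules Windows enables with RDP are Allow rules; keep them as Allow and narrow
# their remote-address scope instead of converting them to Block rules.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
         Where-Object { $_.Enabled -eq 'True' }
if (-not $rules) { throw "No enabled inbound 'Remote Desktop' rules; is RDP enabled on this host?" }

$rules | Set-NetFirewallRule -RemoteAddress $allowedSources

# Verify: no rule in the group may still accept connections from 'Any' remote address.
foreach ($r in $rules) {
    $scope = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($scope -contains 'Any') { throw "Scope was not applied to $($r.DisplayName)" }
    Write-Host ("{0}: allowed from {1}" -f $r.DisplayName, ($scope -join ', '))
}
```

This is a per-host, network-level control: it does nothing for a user who sits on an allowed subnet, and a domain GPO that manages the same rules will reassert its own scope at the next refresh, so in a domain the scope belongs in that GPO.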