How to block certain (admin) users from accessing the RDP server

Sometimes admins are lazy and abuse their rights to access clients or Terminal Services with their admin accounts. This is not a great idea, and at least for the central MS Terminal Server there is a way to force the use of the standard user account.

  1. Open a cmd prompt with administrator rights and run gpedit.msc
  2. Navigate to: Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment
  3. Search for the entry: “Deny log on through Remote Desktop Services”
  4. Hint: I did not directly block the group “Administrators” or “Domain Admins”. I created a separate group called: G_RDP_NO-ADMIN-RDP
  5. Double-click the entry and add your desired group in the dialog that opens
  6. Search for your group and click OK
  7. After the last acknowledgement, the local security group policy is updated.
  8. A user in this group now sees a corresponding note when trying to log on.

The specified group is now prohibited from accessing the RDP service. Nevertheless, it is still possible to execute “run as” commands.
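
To confirm the result of the steps above without opening gpedit.msc, the following added example (not part of the original post) exports the user rights with secedit and checks whether the group holds SeDenyRemoteInteractiveLogonRight, the constant behind the policy entry. It assumes an elevated PowerShell session on the terminal server and the group name from step 4; the helper name Resolve-RightEntry is made up for this example.

```powershell
# Added example: audit who holds the "Deny log on through Remote Desktop Services" right.
# Assumption: run in an elevated PowerShell session on the terminal server.
$GroupName = 'G_RDP_NO-ADMIN-RDP'                 # group name used in the article
$Right     = 'SeDenyRemoteInteractiveLogonRight'  # constant behind the policy entry

function Resolve-RightEntry([string]$Entry) {
    # secedit writes most entries as "*S-1-5-..." SIDs; some appear as plain account names
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # orphaned SID: keep the raw value
}

$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user rights assignment section of the local security policy
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    $line  = Get-Content -Path $cfg | Where-Object { $_ -match "^$Right\s*=" }
    $names = @()
    if ($line) {
        $names = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object { Resolve-RightEntry $_ })
    }
    "Accounts denied RDP logon: $(if ($names) { $names -join ', ' } else { '(none)' })"

    # Compare on the account name only, ignoring the DOMAIN\ or HOST\ prefix
    if ($names | Where-Object { ($_ -split '\\')[-1] -eq $GroupName }) {
        "OK: $GroupName is denied logon through Remote Desktop Services."
    } else {
        Write-Warning "$GroupName is NOT in the deny list; the policy is not in effect."
    }
}
finally {
    # The export contains the full rights assignment; do not leave it in TEMP
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```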
