Disallow users in the Administrators group from accessing other computers through Remote Desktop

    Question

  • Forgive me for my lack of experience with Active Directory and Group Policy. Our school system uses Active Directory to place our managed computers on a domain. I am the specialized Help Desk Support technician for the district, but we have "traveling" site technicians that go out to the schools to do more extensive troubleshooting. In order to maintain efficiency within our district, I would like to have remote desktop access to troubleshoot issues that can be resolved remotely and "free up" site technicians to address issues that are more severe.

    We are able to set up a specified administrator account, Help Desk, and then activate Remote Desktop on all managed computers through Group Policy. The only problem we are running into is how to disallow users in the Administrators user group from having the ability to use Remote Desktop. We do not want to change the users in that group, only disallow them from one aspect of terminal services, which is Remote Desktop.
    Does anyone know how to do this through Group Policy?
    Thanks nancy
    Monday, February 22, 2010 9:38 PM

All replies

  • Hi there,

    No, unfortunately you cannot. However, I don't know why you would want that. If the users that are in the Administrators group shouldn't be able to administer the machine, you should remove them from the Administrators group.

    Hope this helps.

    Regards,

    Stefan Hazenbroek
    Monday, February 22, 2010 10:02 PM
  • Hi Nancy

    Which accounts do you have that are local Admins but shouldn't have the Remote Desktop right?

    If you can identify the users who should NOT have access to use Remote Desktop then there is a way. There is a policy called "Deny logon through Terminal Services" (under Windows Settings/Security Settings/Local Policies/User Rights Assignment) that could be applied.

    Create an AD group (if not already one) and apply the setting to that group. You will need to make sure that any of your site technicians are not a member of that group, since 'Deny' overrides the right they would have through the Administrators group.

    Hope this helps,
    Rohan.
    • Proposed as answer by Roly Dee Tuesday, February 23, 2010 3:48 PM
    • Marked as answer by Joson Zhou (Moderator) Tuesday, March 02, 2010 9:52 AM
    Tuesday, February 23, 2010 3:46 PM
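The user right Rohan describes is stored on each computer as the `SeDenyRemoteInteractiveLogonRight` privilege (shown in the GPO editor as "Deny log on through Terminal Services" on Windows Server 2003, and "Deny log on through Remote Desktop Services" on later versions). The script below is an added example, not code from the thread or from Microsoft: it exports the effective local security policy with `secedit`, resolves the SIDs in the deny and allow rights to account names, and checks two things an administrator would want to know after applying the GPO: that the deny group actually reached the computer, and that the help-desk account has not been denied, directly or through membership of the deny group. The domain name `CONTOSO`, the group `CONTOSO\RDP-Denied-Admins` and the account `CONTOSO\HelpDesk` are placeholders, not names from the thread.

```powershell
# Added example (not from the thread): audit how the "Deny log on through Remote Desktop Services"
# user right resolved on this computer after the GPO applied.
# Assumptions (placeholders): domain CONTOSO, deny group CONTOSO\RDP-Denied-Admins,
# help-desk account CONTOSO\HelpDesk. Run from an elevated PowerShell session; secedit
# needs administrator rights to export policy.

param(
    [string]$DenyGroup         = 'CONTOSO\RDP-Denied-Admins',   # group the GPO lists in the deny right
    [string[]]$MustNotBeDenied = @('CONTOSO\HelpDesk')          # principals that must keep RDP access
)

# secedit writes a Unicode .inf; user rights sit under [Privilege Rights] as lines such as
#   SeDenyRemoteInteractiveLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
# Each entry is either *SID or an account name secedit could already resolve.
$inf = Join-Path $env:TEMP 'rights-audit.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

function Get-RightMembers {
    param([string]$Right)
    $line = Get-Content -Path $inf -Encoding Unicode |
            Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }             # right assigned to nobody on this machine
    $raw = ($line -split '=', 2)[1].Trim()
    $raw -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Translate the SID to DOMAIN\Name; keep the raw SID if it no longer resolves (orphaned entry)
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

$deny  = @(Get-RightMembers -Right 'SeDenyRemoteInteractiveLogonRight')
$allow = @(Get-RightMembers -Right 'SeRemoteInteractiveLogonRight')
Remove-Item $inf -ErrorAction SilentlyContinue

"Deny log on through Remote Desktop Services : $($deny -join ', ')"
"Allow log on through Remote Desktop Services: $($allow -join ', ')"

# Check 1: the deny group reached this computer. A missing entry usually means the GPO is not
# linked to the OU the computer sits in, is blocked by inheritance, or was overridden by a later GPO.
if ($deny -notcontains $DenyGroup) {
    Write-Warning "Deny right does not list $DenyGroup; the GPO has not applied or was overridden."
}

# Check 2: nobody who must keep RDP access is listed in the deny right directly.
foreach ($p in $MustNotBeDenied) {
    if ($deny -contains $p) { Write-Warning "$p is directly denied RDP logon on this computer." }
}

# Check 3: nobody who must keep RDP access is a (nested) member of the deny group in AD, since
# "Deny" wins over the right they hold through Administrators. Needs the RSAT ActiveDirectory module.
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $domain, $groupName = $DenyGroup -split '\\', 2
    $members = Get-ADGroupMember -Identity $groupName -Recursive |
               ForEach-Object { "$domain\$($_.SamAccountName)" }
    foreach ($p in $MustNotBeDenied) {
        if ($members -contains $p) { Write-Warning "$p is a member of $DenyGroup and will be denied RDP." }
    }
}
```

The right is a computer setting, so the GPO has to be linked where the managed computers live, not where the users live. `gpresult /h report.html` on a workstation shows which GPO supplied the value when Check 1 fails. As Richard points out later in the thread, a member of the local Administrators group can remove themselves from the deny group or edit the policy, so this check is a drift detector to run on a schedule, not a guarantee.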
  • However, note that anything you do to members of the Administrators group, such as making them members of a group that denies some privilege, they can undo. Administrators must always be trusted. That's why membership should be limited. If possible, make these users members of another group with just the permissions they need.

    Richard Mueller
    MVP ADSI
    Tuesday, February 23, 2010 11:30 PM
  • I feel that I did not explain which users are in the Administrator group....again, we are a school district...all principals, asst. principals, superintendents, administrative staff, support staff including technicians, and most teachers are set up in the administrative group on the Active Directory domain; in order for our "important" users to be able to set up printers, download much needed material and information from the web, and change their internet connection, they have to be set up as administrators. This brings us to the problem; we cannot take these users out of the administrator user group, they have to maintain their permissions as administrators. We have created a specific administrator account, Help Desk, to be the specialized user account that has Remote Desktop access ONLY. We need to set up in Group Policy for only that Help Desk user account to have Remote Desktop access and "block" any other member of the Administrator group from having that ability....We have to do this because of security reasons....protection from other users from accessing sensitive student information. I, as the Help Desk user, am bonded to discretion and privacy; no other user should get too adventurous and access, let's say, a principal's computer by Remoting into that computer.....

    I know how to take out the Administrator user group from the "User Rights Assignment" security settings in Administrative Tools on a local, stand-alone image and only allow the Help Desk user to have Remote Desktop access....how can I transfer that information to a Group Policy format within Active Directory?

    If this cannot be done is there another way that we can do this?
    Thanks Nancy

    Wednesday, February 24, 2010 3:18 PM
  • How can they "undo" that denied privilege? Thanks Nancy
    Wednesday, February 24, 2010 3:20 PM
  • There are many ways, from undoing the setting in the GPO to creating another one removing the deny in another setting.

    As Administrators & domain admins, you can make it only difficult at best to deny them any privilege. A better approach would be to take those "important users" and "delegate or grant" them the specific rights they need to have to support the operations. Then take them out of the domain admins role and they'll be left with only the rights and permissions they need. That way you needn't worry about taking away rights they don't need and shouldn't have.

    /kj
    Wednesday, February 24, 2010 4:22 PM
  • First, do you mean the "Domain Admins" group, or the builtin domain "Administrators" group? In either case, members of these groups must be trusted, because they can do anything. If you remove them from a group, they can add themselves. If you remove their permissions on an object they can seize ownership of the object and grant themselves the permissions. Worse, if they become infected with a virus, the virus has administrator privileges. By default, the Domain Admins group is added to the local Administrators group on all computers joined to the domain, so members of this group have administrator privileges on all computers.

    I work with many schools and your situation is very common. In fact most small organizations have many members of Domain Admins. But most large organizations have very few. I know of companies with hundreds of thousands of users, but less than 10 Domain Admins. They have more than one in case of catastrophe, but the job of these people is to make sure the "real" administrators (at the department and OU level) can do their jobs. They delegate the permissions the real administrators need to do their job, without making them members of any Administrator groups. The members of "Domain Admins" seldom log on with their Administrator accounts, because it is too dangerous.

    The best solution is to delegate the permissions needed to other groups. These links describe delegation of control:

    http://support.microsoft.com/kb/315676

    http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx

    You may need to give these users local administrator privileges on the computers, perhaps to set up local printers. Create a domain group for this purpose and make this group a member of the local Administrators group on all computers. You can use Restricted Groups to enforce membership in the local Administrators group. These links describe Restricted Groups.

    http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

    http://support.microsoft.com/kb/279301

    Richard Mueller
    MVP ADSI
    Thursday, February 25, 2010 1:55 AM
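Richard's suggestion is to stop putting individual users in Administrators, create one domain group for those who genuinely need local admin rights, and let Restricted Groups enforce exactly that membership on every computer. The script below is an added example, not code from the thread or from Microsoft: it compares the local Administrators group on a workstation with the membership the Restricted Groups policy is meant to enforce and reports anything added or missing. The domain `CONTOSO` and the group `CONTOSO\Workstation-Admins` are placeholders; `CONTOSO\Domain Admins` is listed because domain join adds Domain Admins to local Administrators by default, as Richard notes. It relies on `Get-LocalGroupMember`, which ships with Windows 10 and Windows Server 2016 and later.

```powershell
# Added example (not from the thread): report drift between the local Administrators group on this
# computer and the membership a Restricted Groups policy is supposed to enforce.
# Assumptions (placeholders): domain CONTOSO; intended members are the built-in local Administrator,
# CONTOSO\Domain Admins and the delegated group CONTOSO\Workstation-Admins.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

param(
    [string[]]$ExpectedMembers = @(
        "$env:COMPUTERNAME\Administrator",
        'CONTOSO\Domain Admins',
        'CONTOSO\Workstation-Admins'
    )
)

function Get-AdminDrift {
    param([string[]]$Expected)
    # Get-LocalGroupMember returns DOMAIN\Name for domain principals and COMPUTERNAME\Name for local ones;
    # -contains / -notcontains compare case-insensitively, which matches how Windows treats account names.
    $actual = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Actual     = $actual
        Unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })  # added outside the policy
        Missing    = @($Expected | Where-Object { $actual   -notcontains $_ })  # removed, or GPO not applied
    }
}

$drift = Get-AdminDrift -Expected $ExpectedMembers

"Local Administrators on $($drift.Computer): $($drift.Actual -join ', ')"
if ($drift.Unexpected.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    'Membership matches the Restricted Groups policy.'
} else {
    foreach ($m in $drift.Unexpected) { Write-Warning "Not in policy but present: $m" }
    foreach ($m in $drift.Missing)    { Write-Warning "In policy but missing:     $m" }
    exit 1   # non-zero so a scheduled task or monitoring job can flag the computer
}
```

With the Restricted Groups "Members of this group" setting, Group Policy rewrites the local Administrators membership to exactly the configured list at every refresh, so any account added by hand shows up as `Unexpected` here only until the next refresh; a persistent difference means the policy is not applying to that computer. If an old member account has been deleted, the group can contain an orphaned SID, and on some builds `Get-LocalGroupMember` fails on such entries; `net localgroup Administrators` still lists the group in that case.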