locked
Is it possible to restrict remote access to ONLY 'Remote Users' security group? RRS feed

  • Question

  • Hi Everyone,

     

    Bit of a strange request. Within our work environment, we try to restrict Remote Desktop as much as possible. However people regularly need admin rights in order to do their work, due to certain programs and restrictions not working very well.

     

    What I'm looking is basically:

     

    - Nobody has remote desktop rights, EXCEPT the users in the 'Remote Desktop' group

    - This includes administrators - they should NOT be allowed these rights

     

    Is this possible? My understanding is that permissions are cumulative, so for example Admin is Remote Desktop User and then some. I'd like to somehow seperate these (whether by a GPO or other).

     

    Any advice or suggestions are much appreciated!

    Saturday, July 7, 2012 12:08 PM

All replies

  • AFAIK. By default members of the Administrators Group have the access to the Remote Desktop even if they are not listed. What you can do is remove those users in the Administrators Group and create a separate group for them, give them enough permission like Power User or something equivalent that suits your requirements.
    Tuesday, July 10, 2012 12:32 AM
  • Thanks for the response Bong, and sorry for the delay in getting back to you.

    Unfortunately due to the scale of our machines/enterprise, creating a seperate group wouldn't be entirely feasible. I was hoping it would be possible to remove remote rights from Admin, but I guess that's not possible :-( Thanks for your answer, however!

    Wednesday, August 15, 2012 8:22 AM
  • Couldn't you just create the group on the domain controller and then everyone would be affected buy the changes.
    Wednesday, August 15, 2012 1:45 PM