How to Restrict AD users to log on/Remote Access to "Remote Desktop Session Host Server" only from a Particular MAC address.

    Question

  • Hi,

    I am using 3 "Remote Desktop Session Host" servers and, due to some security reasons, I have set a restriction on

    Users Properties-->Account--> Log on to -->Computer name.

    After using this policy user1 is permitted only log on to RDSH1.

    Now I want to restrict AD users to log on/remote access to the "Remote Desktop Session Host Server" only from a particular MAC address.

    Ex:

    If in AD one user id is: user1

    "Remote Desktop Session Host Server" name: RDSH1

    Thin Client or any Desktop/Laptop MAC is: 00-0A-15-13-2A

    Then how do I set a GPO or Local Policy on the "Remote Desktop Session Host Server" that allows user1 to log on/remote access the "Remote Desktop Session Host Server" only from the host whose MAC address is 00-0A-15-13-2A?

    Saturday, December 3, 2016 7:58 AM

All replies

  • Group Policy isn't the correct vehicle for this and will work. Setup Network Policy Services (NPS) for RADIUS authentication in Active Directory. NPS is a service included in Windows Server which allows it to act as a RADIUS server to authenticate remote clients against Active Directory. Inside your NPS policy, specify what conditions are evaluated during the authentication process, such as MAC address. Reference "Setup NPS for RADIUS authentication in Active Directory" and "MAC Address Authorization".


    Best Regards, Todd Heron | Active Directory Consultant

    Sunday, December 4, 2016 1:24 PM
  • Hi Mr.Ved,

    Originally, I had the same opinion as Todd Heron, that adding "Calling station ID" with the MAC address on the NPS server would authenticate the RDP connection, just like NAP enforcement with DHCP for printers.

    However, during testing it doesn't work with the several combinations I tried, and during research I found no successful examples of doing so, so I'm afraid it couldn't work, and it might not be easy to achieve your goals.

    I set the configurations below and tried each combination of the three conditions:

    And the NPS log shows it doesn't match the policy:

    @ Todd Heron, if there is mis-configuration, welcome to point it out.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, December 8, 2016 9:28 AM
    Moderator
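The thread ends with "the NPS log shows it doesn't match the policy" without showing the logged values. One thing a defender can check before giving up on the approach is what Calling-Station-Id the RADIUS client actually sends, and whether it matches the per-user MAC allowlist once formatting differences (hyphens vs. colons, upper vs. lower case, no separators) are normalized away. The script below is an added example, not code from the thread or from Microsoft: it parses a few constructed lines in the NPS "DTS compliant" XML log format, normalizes each Calling-Station-Id, evaluates it against a hypothetical allowlist, and builds a separator- and case-tolerant pattern for the NPS Calling-Station-ID condition (NPS conditions accept regular-expression patterns). The user names, MAC addresses, timestamps and the allowlist are all made up.

```python
"""Check NPS Calling-Station-Id values against a per-user MAC allowlist."""
import re
import xml.etree.ElementTree as ET

# Constructed sample lines in the NPS "DTS compliant" XML log format (one
# <Event> per line). Users, MACs and timestamps are invented for this example.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">12/08/2016 09:10:11.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\\user1</User-Name><Calling-Station-Id data_type="1">00-0A-15-13-2A-01</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">12/08/2016 09:11:02.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\\user1</User-Name><Calling-Station-Id data_type="1">00:0a:15:13:2a:01</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">12/08/2016 09:12:40.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\\user2</User-Name><Calling-Station-Id data_type="1">00-0A-15-13-2A-01</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">12/08/2016 09:13:05.000</Timestamp><Computer-Name data_type="1">NPS1</Computer-Name><User-Name data_type="1">CONTOSO\\user1</User-Name><Calling-Station-Id data_type="1">10.0.0.5</Calling-Station-Id><Packet-Type data_type="0">1</Packet-Type></Event>
"""

# Hypothetical allowlist: the MAC addresses each user may connect from.
ALLOWLIST = {"user1": {"00-0A-15-13-2A-01"}}


def normalize_mac(value):
    """Return the MAC in canonical 'AA-BB-CC-DD-EE-FF' form, or None when the
    value is not a 48-bit MAC at all (e.g. an IP address or an empty string)."""
    digits = re.sub(r"[-:.]", "", value.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_nps_events(text):
    """Parse one <Event> element per line into dicts with 'user' and 'csid'.
    The domain prefix is dropped and the user name lower-cased so that
    'CONTOSO\\user1' and 'user1' compare equal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        user = (root.findtext("User-Name") or "").split("\\")[-1].lower()
        csid = root.findtext("Calling-Station-Id") or ""
        events.append({"user": user, "csid": csid})
    return events


def evaluate(events, allowlist):
    """Return (user, raw_csid, verdict) per event. Verdicts: 'allow' when the
    normalized MAC is on the user's allowlist, 'deny' when it is a MAC that is
    not, and 'not-a-mac' when the client sent something else entirely."""
    results = []
    for ev in events:
        mac = normalize_mac(ev["csid"])
        if mac is None:
            verdict = "not-a-mac"
        elif mac in allowlist.get(ev["user"], set()):
            verdict = "allow"
        else:
            verdict = "deny"
        results.append((ev["user"], ev["csid"], verdict))
    return results


def nps_pattern_for(mac):
    """Build a regex for the NPS Calling-Station-ID condition that accepts the
    given MAC with hyphen, colon or no separators and in either letter case,
    so a format mismatch between client and policy cannot cause a miss."""
    canonical = normalize_mac(mac)
    if canonical is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = []
    for octet in canonical.split("-"):
        octets.append("".join(f"[{c}{c.lower()}]" if c.isalpha() else c
                              for c in octet))
    return "^" + "[-:]?".join(octets) + "$"


def pattern_matches(pattern, value):
    """True when the whole value matches the pattern (what the condition tests)."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    for user, csid, verdict in evaluate(parse_nps_events(SAMPLE_LOG), ALLOWLIST):
        print(f"{user:8} {csid:20} {verdict}")
    print("NPS pattern:", nps_pattern_for("00-0A-15-13-2A-01"))
```

Two things the output makes visible: the second event is the same device as the first but logged with colons and lower case, which a literal string condition would miss while the generated pattern accepts; and the fourth event shows a Calling-Station-Id that is not a MAC at all, which is what to look for when the RADIUS client in front of the session host reports an IP address rather than a hardware address, in which case no MAC condition can match. Point the parser at a real NPS XML log (one event per line) to see which case applies.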
  • Hi;  I haven't tested the NPS solution myself.  I was merely pointing out that Group Policy wasn't the correct method for solving the problem while at the same time providing an example which could solve the problem after a bit of Internet research.

    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, December 8, 2016 2:12 PM
  • Hi Todd Heron,

    Thanks for your feedback and efforts :)

    Best Regards,

    Anne




    Friday, December 9, 2016 2:22 AM
    Moderator