AD group to log in to servers
I'm currently creating a home lab and playing around with Active Directory, and I have a couple of questions.
What is the default group for server access?
I can only seem to log in to my servers locally using the admin credentials. How would I set it up so that only a certain group could log in to the servers?
1 Answer
In a domain environment, only the members of DOMAIN\Administrators have Administrator rights everywhere, and that includes login rights to every system in the domain.
So you can add your user account to that group.
(Not recommended though. The AD admins should be limited to a small number of accounts that are never used for any other work. This minimizes the risk of such a powerful account getting compromised while doing other things.)
Method 2: Make your user account(s) (or an AD group with all the users that need this) a member of the local Administrators group on each server. This gives them admin and login rights on the server, but NOT on the domain as a whole.
Method 3: Make your user account(s) (or AD group) a member of the "Remote Desktop Users" group on each server. That will give them login rights via Remote Desktop, but NO admin rights.
No matter what method you use: It is highly recommended (for security reasons) to NOT use a regular user account for any Administrator work. Use a separate account and use that account for nothing else.
0
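Methods 2 and 3 from the answer above, scripted in PowerShell as an added example that is not part of the original answer: it creates one AD group per access level, nests each into the matching local group on every server, and then lists the resulting membership so the grant can be reviewed. The domain name `LAB`, the server names and the two AD group names are hypothetical; it assumes the ActiveDirectory module (RSAT), PowerShell remoting enabled on the servers, English local group names, and a session run with rights to administer both.

```powershell
# Hypothetical lab values (not from the original post): adjust to your environment.
Import-Module ActiveDirectory

$Domain  = 'LAB'                 # NetBIOS domain name (assumed)
$Servers = 'SRV01', 'SRV02'      # member servers (assumed)

# AD group -> local group it is nested into on each server
$Map = @{
    'Server-Local-Admins' = 'Administrators'        # Method 2: admin + login rights on the server only
    'Server-RDP-Users'    = 'Remote Desktop Users'  # Method 3: RDP login rights, no admin rights
}

# Create the AD groups once; skip any that already exist.
foreach ($adGroup in $Map.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$adGroup'")) {
        New-ADGroup -Name $adGroup -GroupScope Global -GroupCategory Security
    }
}

Invoke-Command -ComputerName $Servers -ArgumentList $Domain, $Map -ScriptBlock {
    param($Domain, $Map)

    foreach ($entry in $Map.GetEnumerator()) {
        $member  = "$Domain\$($entry.Key)"
        $present = Get-LocalGroupMember -Group $entry.Value -ErrorAction SilentlyContinue |
            Where-Object Name -eq $member
        if (-not $present) {
            # Idempotent: only add the AD group when it is not already a member.
            Add-LocalGroupMember -Group $entry.Value -Member $member
        }
    }

    # Audit: emit every member of both local groups, including any
    # pre-existing entries that were not granted by this script.
    foreach ($localGroup in $Map.Values) {
        Get-LocalGroupMember -Group $localGroup |
            Select-Object @{ n = 'LocalGroup'; e = { $localGroup } }, Name, ObjectClass, PrincipalSource
    }
} |
    Sort-Object PSComputerName, LocalGroup |
    Format-Table PSComputerName, LocalGroup, Name, ObjectClass, PrincipalSource
```

Access is then managed by adding or removing the separate admin accounts in the two AD groups, and the table at the end shows any unexpected direct members left on a server.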