Celeb Glow
updates | March 13, 2026

Restrict Remote Desktop access to specific users to specific servers in a domain environment?

I have a domain controller and I want to allow certain user accounts Remote Desktop access to certain servers in the same domain.

There are many servers that can be accessed via the Remote Desktop Protocol, but I'd like to restrict these users to connecting only to the servers I allow, not all of them.

For example, I have user "Billy" and I want him to be able to RDP to servers "1" and "2" but not to server "3".

Please explain a good approach to this problem.

4 Answers

Restricted remote-desktop connection in domain environment for domain user

Solution

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege.

To do this, open a Group Policy editor (either local to the server or for an OU) and set this privilege:

  1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.

  2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

  3. Find and double-click "Deny logon through Remote Desktop Services".

  4. Add the user and/or the group that you would like to deny access.

  5. Click Ok.

  6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.


The best option to me in this case is simply to modify the properties of the user's AD account. Under the "Account" tab, select "Log On To" and there you can specify which computers the user is allowed to log in to. You will of course want to allow them to log in to their own workstation, but you can also add the terminal servers to which they should be allowed to log in.

The downside to this method, depending on your environment, is that the user would not be allowed to log in at other workstations either, unless those workstations are specified in this list of allowed systems.

I don't know if this is the answer you are looking for, but it may be helpful.

  1. Go to Advanced Firewall settings, then Inbound Rules, and search for the RDP rule.
  2. From Scope, you can specify the IPs you want to give access to through RDP; put in as many IPs as you want.
  3. Go to the properties of the RDP rule and choose to block the connection instead of allow.

Note: Don't forget that each hosting company has an IP range for technical support issues; ask them about it and allow it as well, or you may have trouble getting technical support.


In AD, create three security groups (Server 1, 2 and 3) and add the specific users to their relevant groups.

Run Local Security Policy on each Remote Desktop Server, i.e. run secpol.msc.

Navigate to Local Policies > User Rights Assignment. Edit the policy "Allow log on through Remote Desktop Services": add the specific AD group you want to give access to and remove unnecessary entries.
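Putting the second and fourth answers into PowerShell, as an added example that is not from any answer on this page: it assumes the RSAT ActiveDirectory module, a session with rights to create groups and edit the account, and placeholder server, OU and workstation names; the last function is an on-server check of who actually holds the allow and deny RDP logon rights.

```powershell
# Added example, not from the original answers. Server, OU and workstation
# names are placeholders; replace them with your own.
Import-Module ActiveDirectory

$user    = 'Billy'                              # user from the question
$allowed = @('SERVER1', 'SERVER2')              # servers Billy may reach over RDP
$groupOU = 'OU=RDP-Access,DC=example,DC=com'    # placeholder OU for the groups

# Fourth answer: one security group per server. Each group is what later gets
# granted "Allow log on through Remote Desktop Services" on that server
# (via secpol.msc or a GPO linked to the server's OU). SERVER3 gets no group
# containing Billy, so he has no RDP logon right there.
foreach ($srv in $allowed) {
    $name = "RDP-$srv"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $groupOU)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
            -Path $groupOU -Description "Accounts allowed to RDP to $srv"
    }
    Add-ADGroupMember -Identity $name -Members $user
}

# Second answer: restrict the account's "Log On To" list (the userWorkstations
# attribute, a comma-separated list of NetBIOS names). Include the user's own
# workstation, or they lose interactive logon there as well.
$workstation = 'BILLY-PC'   # placeholder
Set-ADUser -Identity $user -LogonWorkstations (($allowed + $workstation) -join ',')

# Check on a server: export the local user-rights assignments and resolve the
# SIDs holding the allow and deny RDP logon rights. Run on SERVER3 to confirm
# neither Billy nor his groups appear under the allow right.
function Get-RdpLogonRights {
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $text = Get-Content $cfg
    foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $text | Where-Object { $_ -like "$right*" }
        $sids = if ($line) { (($line -split '=')[1]).Trim() -split ',' } else { @() }
        $names = foreach ($s in $sids) {
            # Entries look like *S-1-5-32-555; unresolvable ones are kept as-is.
            try { (New-Object System.Security.Principal.SecurityIdentifier($s.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $s }
        }
        [pscustomobject]@{ Right = $right; Principals = ($names -join '; ') }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
Get-RdpLogonRights | Format-Table -AutoSize
```

Deny rights win over allow rights, so an account that appears under both SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight cannot connect.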
