Answer the question
In order to leave comments, you need to log in
Can I disable terminal access (RDP connectivity) for an account that is a member of the Administrators group on Windows Server 2008 r2?
Is it possible to make sure that the account does not have terminal access, but at the same time, it has administrator rights on the server?
Wednesday: Windows Server 2008 r2
Up: I probably did not describe in detail.
The fact is that this is a system account and applications and services are launched under it on a group of servers. She serves for this. Authorization on any computer of the domain needs to be forbidden. Such is the task. We tried to check the box in the account properties: "Deny this user permissions to log on to any Terminal Server" but that did not help, it continues to let.
Answer the question
In order to leave comments, you need to log in
-Create an arbitrary user group with the required access level.
- view the default administrator groups (for example, "wsus administrator", xs why do you need an administrator without access to rdp)
- deny access to a specific machine
We already wrote above "create an arbitrary user group with the required access level."
Working and even more so running arbitrary software under the "Administrator" account is an extremely bad idea.
You have 2 options: remake your "services and applications" to ensure they run under non-privileged accounts. Or disable RDP altogether (for example, in a firewall)
To be honest, the very formulation of the question suggests that the logical structure of access rights in the organization is somewhat incorrect, since the local administrator is a local god and master. You can cut off the rights, but he can return them in exactly the same way or go around workarounds.
Denying access from the network at the account level is stupid - he can create a new account in the system.
Preventing the Administrators group from logging into Terminal Services is even dumber.
Most of the services can be started with the rights of a simple user.
Some finicky services work well under users, but when launched from a task scheduler with the checkbox set to execute with the highest privileges.
Hygiene rules prohibit the use of local administrators to run anything. You cannot be tied to this account from the word "absolutely".
I probably did not describe in detail.
The fact is that this is a system account and applications and services are launched under it on a group of servers. She serves for this. Authorization on any computer of the domain needs to be forbidden. Such is the task. We tried to check the box in the account properties: "Deny this user permissions to log on to any Terminal Server" but that did not help, it continues to let.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question