Logon Using Terminal Services GPO

user account in "Domain Controller Security Policy" -> "User Rights
Assignment" -> "Allow log on through Terminal Services".

> Hi All,
> I've searching high and low for an answer but it doesn't look like
> anyone has asked this question before. The company I work for has 5
> domain controllers (all in separate locations - Aus, UK, India etc).
> The company's main IT Dept (who I work for) admins all these servers,
> though recently we have employed some systems admin contractors to
> look after the AD servers in India.
> The server is in a rack with no monitor attached so the only way for
> these guys to log in is via RDP/Terminal Services. I have added their
> user account in "Domain Controller Security Policy" -> "User Rights
> Assignment" -> "Allow log on through Terminal Services".
> So now they can logon remotely and administer the server (check event
> logs, create users etc). I have also given them the right to shut down
> the server, as from time to time they may need to bounce the server
> for hardware upgrades etc.
> Though I do not want them having RDP access or shutdown other servers
> within the domain. Unfortunately the GPOs that I've edited give these
> users those permissions throughout all domain controllers.
> Is there a way to specify which domain controllers I want these users
> to be able to RDP & shutdown.
>

> You can create a GPO that only apply to this DC.
> Use GPMC if not already.
> Add a security filtering on the GPO, so it apply only to this DC.
> Take care, being admin of DC means admin of the Domain. They may change
> your GPO to get full access anyway

>> Hi All,
>> I've searching high and low for an answer but it doesn't look like
>> anyone has asked this question before. The company I work for has 5
>> domain controllers (all in separate locations - Aus, UK, India etc).
>> The company's main IT Dept (who I work for) admins all these servers,
>> though recently we have employed some systems admin contractors to
>> look after the AD servers in India.
>> The server is in a rack with no monitor attached so the only way for
>> these guys to log in is via RDP/Terminal Services. I have added their
>> user account in "Domain Controller Security Policy" -> "User Rights
>> Assignment" -> "Allow log on through Terminal Services".
>> So now they can logon remotely and administer the server (check event
>> logs, create users etc). I have also given them the right to shut down
>> the server, as from time to time they may need to bounce the server
>> for hardware upgrades etc.
>> Though I do not want them having RDP access or shutdown other servers
>> within the domain. Unfortunately the GPOs that I've edited give these
>> users those permissions throughout all domain controllers.
>> Is there a way to specify which domain controllers I want these users
>> to be able to RDP & shutdown.
>

>> You can create a GPO that only apply to this DC.
>> Use GPMC if not already.
>> Add a security filtering on the GPO, so it apply only to this DC.
>> Take care, being admin of DC means admin of the Domain. They may change
>> your GPO to get full access anyway
> Actually being in Administrators does not mean they are admin
> of the domain, they need to be in Domain Admins for that.
> However, it does mean they could easily elevate their account
> to Domain Admins membership.
> To poster:
> Limiting them to RDP login on one DC, as Mathieu has indicated via
> a GPO impacting only the intended DC, will not really gain you much.
> Once on there they only need to open up any of a number of remote
> management tools and set the focus to DC of choice.
> If you do not have trust then do not extend trust.
> There is no middle ground.
> Roger
>>> Hi All,
>>> I've searching high and low for an answer but it doesn't look like
>>> anyone has asked this question before. The company I work for has 5
>>> domain controllers (all in separate locations - Aus, UK, India etc).
>>> The company's main IT Dept (who I work for) admins all these servers,
>>> though recently we have employed some systems admin contractors to
>>> look after the AD servers in India.
>>> The server is in a rack with no monitor attached so the only way for
>>> these guys to log in is via RDP/Terminal Services. I have added their
>>> user account in "Domain Controller Security Policy" -> "User Rights
>>> Assignment" -> "Allow log on through Terminal Services".
>>> So now they can logon remotely and administer the server (check event
>>> logs, create users etc). I have also given them the right to shut down
>>> the server, as from time to time they may need to bounce the server
>>> for hardware upgrades etc.
>>> Though I do not want them having RDP access or shutdown other servers
>>> within the domain. Unfortunately the GPOs that I've edited give these
>>> users those permissions throughout all domain controllers.
>>> Is there a way to specify which domain controllers I want these users
>>> to be able to RDP & shutdown.
>

> How to be administrator of the DC Server without being domain admins ?

> I created a test account, only member of the builtin administrators
> groups.
> I can create AD account, modify domain admins members & co.
> That's domain admins power for me !

>>> You can create a GPO that only apply to this DC.
>>> Use GPMC if not already.
>>> Add a security filtering on the GPO, so it apply only to this DC.
>>> Take care, being admin of DC means admin of the Domain. They may change
>>> your GPO to get full access anyway
>> Actually being in Administrators does not mean they are admin
>> of the domain, they need to be in Domain Admins for that.
>> However, it does mean they could easily elevate their account
>> to Domain Admins membership.
>> To poster:
>> Limiting them to RDP login on one DC, as Mathieu has indicated via
>> a GPO impacting only the intended DC, will not really gain you much.
>> Once on there they only need to open up any of a number of remote
>> management tools and set the focus to DC of choice.
>> If you do not have trust then do not extend trust.
>> There is no middle ground.
>> Roger
>>>> Hi All,
>>>> I've searching high and low for an answer but it doesn't look like
>>>> anyone has asked this question before. The company I work for has 5
>>>> domain controllers (all in separate locations - Aus, UK, India etc).
>>>> The company's main IT Dept (who I work for) admins all these servers,
>>>> though recently we have employed some systems admin contractors to
>>>> look after the AD servers in India.
>>>> The server is in a rack with no monitor attached so the only way for
>>>> these guys to log in is via RDP/Terminal Services. I have added their
>>>> user account in "Domain Controller Security Policy" -> "User Rights
>>>> Assignment" -> "Allow log on through Terminal Services".
>>>> So now they can logon remotely and administer the server (check event
>>>> logs, create users etc). I have also given them the right to shut down
>>>> the server, as from time to time they may need to bounce the server
>>>> for hardware upgrades etc.
>>>> Though I do not want them having RDP access or shutdown other servers
>>>> within the domain. Unfortunately the GPOs that I've edited give these
>>>> users those permissions throughout all domain controllers.
>>>> Is there a way to specify which domain controllers I want these users
>>>> to be able to RDP & shutdown.
>