Server Logon Restrictions

[fort78]

Hey there,

I was wondering what the best way would be to stop users being able to log onto servers (either locally or remotely) - Obviously Domain Admin accounts etc can automatically do this, but I'd like to be able to control who can and who cannot log into the server...would this be a group membership based solution or something similar?

Help much appreciated,
R Green

 

[ICTCity]

Hi,

Everything depends on HOW people will connect to your server.

RDP is permitted only to the Admin, if you enable RDP TS, users in REMOTE DESKTOP USERS will be able to logon via RDP.
The share (let's say \\IP_Srv\folder) is managed by SHARING PERMISSIONS and SECURITY (properties of folders).

There's a group policy here: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Which can help you to DENY users to login locally, remotely and so on.

Let me know.

 

[fort78]

Hi, Thanks for the quick response!

The requirments are basically that no one but Administrators (who of course are allowed to by default), and two other groups are allowed to log on to the server in any capacity, be it physically walking up to it, or through remote. So, if i was to edit the local security policy to allow those - this would work?

Many Thanks
R Green

 

[ICTCity]

Yes,

But for RDP I suggest you to use the "old style" right click on computer > remote settings and add the group you need. THAN modify policies.

 

[fort78]

Ok, I shall give the user rights assignment a go for part of it, and the remote for the other - thanks so much for your help