Restrict Remote Desktop access for specific users to specific servers in a domain environment?

I have a domain controller and I want to allow certain user accounts Remote Desktop access to certain servers in the same domain.

There are many servers that can be accessed via the Remote Desktop Protocol, but I'd like to restrict these users to connecting only to the servers I allow, not all of them.

For example, I have user "Billy" and I want him to be able to RDP to servers "1" and "2" but not to server "3".

Please explain a good approach to this problem.


Restricted remote-desktop connection in domain environment for domain user

Solution

To deny a user or a group logon via RDP, explicitly set the "Deny logon through Remote Desktop Services" privilege.

To do this, access a group policy editor (either local to the server or from an OU) and set this privilege:

  1. Start | Run | Gpedit.msc if editing the local policy, or choose the appropriate policy and edit it.

  2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

  3. Find and double click "Deny logon through Remote Desktop Services"

  4. Add the user and / or the group that you would like to deny access.

  5. Click Ok.

  6. Either run gpupdate /force /target:computer or wait for the next policy refresh for this setting to take effect.

Source
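The GUI steps above write the user right SeDenyRemoteInteractiveLogonRight into the server's local security policy. The script below is an added example (not part of the original answer or its source) that does the same thing non-interactively with secedit, so it can be run on each server where a user should be blocked (server "3" in the question). The domain name CONTOSO, the account name, and the temp paths are assumptions. Two caveats a practitioner should keep in mind: a deny right always wins over an allow (membership in Remote Desktop Users does not help), and if a domain GPO also defines this right, the GPO value replaces whatever is set locally at the next policy refresh, so in a domain the setting belongs in a GPO linked to the servers' OU rather than in local policy.

```powershell
# Added example, not from the original answer. Run elevated on the server that
# should refuse RDP logons for the listed accounts. Domain, user and paths are
# assumptions; groups (e.g. 'CONTOSO\No-RDP-Server3') work the same way.
$DenyAccounts = @('CONTOSO\Billy')
$Privilege    = 'SeDenyRemoteInteractiveLogonRight'   # "Deny log on through Remote Desktop Services"

$work   = Join-Path $env:TEMP 'rdp-deny'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$export = Join-Path $work 'current.inf'
$apply  = Join-Path $work 'apply.inf'
$db     = Join-Path $work 'apply.sdb'

# 1. Export the current user-rights assignments so existing entries are preserved
#    (secedit writes them as *SID values).
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# 2. Read the current value of the deny right; the line is absent if never set.
$current = @()
$line = Select-String -Path $export -Pattern "^\s*$Privilege\s*=" | Select-Object -First 1
if ($line) {
    $current = ($line.Line -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ }
}

# 3. Resolve the accounts to SIDs up front. secedit accepts "*S-1-..." entries,
#    and a SID does not change if the account is renamed later.
$sids = foreach ($acct in $DenyAccounts) {
    $nt = New-Object System.Security.Principal.NTAccount($acct)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$merged = ($current + $sids | Sort-Object -Unique) -join ','

# 4. Write a minimal template that touches only this one privilege and apply it.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $merged
"@ | Set-Content -Path $apply -Encoding Unicode

secedit /configure /db $db /cfg $apply /areas USER_RIGHTS | Out-Null

# 5. Verify by re-exporting and printing the resulting assignment.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
Select-String -Path $export -Pattern "^\s*$Privilege\s*=" | ForEach-Object { $_.Line }
```

The merge in step 3 matters: secedit replaces the whole list for a privilege, so writing only the new account would silently drop any entries that were already denied. The final line shows the merged list of SIDs; `Get-LocalUser`/`Get-ADUser` can translate them back if a human-readable check is wanted.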


The best option to me in this case is to simply modify the properties of the user's AD account. Under the "Account" tab, select "Log On To" and there you can specify to which computers the user is allowed to log on. You will of course want to allow them to log on to their own workstation, but you can also add the terminal servers to which they should be allowed to log on.

The downside to this method, depending on your environment, is that the user would not be allowed to log on at other workstations either, unless those workstations are specified in this list of allowed systems.
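The "Log On To" dialog edits the userWorkstations attribute, which the ActiveDirectory PowerShell module exposes as LogonWorkstations. The script below is an added example (not from the original answer) that sets that list for the question's user "Billy" from a machine with RSAT installed; the computer names BILLY-PC, SERVER1 and SERVER2 are assumptions. Because the attribute is a single comma-separated string that is replaced on every write, the example reads the existing value and merges it rather than overwriting it, and it leaves server "3" out on purpose.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory
# module (RSAT) and rights to modify the user object. Names are assumptions.
Import-Module ActiveDirectory

$User    = 'Billy'
$Allowed = @('BILLY-PC', 'SERVER1', 'SERVER2')   # his workstation plus the two permitted RDP hosts

# LogonWorkstations is a comma-separated list of NetBIOS computer names (no domain prefix).
# Setting it replaces the whole list, so merge with whatever is already there.
$existing = (Get-ADUser -Identity $User -Properties LogonWorkstations).LogonWorkstations
$current  = if ($existing) { $existing -split ',' } else { @() }
$merged   = ($current + $Allowed |
             ForEach-Object { $_.Trim().ToUpper() } |
             Where-Object { $_ } |
             Sort-Object -Unique) -join ','

Set-ADUser -Identity $User -LogonWorkstations $merged

# Verify: server 3 must not appear in the list.
(Get-ADUser -Identity $User -Properties LogonWorkstations).LogonWorkstations

# To lift the restriction again (allow logon to all computers), clear the attribute:
# Set-ADUser -Identity $User -Clear userWorkstations
```

Note that, as the answer says, an empty list means "all computers"; once any name is present, every machine the user must reach interactively, including a replacement workstation or a jump host, has to be added here or logons there fail with the "your account is configured to prevent you from using this computer" message.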