Block Administrator authentication attempts from workstations

My Administrator user is getting locked out once in a while by the workstations in our lab, due to failed logon attempts.
(While this is a problem that should be addressed, because it means there is something wrong with the techies' process, it's a small and less important one at the moment.)

My main problem is that the Administrator can authenticate from anywhere in the network.
I've tried using GPO ("Deny log on through Remote Desktop Services") and ADUC ("Log On To" list).
While he can't actually log on, the authentication is performed first and only then does the system check whether there's a GPO or an ADUC block, thus allowing the Administrator user to get locked out.

Of course this problem can apply to any user.
My Domain\Forest level is 2008 R2, and I don't have a firewall between my LAN and my DC.

So, in short, I want to allow authentication attempts of the Administrator only from certain computers.
Any suggestions?


You cannot do this, unless you start blocking ports, which won't be limited to a specific user. Sorry. Think of it this way - a Windows system doesn't know who a connecting user is, until they authenticate.
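
Because the failed attempts are counted on the DC before any logon restriction applies, the DC's Security log records where each one came from. The following is an added example, not part of the original posts: it tallies bad-password events (4776 NTLM, 4771 Kerberos) and lockout events (4740) per source for one account. It assumes the relevant auditing is enabled and that the log was exported as XML wrapped in an `<Events>` root element; the host names, address and sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _ev(eid, **data):
    """Build one constructed <Event> in the layout of a Security log XML export."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample input (hypothetical lab hosts, documentation-range address).
SAMPLE = "<Events>" + "".join([
    _ev(4776, TargetUserName="Administrator", Workstation="LAB-PC07", Status="0xc000006a"),
    _ev(4776, TargetUserName="Administrator", Workstation="LAB-PC07", Status="0xC000006A"),
    _ev(4771, TargetUserName="Administrator", IpAddress="::ffff:192.0.2.23", Status="0x18"),
    _ev(4776, TargetUserName="alice", Workstation="LAB-PC02", Status="0xc000006a"),
    _ev(4776, TargetUserName="Administrator", Workstation="ADMIN-WS01", Status="0x0"),
    _ev(4740, TargetUserName="Administrator", TargetDomainName="LAB-PC07"),
]) + "</Events>"

def failure_source(event):
    """Return (account, source) for a bad-password or lockout event, else None."""
    eid = event.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in event.iterfind("e:EventData/e:Data", NS)}
    status = data.get("Status", "").lower()
    if eid == "4776" and status == "0xc000006a":    # NTLM validation: wrong password
        return data["TargetUserName"], data["Workstation"]
    if eid == "4771" and status == "0x18":          # Kerberos pre-auth: wrong password
        return data["TargetUserName"], data["IpAddress"].replace("::ffff:", "")
    if eid == "4740":                               # lockout: TargetDomainName is the caller computer
        return data["TargetUserName"], data["TargetDomainName"]
    return None

def tally_sources(xml_text, account):
    """Count bad-password and lockout events per source for one account."""
    counts = Counter()
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        hit = failure_source(event)
        if hit and hit[0].lower() == account.lower():
            counts[hit[1]] += 1
    return counts

if __name__ == "__main__":
    for source, n in tally_sources(SAMPLE, "Administrator").most_common():
        print(f"{source}: {n}")
```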