Are these Remote Desktop Farms with a Broker/Gateway/Web setup?
Is this for managing those servers?
It’s not clear to me what’s being accomplished here.
Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/11ed08c5-df5d-4cda-9409-1a4d064e5f0en%40googlegroups.com.
Hi Max.
That method is how we managed local admin and remote desktop permissions at one of my former employers. Both groups were created during server provisioning (something like localadmin-servername + rdc-servername) and using variables:
A single GPO removed domain admins from the local administrators group and added the "per server" groups to the corresponding local ones, plus a "server admin" group for the infrastructure administrators (if you don't do that and make your admins member of 500 AD groups, you may reach the size limit of the Kerberos token).
Best regards
Seve
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On behalf of maxcoder1
Sent: Sunday, 2 June 2024 17:20
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] How Do You handle server only rdp (Remote Desktop Users group) permissions (non-administrator group)?
Hi
Since it was decided to implement it, it was done automatically via PowerShell. All servers and PCs were being rolled out using SCCM + Orchestrator and one step in that process was creating the AD Computer object in the right OU and AD groups for delegated management.
Existing systems were adapted via scripting:
1. CSV with a list of computer names + PowerShell script to create AD groups.
2. Assign the GPO to add the new groups
3. Test that you can access the system without domain admin rights using the new "server administrators" group (this can be done with PowerShell)
4. Fix the possible problems you have found (i.e. missing AD groups, other GPO problems)
5. Modify the GPO to not only add the new groups, but also remove domain admins from the Administrators group.
Using that method, it was possible to assign specific people remote desktop or local administrator rights to specific systems. It also ensured that scripts requiring domain admin to interact with the domain weren't able to do anything to the servers/data (without messing with AD groups or GPOs, which were audited).
Best regards
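An added example, not posted by anyone in this thread, of what Seve's per-server group scheme and steps 1 and 3 of the reply above look like when scripted: localadmin-/rdc- groups are created from a computer list (a constructed stand-in for the CSV), and each server's local group membership is then read back to confirm the GPO placed the new groups and removed Domain Admins. The OU path, the NetBIOS domain name and the CSV column name are assumptions; run the check as a member of the new server administrators group, not as a Domain Admin, so that it also proves access works without those rights.

```powershell
# Example code, not from the thread. Placeholders: OU path, domain name, server names.
Import-Module ActiveDirectory

$GroupOU  = 'OU=ServerDelegation,OU=Groups,DC=example,DC=local'   # assumed OU
$Prefixes = @{ Admin = 'localadmin-'; Rdp = 'rdc-' }              # naming from the thread

# Constructed sample input; in practice: Import-Csv .\servers.csv (column "ComputerName").
$servers = @(
    [pscustomobject]@{ ComputerName = 'SRV-APP01' },
    [pscustomobject]@{ ComputerName = 'SRV-DB01' }
)

# Step 1: one local-admin group and one RDP group per server. Idempotent, so the
# script can be re-run after fixing problems found in step 4.
foreach ($s in $servers) {
    foreach ($kind in $Prefixes.Keys) {
        $name = $Prefixes[$kind] + $s.ComputerName
        if (-not (Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)) {
            New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
                -GroupCategory Security -Path $GroupOU `
                -Description "$kind rights on $($s.ComputerName), delegated via GPO"
        }
    }
}

# Step 3: the GPO (Group Policy Preferences "Local Users and Groups", using the
# %ComputerName% variable) should have added the per-server groups to the local
# Administrators and Remote Desktop Users groups. Read the membership back and
# flag drift, e.g. Domain Admins still present after the step-5 change.
function Test-DelegatedAccess {
    param([string]$ComputerName, [string]$Domain = 'EXAMPLE')   # assumed NetBIOS domain
    $adminGrp = $Prefixes.Admin + $ComputerName
    $rdpGrp   = $Prefixes.Rdp   + $ComputerName
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Domain, $adminGrp, $rdpGrp -ScriptBlock {
        param($Domain, $AdminGrp, $RdpGrp)
        $admins = (Get-LocalGroupMember -Group 'Administrators').Name
        $rdp    = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            AdminGroupPresent   = $admins -contains "$Domain\$AdminGrp"
            RdpGroupPresent     = $rdp    -contains "$Domain\$RdpGrp"
            DomainAdminsRemoved = $admins -notcontains "$Domain\Domain Admins"
        }
    }
}

$servers | ForEach-Object { Test-DelegatedAccess -ComputerName $_.ComputerName } | Format-Table
```

Any row with a False value is a server to fix in step 4 before the GPO is switched to removing Domain Admins in step 5.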