How Do You handle server only rdp (Remote Desktop Users group) permissions (non-administrator group)?


Max Coder

May 31, 2024, 3:47:08 PMMay 31
to ntsysadmin
Hi,

I work in a biz where we manage around 500+ Windows Servers.

We currently have a multitude of group policies setting various different groups of users (developers, BI, reporting, QA testers) which worked OK when we had 100 servers but now it's getting way too complicated and messy, our GPO list is epic...

I'm after some good ideas from how you guys handle these kind of challenges, and/or perhaps a third party program which could handle this for us in a more manageable way?

i.e. if an admin puts someone in Remote Desktop Users, it's revoked the next time Group Policy applies, as we set up our GPOs this way to ensure no sprawl. (A decent auditing solution would do, I guess.)

Granular permissions, i.e. group A has RDP access to servers 1-10, group B servers 5-8, group C 1-20

OR a security group per server? ACL-Remote-XXXXX

Cheers all

Philip Elder

Jun 1, 2024, 2:18:37 AMJun 1
to ntsys...@googlegroups.com

Are these Remote Desktop Farms with a Broker/Gateway/Web setup?

Is this for managing those servers?

It’s not clear for me what’s being accomplished here.

Philip Elder MCTS

maxcoder1

Jun 2, 2024, 11:20:23 AMJun 2
to ntsys...@googlegroups.com
Hi,

My scenario is: create a group "remote access to server A", use a GPO to make that group a member of the local group "Remote Desktop Users" on server A, then add users to that security group.
Use a single GPO with %computername% instead of each individual name.
Does that make sense?

Orlebeck, Geoffrey

Jun 2, 2024, 4:41:54 PMJun 2
to ntsys...@googlegroups.com
(Prefacing the below that I am not providing all the context/detail that should go into this, just offering an option you can research on your own)

Your initial example mentioned having a group granted access to a set of servers, and another group granted access to a different set of servers. If that is the goal, you can set up AD groups for the users and computers and use Group Policy, via Item-level targeting, to define those privileges/relationships. For example, you create "RDP_Users_GroupA" and add users that should have access to "Group A" servers. You also create "RDP_Servers_GroupA" with the AD computer objects the users in RDP_Users_GroupA should be able to RDP into. Once the groups are created, use Item Level Targeting to add "RDP_Users_GroupA" to the local RDP group, but only on computer objects that are members of RDP_Servers_GroupA. You can control who accesses what by adding/removing user/computer objects from the groups.


A great side-benefit is this lets you set up baselines for your local admin and/or RDS groups and append your item-level targeted privileges on top of the baseline memberships. Again, just an example, but the below has a default baseline at the top (based on order), then there are a handful of additional "Administrators" policies that add additional targeted groups to targeted systems in addition to the default baseline:


In case you haven't looked into it yet, Item-level targeting offers a variety of options beyond just group membership—IP addresses/subnets, OU location, or even your own WMI queries (proceed with caution on WMI queries! 🙂). You may find an easier or more dynamic way to manage these relationships within the GPOs themselves. Hope this helps or is useful to someone.

-Geoff
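One way to confirm that the user-group-to-server-group mapping Geoff describes actually holds on the servers, and to surface the membership sprawl Max mentions in the opening post rather than silently reverting it, is to reconcile the local "Remote Desktop Users" membership of each server against the AD groups. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, WinRM access to the servers, and uses the group names from Geoff's post as placeholders for your own naming.

```powershell
# Added example (not from the thread): detect drift between the intended
# RDP mapping (AD user group -> AD computer group) and the actual members of
# the local "Remote Desktop Users" group on each server.
# Assumptions: RSAT ActiveDirectory module, WinRM to every server, and the
# placeholder group names below.
#Requires -Modules ActiveDirectory

# Intended mapping: users in the key group may RDP into computers in the value group.
$Mapping = @{
    'RDP_Users_GroupA' = 'RDP_Servers_GroupA'
    'RDP_Users_GroupB' = 'RDP_Servers_GroupB'
}
# Members that are allowed on every server by your baseline policy (empty here;
# fill in if your baseline GPO adds something such as a support group).
$Baseline = @()
$Domain   = (Get-ADDomain).NetBIOSName

# Build the expected member list per server from the AD computer groups.
$Expected = @{}
foreach ($userGroup in $Mapping.Keys) {
    $computers = Get-ADGroupMember -Identity $Mapping[$userGroup] -Recursive |
        Where-Object objectClass -eq 'computer'
    foreach ($c in $computers) {
        if (-not $Expected.ContainsKey($c.Name)) {
            $Expected[$c.Name] = [System.Collections.Generic.List[string]]::new()
        }
        $Expected[$c.Name].Add("$Domain\$userGroup")
    }
}

# Read the real membership from each server and compare.
$Report = foreach ($server in $Expected.Keys) {
    try {
        $actual = @(Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
        })
    } catch {
        [pscustomobject]@{ Server = $server; Status = 'Unreachable'; Unexpected = ''; Missing = '' }
        continue
    }
    $want       = @($Expected[$server]) + $Baseline
    $unexpected = @($actual | Where-Object { $_ -notin $want })   # sprawl: added by hand
    $missing    = @($want   | Where-Object { $_ -notin $actual }) # GPO not applied / wrong targeting
    [pscustomobject]@{
        Server     = $server
        Status     = if ($unexpected -or $missing) { 'Drift' } else { 'OK' }
        Unexpected = ($unexpected -join ';')
        Missing    = ($missing -join ';')
    }
}

$Report | Sort-Object Status, Server | Format-Table -AutoSize
```

Run it from a management host on a schedule and alert on any row with Status "Drift". Note that Get-LocalGroupMember fails on some builds when the local group holds an orphaned SID (an account deleted from AD); if you hit that, fall back to parsing `net localgroup "Remote Desktop Users"` inside the remote script block.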


Severino Juan Miguel

Jun 4, 2024, 2:39:35 AMJun 4
to ntsys...@googlegroups.com

Hi Max.

That method is how we managed local admin and remote desktop permissions at one of my former employers. Both groups were created during server provisioning (something like localadmin-servername + rdc-servername) and, using variables:

A single GPO removed domain admins from the local administrators group and added the "per server" groups to the corresponding local ones, plus a "server admin" group for the infrastructure administrators (if you don't do that and make your admins member of 500 AD groups, you may reach the size limit of the Kerberos token).

Best regards

Seve

maxcoder1

Jun 4, 2024, 9:34:13 AMJun 4
to ntsys...@googlegroups.com
How were the security groups created? PowerShell script? Manually?

Severino Juan Miguel

Jun 5, 2024, 2:56:38 AMJun 5
to ntsys...@googlegroups.com

Hi

Since it was decided to implement it, it was done automatically via PowerShell. All servers and PCs were being rolled out using SCCM + Orchestrator and one step in that process was creating the AD Computer object in the right OU and AD groups for delegated management.

Existing systems were adapted via scripting:

1. CSV with a list of computer names + PowerShell script to create AD groups.
2. Assign the GPO to add the new groups.
3. Test that you can access the system without domain admin rights using the new "server administrators" group (this can be done with PowerShell).
4. Fix the possible problems you have found (i.e. missing AD groups, other GPO problems).
5. Modify the GPO to not only add the new groups, but also remove domain admins from the administrators group.

Using that method, it was possible to assign specific people remote desktop or local administrator rights to specific systems. It also ensured that scripts requiring domain admin to interact with the domain weren't able to do anything to the servers/data (without messing with AD groups or GPOs, which were audited).

Best regards
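Max's per-server-group scenario (one group per server, a single GPO using %ComputerName%) and steps 1 and 3 of Seve's procedure (create the groups from a CSV, then verify access without domain admin rights) can be covered by one script. The following is an added PowerShell example, not code posted in the thread; it assumes the RSAT ActiveDirectory module, WinRM to the servers, a GPO that adds "<domain>\rdc-%ComputerName%" to the local Remote Desktop Users group and "<domain>\localadmin-%ComputerName%" plus a "ServerAdmins" group to local Administrators, and placeholder OU and domain names.

```powershell
# Added example (not from the thread): create per-server delegation groups from a
# CSV (step 1), then verify with a non-Domain-Admin credential that the GPO has
# populated the local groups (step 3).
# Assumptions: RSAT ActiveDirectory module, WinRM, group prefixes "rdc-" and
# "localadmin-" as in Seve's post, placeholder OU/domain, a GPO using %ComputerName%.
#Requires -Modules ActiveDirectory
param(
    [string]$CsvPath    = '.\servers.csv',                            # constructed input: one column "ComputerName"
    [string]$GroupOU    = 'OU=ServerDelegation,DC=corp,DC=example',   # placeholder OU
    [string]$AdminGroup = 'ServerAdmins'                              # infrastructure admins group (placeholder)
)
$Domain = (Get-ADDomain).NetBIOSName

function New-ServerDelegationGroups {
    # Step 1: one RDP group and one local-admin group per server, idempotent.
    param([string]$ComputerName)
    foreach ($prefix in 'rdc', 'localadmin') {
        $name = "$prefix-$ComputerName"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
                -Description "Delegated $prefix access to $ComputerName (created by provisioning script)"
        }
    }
}

function Test-ServerDelegation {
    # Step 3: connect with a credential that is NOT a Domain Admin (a ServerAdmins
    # member) and read back the local group membership the GPO should have produced.
    param([string]$ComputerName, [pscredential]$NonAdminCred)
    $expected = @{
        'Remote Desktop Users' = @("$Domain\rdc-$ComputerName")
        'Administrators'       = @("$Domain\localadmin-$ComputerName", "$Domain\$AdminGroup")
    }
    $actual = Invoke-Command -ComputerName $ComputerName -Credential $NonAdminCred -ErrorAction Stop `
        -ArgumentList (,[string[]]$expected.Keys) -ScriptBlock {
            param($groups)
            $out = @{}
            foreach ($g in $groups) {
                $out[$g] = @(Get-LocalGroupMember -Group $g | Select-Object -ExpandProperty Name)
            }
            $out
        }
    foreach ($g in $expected.Keys) {
        $missing = @($expected[$g] | Where-Object { $_ -notin $actual[$g] })
        [pscustomobject]@{
            Server     = $ComputerName
            LocalGroup = $g
            Missing    = ($missing -join ';')
            Ok         = ($missing.Count -eq 0)
        }
    }
}

# Step 1 for every server in the CSV.
$servers = Import-Csv -Path $CsvPath
foreach ($s in $servers) { New-ServerDelegationGroups -ComputerName $s.ComputerName }

# Step 3, after the GPO has refreshed on the servers (gpupdate /force or one cycle):
# $cred = Get-Credential            # a ServerAdmins member, deliberately not Domain Admin
# $servers | ForEach-Object { Test-ServerDelegation -ComputerName $_.ComputerName -NonAdminCred $cred } |
#     Format-Table -AutoSize
```

Only after every row reports Ok for both local groups (step 4 fixes the rest) is it safe to take Seve's step 5 and let the GPO remove Domain Admins from local Administrators; the verification pass itself succeeding with the non-admin credential is the proof that nothing still depends on Domain Admin for server access.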
