Blocking other engineers from logging on to my server terminally to make changes
i am looking after three servers and im trying to get a solution on how to stop other engineers from logging onto my server. right now everyone is an administrator in my servers and people log in and make changes on my server. please help me out
June 29th, 2011 4:10am

remove these users from remote desktop admin, also make sure that these users are not members of local administrators or remote desktop groups so that they dont inherite remote desktop permissionThanks Uday Kiran, Senior Consultant Cyquent Technology Consultants, Dubai Please Mark as answer if it helps you
Free Windows Admin Tool Kit Click here and download it now
June 29th, 2011 4:25am

Seems more of behavior issue then technical issue. If they are admins they have admin rights which means remote logon, changes etc. You can change the local policy to deny logon from the network but then again if you don't trust them they should just be removed from admins.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 29th, 2011 10:43am

Hi, To restrict user log into a server on locally, you can use Local Security policy: 1. Open Local Security Policy, expand to Local Policies->User Rights Assignment. Locate "Allow log on locally". 2. Under the list, remove all users or groups except "Backup Operations". then add your user account. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT
Free Windows Admin Tool Kit Click here and download it now
June 30th, 2011 5:03am

thank you guys for the response. I am actually trying to stop them from logging on remotely into the servers,They are administrators on my servers. for example im having guys logging on to my AD and adding users and assining rights to those users and i cannot even explain it. I just want to stop them from even remotely logging in. My concern is there is a group on my servers called domain admins and all these administrators are part of that group, this group is in every server of mine and im not sure what it will do if i remove these administrators from that group and i unfortunately don't have a test environment. Please guys i desperately need help .Please
July 1st, 2011 2:56am

If you remove them from the domain admins group, they won't be able to make changes to AD anymore. They could also lose admin rights to member servers in the domain. If it's not practical to remove them from that group, you should be able to at least enable and audit logging on your domain controllers so that you have an audit trail of who changed what.[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2011 7:04am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics