Securing Server Access To a Single Security Group

Hello,


I am trying to set up some server access security in a 2008 R2 environment. I have created a security group and added the users who need access. I was under the impression that I could create a custom firewall rule and add the group and that would only allow them access. Come to find out, if a user is not in the security group but is in the Remote Desktop Users group, then they will still be able to log in to the machine remotely. Is there a way to lock everything down so that only the security group can access the server? I've read a little about NPS, but I'm not sure if this would allow me to do what I need.


Regards and Thanks in Advance.
  • Edited by Green-Tech Tuesday, September 01, 2015 7:51 PM
September 1st, 2015 7:50pm

Hi, I don't think you can delete a built-in security group...

Try customizing it, you may find more information here -

https://technet.microsoft.com/en-us/library/Cc771990.aspx

https://technet.microsoft.com/en-us/library/Cc756898(v=WS.10).aspx

  • Proposed as answer by Gramelot Tuesday, September 01, 2015 9:09 PM
September 1st, 2015 9:08pm

Hi Green-tech,

NPS provides authentication, authorization and accounting services for network access servers (NAS) and uses policies to limit the network access of NAS clients.

According to your description, you want to allow only specific user groups to access (log on to) the servers, and it seems that you didn't set up NAS to provide network access to the servers. It may not be suitable to use NPS directly.

To achieve your goal, maybe we can use user rights assignment to manage local logon and remote logon. You may use the following steps to open user rights assignment: run gpedit on the server, and in the local group policy, under Computer Configuration, expand Windows Settings > Security Settings > Local Policies > User Rights Assignment. In the policies, we may find "Allow log on locally", "Access this computer from the network" and other policies; we may change the security settings to achieve your goal.

Best regards,

Anne he

September 3rd, 2015 9:37pm
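
One way to check the result of the user rights assignment described above, as an added example that is not part of the original thread: the PowerShell below parses a secedit export of user rights and lists every principal outside an allowed set. The group name CONTOSO\Server-Access, the function names and the sample lines are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Assumption: the allowed group name.
$Allowed = @('CONTOSO\Server-Access', 'BUILTIN\Administrators')

# User rights by secedit constant name. The first two are named in the reply;
# the third is the right that governs Remote Desktop logon.
$Rights = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeNetworkLogonRight'           = 'Access this computer from the network'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as *S-1-...; account names appear as plain text.
    if ($Entry -notmatch '^\*(S-1-[\d-]+)$') { return $Entry }
    $raw = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $raw }   # SID that cannot be resolved: report it as-is
}

function Get-LogonRightHolder([string[]]$InfLines) {
    foreach ($line in $InfLines) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.+)$') { continue }
        $right = $Matches[1]; $members = $Matches[2]
        if (-not $Rights.ContainsKey($right)) { continue }
        foreach ($entry in ($members -split ',')) {
            $name = Resolve-Principal $entry.Trim()
            New-Object PSObject -Property @{
                Policy     = $Rights[$right]
                Principal  = $name
                Unexpected = ($Allowed -notcontains $name)
            }
        }
    }
}

# Constructed sample of a [Privilege Rights] section. On a real server use:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"
$lines = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    'SeInteractiveLogonRight = *S-1-5-32-544',
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
)
Get-LogonRightHolder $lines | Where-Object { $_.Unexpected } |
    Select-Object Policy, Principal | Format-Table -AutoSize
```

In the constructed sample, S-1-5-32-555 is the built-in Remote Desktop Users group and S-1-1-0 is Everyone, so both are reported as holders outside the allowed set.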
