Hi all,
I have been asked by a client to restrict the ability to log onto domain controllers to a select number of accounts.
Currently as the site stands the domain controller policy "allow log on through terminal services" is not defined, however "allow local log on" is with a select number of security groups.
First thoughts were to create a new security group and allow that to log on only.
But further reading indicates that because that part of the policy is not defined that it defaults back to the "remote desktop users" group.
What is the best practice to lock down DC log ons?
Treading carefully as not to lock myself out.
Cheers!
I have been asked by a client to restrict the ability to log onto domain controllers to a select number of accounts.
Currently as the site stands the domain controller policy "allow log on through terminal services" is not defined, however "allow local log on" is with a select number of security groups.
First thoughts were to create a new security group and allow that to log on only.
But further reading indicates that because that part of the policy is not defined that it defaults back to the "remote desktop users" group.
What is the best practice to lock down DC log ons?
Treading carefully as not to lock myself out.
Cheers!
