Allow administrator log onto TS only from some computers


This topic contains 8 replies, has 4 voices, and was last updated by entadm 12 years, 9 months ago.

    nguyennp
    Member
    #126168

    Hi,

    Can we allow only some computers to make the remote desktop connection to Terminal Server via the administrator account? (based on MAC address or computer name, …). That means with the administrator account, we can only log onto Terminal Server from our admin computers.

    Thanks.

    ahinson
    Member
    #216341

    Re: Allow administrator log onto TS only from some computers

    nguyennp;72256 wrote:
    Hi,

    Can we allow only some computers to make the remote desktop connection to Terminal Server via the administrator account? (based on MAC address or computer name, …). That means with the administrator account, we can only log onto Terminal Server from our admin computers.

    Thanks.

    I don’t believe that you can do this… Connections are not restricted based on MAC or Computername using the built-in TS tools. There might be 3rd party tools that allow that or a way to script it.

    entadm
    Member
    #292039

    Re: Allow administrator log onto TS only from some computers

    VLAN setup may help you

    ahinson
    Member
    #216354

    Re: Allow administrator log onto TS only from some computers

    entadm;72876 wrote:
    VLAN setup may help you

    This may work. Choose not to route traffic on 3389 to the VLAN where the servers exist except for some condition.

    sorinso
    Member
    #265166

    Re: Allow administrator log onto TS only from some computers

    If you want to allow connection through RDP to a server only from specific computers, why not use the internal firewall? Or create a GPO for it, if you’re in an AD environment…

    nguyennp
    Member
    #249594

    Re: Allow administrator log onto TS only from some computers

    @entadm & ahinson: If I use VLAN, I have to change a lot. I think that’s the last choice for me.

    @sorinso: yeah, Internal firewall is a good idea. Yet, there’s no budget for that. So I want to find a simple solution or workaround. I’m thinking of your idea about GPO. Can you show me the TS policies which solve the issue? I don’t see any TS policy in GPO similar to my requirement.

    Thanks so much for all replies.

    ahinson
    Member
    #216355

    Re: Allow administrator log onto TS only from some computers

    sorinso;72907 wrote:
    If you want to allow connection through RDP to a server only from specific computers, why not use the internal firewall? Or create a GPO for it, if you’re in an AD environment…

    Doh! Ya firewall = good idea

    GPO to do what exactly? Control firewall? Enlighten me if you mean something else ;)

    sorinso
    Member
    #265169

    Re: Allow administrator log onto TS only from some computers

    There’s no need for budget, my friend. I was referring to the internal firewall of the TS server, not an external appliance.
    You will need to create a new GPO, that contains the appropriate settings, link it to the OU that the TS servers are placed in, apply them to the TS servers only and disable the User Settings (since firewall settings are computer-related).
    You can find all the firewall-relevant settings in Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile.
    Although you didn’t mention it clearly, I assume you are working in an Active Directory environment.

    Andrew is right, of course. If you want to make the RDP restriction for the Administrator account only, the firewall not only will not solve your problem, but will make things worse (you will not be able to connect to the TS servers at all, but from the computers that appear in the GPO even with plain users). My mistake, apologies.

    nguyennp
    Member
    #249595

    Re: Allow administrator log onto TS only from some computers

    nguyennp;72256 wrote:
    Hi,

    Can we allow only some computers to make the remote desktop connection to Terminal Server via the administrator account? (based on MAC address or computer name, …). That means with the administrator account, we can only log onto Terminal Server from our admin computers.

    Thanks.

    Hi all,

    Sorry but correct me if I’m wrong. I accidentally remember that Internal Firewall or even VLAN can’t solve the issue. I don’t want to deny admin users making the remote connection, what I want is: they (admins) can only log on using the admin account from their computer. With Internal Firewall, VLAN, GPO, I can allow some computers to connect to TS but can’t control if they’re using the admin account to log on or not.
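
The requirement in the last post (admin accounts logging on only from admin computers) can at least be audited after the fact from the Security log, since a source-address filter cannot see which account is used. The following is an added example, not part of the thread: it assumes Windows Server 2008 or later (logon event 4624, logon type 10 for Remote Desktop), events exported as XML under one root element, and a hypothetical account list and set of admin workstation addresses.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumptions for illustration (not from the thread): account names and admin PC addresses.
ADMIN_ACCOUNTS = {"administrator"}
ADMIN_WORKSTATIONS = {ip_address("10.0.5.11"), ip_address("10.0.5.12")}

# Constructed sample: event 4624 records trimmed to the fields this check reads.
_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4624</EventID><TimeCreated SystemTime='{0}'/></System>"
    "<EventData><Data Name='TargetUserName'>{1}</Data>"
    "<Data Name='LogonType'>{2}</Data><Data Name='IpAddress'>{3}</Data>"
    "</EventData></Event>"
)
_ROWS = [
    ("2012-03-01T08:00:00Z", "Administrator", "10", "10.0.5.11"),  # admin PC: allowed
    ("2012-03-01T09:15:00Z", "Administrator", "10", "10.0.9.40"),  # ordinary PC: flag
    ("2012-03-01T09:20:00Z", "jsmith", "10", "10.0.9.40"),         # plain user: ignore
    ("2012-03-01T09:30:00Z", "Administrator", "2", "127.0.0.1"),   # console logon: ignore
    ("2012-03-01T10:00:00Z", "administrator", "10", "-"),          # no source: flag
]
SAMPLE_EVENTS = "<Events>" + "".join(_EVENT.format(*r) for r in _ROWS) + "</Events>"


def flag_admin_rdp_logons(xml_text):
    """Return (time, user, source) for admin RDP logons from hosts off the allowlist."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") != "10":  # 10 = RemoteInteractive (Terminal Services/RDP)
            continue
        user = data.get("TargetUserName", "")
        if user.lower() not in ADMIN_ACCOUNTS:
            continue
        try:
            src = ip_address(data.get("IpAddress", ""))
        except ValueError:
            src = None  # missing or "-": cannot show it came from an admin workstation
        if src not in ADMIN_WORKSTATIONS:
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            findings.append((when, user, str(src) if src is not None else "unknown"))
    return findings


if __name__ == "__main__":
    for finding in flag_admin_rdp_logons(SAMPLE_EVENTS):
        print(finding)
```

This reports violations of the rule rather than enforcing it, so it complements whatever connection restriction is in place.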
