restrict "remote admin" access for administrative account

detaxto

My problem is that on one of my computers there are a few accounts with
administrative privileges and only one that is the true administrator.
Any user with administrative privileges can log in remotely and
start a program under his account. Is it possible to restrict only
certain administrative users from starting remote sessions on my
computer?

For example: the program "psexec.exe" can run processes on a remote computer
under a domain password or under a password and username that has
administrative privileges. How can I disable that?

Similar to "shutdown" in Windows XP, where you can shut down remote
computers.

This is the brick wall I ran into... Is it possible that this is the
biggest Windows bug? HELP!!!!...
 
Doug Knox MS-MVP

Use the Group Policy Editor to specify a logon script for all users. Copy and paste the following into a Notepad file and save it with a VBS extension. Point the logon script setting in the Group Policy Editor to the file you just created. Now, when any user logs on, locally or remotely, the script is run. If they are logged in remotely and if they are not using the built-in Administrator account, they get logged off. To specify a different account to allow remote logons, change the "Administrator" string in the script.

'Code from http://dev.remotenetworktechnology.com/wsh/lib/tslib.htm
Set Sh = CreateObject("WScript.Shell")
'Get the username
User = CreateObject("WScript.Network").Username

'Check to see if it's a TS or RD session and if the user is someone other than Administrator
'StrComp with vbTextCompare compares the account name case-insensitively
If IsTSSession And StrComp(User, "Administrator", vbTextCompare) <> 0 Then
    'Log the remote session off
    Sh.Run ("%windir%\System32\logoff.exe")
End If
Set Sh = Nothing

Function IsTSSession
    'Returns True if it is a TS/RD session, False if not
    'If %Clientname% is not set, ExpandEnvironmentStrings returns the string unchanged
    x = LCase(Sh.ExpandEnvironmentStrings("%Clientname%"))
    If (x <> "") And (x <> "console") And (x <> "%clientname%") Then
        IsTSSession = True
    Else
        IsTSSession = False
    End If
End Function
 
Steven L Umbach

First off, it is really difficult to restrict anyone with administrator
powers, and any administrator can reset the password of the built-in
Administrator account and then log on as the built-in Administrator account
if they know they can do it and are inclined to do so. You can, however, tweak
some user rights that may help. Open Local Security Policy on your computer
and go to Local Policies/User Rights. Remove Administrators from "Access this
computer from the network" and replace it with the specific users that you
want to have access. Then do the same for the user right "Allow logon through
Terminal Services". You could also add the specific user accounts that you
want to restrict to the two corresponding deny user rights. --- Steve
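
The user-rights changes described in the reply above can be checked after they are made. As an added example (not part of the original thread), this Python script audits the [Privilege Rights] section written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample export and its account SIDs are constructed, and the function names are hypothetical.

```python
# Constructed sample of a secedit user-rights export (account SIDs are made up).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1004
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Allow right -> (name shown in Local Security Policy, corresponding deny right)
REMOTE_RIGHTS = {
    "SeNetworkLogonRight":
        ("Access this computer from the network", "SeDenyNetworkLogonRight"),
    "SeRemoteInteractiveLogonRight":
        ("Allow logon through Terminal Services", "SeDenyRemoteInteractiveLogonRight"),
}

def parse_privilege_rights(text):
    """Return {right name: set of SIDs or account names} from a secedit export."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*")
                                    for m in members.split(",") if m.strip()}
    return rights

def audit_remote_rights(text, restricted=()):
    """Report allow rights still held by Administrators and restricted
    accounts that are missing from the corresponding deny right."""
    rights, findings = parse_privilege_rights(text), []
    for allow, (label, deny) in REMOTE_RIGHTS.items():
        if ADMINISTRATORS in rights.get(allow, set()):
            findings.append(f"{label}: Administrators group still granted ({allow})")
        for account in restricted:
            if account not in rights.get(deny, set()):
                findings.append(f"{label}: {account} missing from {deny}")
    return findings

if __name__ == "__main__":
    target = "S-1-5-21-1111111111-2222222222-3333333333-1005"  # constructed SID
    print("\n".join(audit_remote_rights(SAMPLE_EXPORT, restricted=[target])))
```

To audit a real machine, read the exported file with `open("rights.inf", encoding="utf-16").read()`, since secedit writes the export as Unicode, and pass the text to `audit_remote_rights`.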
 
