
I have almost zero experience with Active Directory, so my questions may sound silly and obvious to more experienced people. Anyhow, I have been assigned partial admin rights to manage our unit in the AD server of our organization, and I need to have at least some basic understanding of how things work with AD.

There is a desktop computer that joins the AD server via a computer account, so that it can access IT resources. Now, to log in to this computer we only use a local user account (e.g. .\mylocaluser), as this machine serves as a shared computer among colleagues, so no one is allowed to log in with their AD user account.

We now have the need to control this computer via remote desktop, either from other PCs in the office or from home (under VPN). How can I restrict access to a set of users? As far as I understood, in AD I can control (e.g. via a group) which AD users can log in to a specific PC, but since we only use the local user account on the computer we need to control remotely, how can I accomplish this? Can I use the ADUC tool to set the computer "visible" to a given set of users? As it is, anyone with the IP address and local user details can access the computer...

1 Answer


The user right to log on via RDP is governed by membership in the local Administrators group and the local Remote Desktop Users group. Whoever you want to be able to log on to this computer via RDP needs to be a member of one of these local groups.

joeqwerty
  • I know this; indeed for other PCs, where we log on with our AD user accounts, I have created groups of users in the ADUC and added those groups to the RDU group to control who has the right to remotely connect to the different machines. For the PC I am asking about, however, we do not use AD users, only the local one. I can control somehow via firewall which IP can access it, but this is not practical. I wanted to know if I can use the ADUC to somehow create a group of non-AD user/non-AD computer accounts (e.g. home PCs), and have only this group be able to remotely control the PC. – pisistrato Apr 01 '21 at 17:50
  • No, you can't use ADUC. You need to add the local user accounts to the local Remote Desktop Users group to control which local user accounts can log on to the computer via RDP. – joeqwerty Apr 01 '21 at 17:53
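The answer above comes down to managing two local groups on the shared PC itself. The following PowerShell is an added example, not part of the original answer or comments, showing how to audit both groups, grant RDP access to a fixed list of local accounts, revoke it from any other local account, and confirm which groups hold the underlying user right. The account names in `$allowed` are placeholders; run it in an elevated PowerShell session on the shared PC.

```powershell
# Added example (not from the original thread). Run elevated on the shared PC.
# $allowed holds assumed local account names; replace with your real ones.
$allowed = @('mylocaluser', 'colleague2')

# 1. Audit: both Administrators and Remote Desktop Users can log on via RDP,
#    so list the members of each before changing anything.
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    Write-Host "== $g =="
    Get-LocalGroupMember -Group $g |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
}

# 2. Grant: add each intended local account to Remote Desktop Users
#    (skip accounts that are already members).
foreach ($u in $allowed) {
    $already = Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $u -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $u
        Write-Host "Added $u to Remote Desktop Users"
    }
}

# 3. Revoke: remove any *local* account in Remote Desktop Users that is not on
#    the list. Domain principals (PrincipalSource 'ActiveDirectory') are left alone.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Where-Object {
        $_.PrincipalSource -eq 'Local' -and
        (($_.Name -split '\\')[-1]) -notin $allowed
    } |
    ForEach-Object {
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name
        Write-Host "Removed $($_.Name) from Remote Desktop Users"
    }

# 4. Verify the user right itself. By default SeRemoteInteractiveLogonRight is
#    granted to Administrators and Remote Desktop Users (as SIDs S-1-5-32-544 and
#    S-1-5-32-555); anything else listed here widens RDP access beyond the two groups.
#    SeDenyRemoteInteractiveLogonRight, if set, overrides group membership.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern 'SeRemoteInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight'
Remove-Item $inf -ErrorAction SilentlyContinue
```

Step 3 only touches accounts whose `PrincipalSource` is `Local`, so domain groups you may have added for other purposes are not removed. Step 4 is the check worth keeping: group membership only matters because the "Allow log on through Remote Desktop Services" right is assigned to those two groups, so if a local policy or GPO has granted that right to `Everyone` or `Users`, tidying the groups alone does not restrict access.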