restricting admin to specific machines

Guest

Hiya everyone.

We have a server running TS, etc. We want to be able to admin the server,
but we want the admin to only be allowed from specific computers on the
domain. Since we have some fellows who VPN in, we want to block any admin
access to these machines from the VPN. HOWEVER, they should be able to log
in as regular users.

I.E. Regular user can TS or access machine over VPN or locally.
Admin can TS AND use admin tools from a local PC on the local domain.
Admin can NOT TS OR use admin tools from a remote PC that is VPN'd.

Can this be done?
 
An admin is an admin no matter how they access the computer. You can "try" to
restrict them; however, if they want, they can reconfigure the restrictions on "that"
computer. You can disable any user's ability to log on to a TS in their account
properties and also use Remote Access Policies to restrict where a user can go, via
input/output filters, on the local LAN when they access the network via VPN. IPsec
can also be used possibly to restrict access to the TS from only authorized
"computers". For instance, the TS could be configured with an IPsec require policy
[exempting domain controllers by IP address] and only those computers that could
access it would have an IPsec client/respond policy. If certificates are used for the
IPsec authentication you could prevent a user that is an administrator on only the
local computer from obtaining the necessary certificate. The default Kerberos
authentication would work but a local administrator could possibly configure his
computer to have a compatible IPsec policy then. --- Steve
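
The server-side IPsec require policy described in the answer above, sketched with `netsh ipsec static` (Windows Server 2003). This is an added example, not part of the original thread; the policy, filter list and rule names, the domain controller address 192.0.2.10 and the CA distinguished name are placeholders.

```bat
rem Run from the server console, not over TS: once the policy is assigned,
rem any machine without a matching IPsec policy loses connectivity.

rem 1. Create the policy unassigned so it can be built up safely.
netsh ipsec static add policy name="TS-Require" description="Require IPsec to reach this TS" assign=no

rem 2. Filter list matching traffic to and from the domain controller (placeholder IP).
netsh ipsec static add filterlist name="DC-Exempt"
netsh ipsec static add filter filterlist="DC-Exempt" srcaddr=192.0.2.10 dstaddr=me protocol=ANY mirrored=yes description="Domain controller, exempt"

rem 3. Filter list matching all other IP traffic to this server.
netsh ipsec static add filterlist name="All-To-Me"
netsh ipsec static add filter filterlist="All-To-Me" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="Everything else"

rem 4. Filter actions: plain permit for the DC, negotiate with no
rem    clear-text fallback (soft=no, inpass=no) for everything else.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Require-Security" action=negotiate soft=no inpass=no

rem 5. Rules. The more specific DC filter takes precedence over the "any" filter.
netsh ipsec static add rule name="Exempt-DC" policy="TS-Require" filterlist="DC-Exempt" filteraction="Permit"

rem    Certificate authentication: only machines holding a certificate issued
rem    by this CA (placeholder DN) can negotiate. Using kerberos=yes instead
rem    would let any domain member with a compatible policy connect.
netsh ipsec static add rule name="Require-Cert" policy="TS-Require" filterlist="All-To-Me" filteraction="Require-Security" rootca="CN=Example Admin Workstation CA"

rem 6. Review the result, then assign the policy.
netsh ipsec static show policy name="TS-Require" level=verbose
netsh ipsec static set policy name="TS-Require" assign=yes
```

The authorized workstations still need their own client/respond policy that authenticates with a certificate from the same CA, and certificate enrollment has to be limited to those machines for the restriction to hold.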
 