Prevent member of administrator group loging in via Remote Desktop

Posted by Chris J on Server Fault See other posts from Server Fault or by Chris J
Published on 2010-03-19T10:04:47Z Indexed on 2010/03/19 10:11 UTC
Read the original article Hit count: 249

In order to support some build processes on our Server 2003 development servers, we require a common user account that has administrative privs.

Unfortuantly, this also means that anyone that knows the password can also gain admin privs on a server. Assume that trying to keep the password secret is a failed exercise. Developers that need admin privs already have admin privs so should be able to log in as themselves.

So the question is a simple one: is there anything I can configure to prevent people (ab)using the account to gain administrator on servers they shouldn't have administrator on? I'm aware that devs could disable anything that is put in place, but that's then down to process and auditing to track and manage.

I don't mind where or how: it can be via the local security policy, group policy, a batch file executed in the user's profile, or something else.

© Server Fault or respective owner

Related posts about windows-server-2003

Related posts about user-management