Based on my understanding of what you are asking here, I would strongly recommend approaching this from a minimal privilege standpoint. Grant certain rights on an individual system level for local objects to those servers rather than trying to grant broader rights and then restrict the login footprint where that account is valid.
Operate on the principle of least privilege. Give the account nothing more than it needs. If it needs no rights anywhere on the domain other than on those servers, (including the inability to logon) then modify existing GPOs so that it is denied logon rights on all the computer objects in other OUs other than the one that contains this server and do not grant any specific allowed rights on any other servers. Then grant the specific privileges on each system which is targeted for administrative use for this account. -------------------------------------- Wayne S. Anderson "An sufficiently developed bug is indistinguishable from a feature." http://www.linkedin.com/in/wayneanderson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, April 27, 2007 2:41 PM To: [email protected] Subject: Restrict Windows login to certain IPs/hosts for certain domain accounts? Hello to all, I'm working with a particular client who would like to use a certain domain account with local admin rights for config and other monitoring via BMC, but would like to restrict that account so that it can only log on to other systems from a single IP or a small range of IPs (i.e., the monitoring servers), so that its local admin rights are not used/abused by others. The client has Windows 2000 and 2003 servers, and mostly 2000 and XP workstations. The client is using Cisco Security Agent on the servers, so if that can factor in, that would be fine, too. Essentially, we need an account with local admin that can do anything on those systems for the monitoring but can't mess with AD and can't be used from other locations by other users who might know the password (or attackers who have guessed the password). Is this possible? Would simply restricting local logon/TS logon via user rights be enough? Anyone have ideas that might be helpful? I'm wide open to suggestions; the Windows guys here are pretty good, but even they aren't sure how to approach this. Thanks for any assistance. Sincerely, Chris Mallow
