Blocking Terminal Services Users from Some Objects

Use the special security principal REMOTE INTERACTIVE LOGON to limit remote users' privileges.

ITPro Today

June 27, 2005

1 Min Read
ITPro Today logo

Is there a way to prevent users logged on through Terminal Services from accessing certain files or other objects?

Yes; you can use the special security principal Remote Interactive Logon, which is available in ACLs and user rights assignments. Then, when a user logs on to a computer through Remote Desktop, Remote Assistance, or Terminal Services, Windows places the Remote Interactive Logon SID in the user's access token, which causes any permissions or rights assigned to Remote Interactive Logon to apply to the user for the current logon session.

To block your Terminal Services users from accessing a folder, for example, simply add to the folder an access control entry (ACE) that denies Full Control to Remote Interactive Logon. Then, anyone who logs on through Terminal Services and tries to access the folder will be denied access.

—Randy Franklin Smith

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like