Yes, that did occur to me. We need to do more testing with that method. What about other clients? Are there other options that I might be missing?

Thanks

On 6/19/2014 3:09 PM, Geoffrey Duke wrote:

You could RDP as a domain account, and then use “Run as another user” (shift-right-click on the program icon or shortcut) to launch a tool as a local user.

 

--Geoff

 

From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Ernie Buford
Sent: Tuesday, June 17, 2014 1:03 PM
To: [log in to unmask]
Subject: Re: Notice - Change to workstations in Campus Domain

 

Yes, we make extensive use of RDP -- most importantly, to work remotely with processes that run for long periods of time. I do use RDP occasionally for admin tasks that require use of the local Administrator account. I presume that it's time for a different approach...

Ernie

On 6/17/2014 12:38 PM, Geoffrey Duke wrote:

It would do so only if you are using a local account (e.g., the Administrator account), or a *-tech account. If you are using a domain account, with appropriate permissions, RDP should still work. Do you RDP to workstations?

 

--Geoff

 

From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Ernie Buford
Sent: Tuesday, June 17, 2014 10:39 AM
To: [log in to unmask]
Subject: Re: Notice - Change to workstations in Campus Domain

 

Your description sounds like this change will affect the ability to connect to other workstations via Remote Desktop Connection. True?

On 6/16/2014 4:54 PM, Geoffrey Duke wrote:

As mentioned in the Collaborative IT Discussion on Wednesday last week, we have made a small change to the Security Policy on workstations that are part of the Campus domain. We configured the Deny access to this computer from the network right, adding the ETS-LocalAdmins group and the new well-known group Local Account.

 


 

This limits the utility of compromised credentials, addressing a common method for moving through an organization and harvesting additional credentials. This configuration change shouldn’t impact the ability to log into a workstation using either a local account or a *-tech account, but you won’t be able to use such an account to connect from one workstation to another.

 

Please let us know if you have any questions or concerns about this change,

 

--Geoff

 

Geoffrey Duke
802.656.1172 |
Sr System Administrator | Enterprise Technology Services | University of Vermont
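
The policy change announced at the start of this thread can be verified from a `secedit` export. The following is an added example, not part of the original messages or of UVM's configuration: it checks whether the "Deny access to this computer from the network" right (`SeDenyNetworkLogonRight`) includes the well-known Local account SID `S-1-5-113`. The function names and the sample export lines are constructed for illustration; the ETS-LocalAdmins group is omitted because its SID does not appear in the thread.

```powershell
# Well-known Windows SID for the "Local account" group.
$LocalAccountSid = 'S-1-5-113'

function Get-DenyNetworkLogonEntries {
    # Parse the lines of a `secedit /export` INF file and return the principals
    # assigned SeDenyNetworkLogonRight, with the leading '*' SID marker removed.
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # right not assigned to anyone
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-LocalAccountDenied {
    # True when local accounts are denied network logon on this policy.
    param([string[]]$InfLines)
    (Get-DenyNetworkLogonEntries -InfLines $InfLines) -contains $LocalAccountSid
}

# Constructed sample exports (not taken from any real workstation).
# S-1-1-0 = Everyone, S-1-5-32-544 = Administrators, S-1-5-32-546 = Guests.
$before = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    'SeDenyNetworkLogonRight = *S-1-5-32-546'
)
$after = @(
    '[Privilege Rights]',
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544',
    'SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-32-546'
)

"Local accounts denied network logon (before): $(Test-LocalAccountDenied $before)"
"Local accounts denied network logon (after):  $(Test-LocalAccountDenied $after)"

# On a live workstation, from an elevated prompt:
#   $cfg = Join-Path $env:TEMP 'rights.inf'
#   secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
#   Test-LocalAccountDenied (Get-Content $cfg)
```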