Restrict Logon to specific system

Recently, one of our vendors needed the ability to Remote Desktop, RDP, to a specific system in our environment. The vendor connects via Citrix and we only want them to be able to RDP to the one system.

Admittedly, there are as always multiple ways to accomplish this, and in this case I decided using the Active Directory account property of Log On To... in order to limit access.

To use this property, locate the user account in AD, right click and select properties. On the Account tab you will see the Log On To... button. Selecting the button will display the Logon Workstations window.

Select the radio button for "The following computers" and add the required systems.

Now, remember, Citrix is in the mix here. In addition to the systems on which you want the user to log on, you also need to add:

  • The server on which the Citrix RDP application is configured to run.
  • The Citrix servers configured to run the XML service, as it operates in the user's context.

Finally, if your Citrix environment is configured for multiple farms, you need to list the XML servers for each farm.
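The same Log On To... restriction can be set and verified from PowerShell, which is handy when the allowed list has to be kept in step with several Citrix farms. The script below is an added example, not from the original post; it assumes the RSAT ActiveDirectory module, rights to modify the vendor account, and placeholder names for the account and hosts. It writes the LogonWorkstations attribute (the value behind the Log On To... dialog), warns about any name that does not resolve to a computer object, and reads the result back.

```powershell
# Added example, not part of the original post. All account and host names are placeholders.
Import-Module ActiveDirectory

$vendorUser   = 'vendor.svc'      # placeholder sAMAccountName of the vendor account
$allowedHosts = @(
    'APPSRV01',                   # the one system the vendor is allowed to RDP to
    'CTXRDP01',                   # server on which the Citrix RDP application runs
    'CTXXML01', 'CTXXML02'        # XML service servers, one entry per farm
)

# LogonWorkstations expects NetBIOS computer names in a single comma-separated string.
$names = $allowedHosts | ForEach-Object { $_.ToUpper() } | Select-Object -Unique

# Sanity check: every name should be a real computer object, or the user will be
# locked out of that host instead of allowed onto it.
foreach ($n in $names) {
    if (-not (Get-ADComputer -Filter "Name -eq '$n'")) {
        Write-Warning "No computer object named $n was found in AD."
    }
}

# The ADUC dialog accepts at most 64 entries; stay within that limit.
if ($names.Count -gt 64) { throw "LogonWorkstations supports at most 64 computers." }

Set-ADUser -Identity $vendorUser -LogonWorkstations ($names -join ',')

# Read the attribute back and show the effective list.
$u = Get-ADUser -Identity $vendorUser -Properties LogonWorkstations
$u.LogonWorkstations -split ','
```

The restriction is enforced at interactive and remote-interactive (RDP) logon by the domain controller, so any host left off the list, including the Citrix servers the user's session passes through, will reject the logon with a "not allowed to log on at this workstation" style error; that is the symptom to look for when the vendor's test fails.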

Once you complete the above, have the user test and you should be happy with the results.
