I'm dealing with a policy that restricts shared Active Directory (AD) accounts to ensure we can audit access properly. However, there are times when exceptions are needed—especially in labs where multiple users manage instrumentation over extended periods.
Currently, we create these shared AD accounts and restrict their login to specific computers. This setup works well generally. The issue arises when lab managers want to monitor these systems remotely during long sampling analyses. We can give the shared account RDP access, but due to Network Level Authentication (NLA), the account must have login rights on both the local and remote systems for remote access to work. I dislike the idea of allowing this shared account to log into any system besides the instrumentation computers.
Has anyone encountered this problem before, and what solutions did you find?
4 Answers
Have you thought about just adding their AD account to the Remote Desktop Users group on the machines they need to access? It might simplify things a bit.
Exactly! We can't let the shared account log in to the source system; it's too risky.
Have you considered using AD-authenticated VNC or some other remote access software as a good alternative? It might work better without those NLA issues.
Since the machines might already be logged in with the shared account, using RDP would kick that session out. You could look into remote control software, like Ultra VNC. It supports domain groups and offers logging, which might fit your needs.
We have strict policies that limit remote access methods like RDP and SSH. We've had too many issues with third-party tools bypassing our security.
Any chances that RDP shadow could be a solution?
That's an interesting idea! I haven't tried RDP shadow before, so I'm curious about how it works.

That would be tricky due to NLA requirements. NLA checks for login rights on the local machine first, so the shared account needs access to both the local and remote systems, which is a problem.
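As an added example (not posted by anyone in this thread), the PowerShell below implements the setup the question describes and the first answer suggests: the shared account's LogonWorkstations attribute is limited to the instrumentation computers, the account is added to Remote Desktop Users only on those hosts, and RDP logons by the account are pulled from the Security log so the shared identity stays auditable. It assumes the RSAT ActiveDirectory module on the admin workstation and PowerShell Remoting on the instrumentation hosts; the account and computer names are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module on
# the admin workstation and PowerShell Remoting enabled on the instrumentation
# hosts. Account and host names below are placeholders.
Import-Module ActiveDirectory

$SharedAccount   = 'LAB-INSTR01-SVC'                   # placeholder shared account
$InstrumentHosts = @('INSTR-PC-01', 'INSTR-PC-02')     # placeholder computer names

# 1. Scope the account in the directory: the DC refuses interactive logon from any
#    workstation not in this list, whatever the local group membership elsewhere.
Set-ADUser -Identity $SharedAccount -LogonWorkstations ($InstrumentHosts -join ',')

# 2. Grant RDP only on the instrumentation hosts by adding the account to the
#    local Remote Desktop Users group there (no change on any other machine).
$domain = (Get-ADDomain).NetBIOSName
$member = "$domain\$SharedAccount"
Invoke-Command -ComputerName $InstrumentHosts -ScriptBlock {
    $existing = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                Where-Object Name -eq $using:member
    if (-not $existing) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $using:member
    }
}

# 3. Read the scope back so the change itself is recorded.
$user = Get-ADUser -Identity $SharedAccount -Properties LogonWorkstations
[pscustomobject]@{
    Account           = $user.SamAccountName
    LogonWorkstations = $user.LogonWorkstations
    RdpUsersOn        = ($InstrumentHosts -join ', ')
}

# 4. Audit: successful RDP logons (event 4624, logon type 10) for the shared
#    account on each host, with source address, so use of the shared identity
#    is attributable to a time and an origin. With NLA a type 3 logon precedes
#    the type 10 one; filtering on type 10 keeps one row per RDP session.
foreach ($h in $InstrumentHosts) {
    Get-WinEvent -ComputerName $h -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $SharedAccount -and $_.Properties[8].Value -eq 10 } |
        Select-Object TimeCreated,
                      @{ n = 'Host';     e = { $h } },
                      @{ n = 'SourceIP'; e = { $_.Properties[18].Value } }
}
```

Step 4 only reports events still present in each host's Security log; for long-running labs, forward 4624 to a collector so the history survives local log rollover.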