Domain Credential Usage With AD Connection

Hello,

I have a quick question:

We are using a domain credential connected to Active Directory, and since password rotation is enabled, it must remain synchronized with AD. This credential is also used across multiple devices.

The requirement is to allow normal users to use this credential to launch sessions on other devices, but without giving them the ability to start a session directly on the AD server. However, some users still need RDP access to the AD.

I considered two possible solutions:

  1. Add only an LDAP connection without RDP, but this won’t work since some users need RDP access to the AD.
  2. Create two separate credentials: one domain credential without RDP to the AD (for normal users) and another local/domain credential with RDP enabled (for those who require AD access).

I wanted to check if there might be a better approach to achieve this requirement.

Best regards,
Hassan

Hello!

Any idea?

Regards

Creating a separate credential for each user is a great solution. Here’s the simple version:

  1. One User, One Credential: Instead of a single shared credential, give each person their own unique login.
  2. Control Access: You can then decide exactly which devices each person can connect to with their specific login.
  3. Secure the AD Server: For the main Active Directory server, you only allow the specific users who need access to log in. Everyone else is blocked from it by default.

This way, everyone can do their job, but your important AD server stays secure and only accessible to those who absolutely need it.

Hi Hassan,

Thanks for reaching out!

In this case, since the credential needs to be managed and synchronized with the Active Directory, and considering that not all users should have RDP access to the AD server, both approaches you mentioned are valid alternatives. The best option will depend on your specific requirements and how you want to manage access control.

If you’d like to discuss the scenario in more detail and evaluate what fits best for your environment, feel free to open a ticket with our Support Team — we’ll be glad to assist further.

Best regards.

Thank you!