Appendix D: Securing Built-In Administrator Accounts in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In each domain in Active Directory, an Administrator account is created as part of the creation of the domain. This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group.

Use of a domain's Administrator account should be reserved for initial build activities and, possibly, disaster-recovery scenarios. To ensure that the Administrator account can be used to effect repairs in the event that no other accounts can be used, you should not change the default group membership of the Administrator account in any domain in the forest. Instead, you should secure the Administrator account in each domain in the forest as described in the following section and detailed in the step-by-step instructions that follow.

Note

This guide used to recommend disabling the account. That recommendation was removed because the forest recovery white paper makes use of the default Administrator account: it is the only account that allows logon without a Global Catalog server.

Controls for Built-in Administrator Accounts

For the built-in Administrator account in each domain in your forest, you should configure the following settings:

  • Enable the Account is sensitive and cannot be delegated flag on the account.

  • Enable the Smart card is required for interactive logon flag on the account.

  • Configure GPOs to restrict the Administrator account's use on domain-joined systems:

    • In one or more GPOs that you create and link to workstation and member server OUs in each domain, add each domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignments:

      • Deny access to this computer from the network

      • Deny log on as a batch job

      • Deny log on as a service

      • Deny log on through Remote Desktop Services

Note

When you add accounts to this setting, you must specify whether you are configuring local Administrator accounts or domain Administrator accounts. For example, to add the NWTRADERS domain's Administrator account to these deny rights, you must type the account as NWTRADERS\Administrator, or browse to the Administrator account for the NWTRADERS domain. If you type "Administrator" in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied.

We recommend restricting local Administrator accounts on member servers and workstations in the same manner as domain-based Administrator accounts. Therefore, you should generally add the Administrator account for each domain in the forest and the Administrator account for the local computers to these user rights settings. The following screenshot shows an example of configuring these user rights to block local Administrator accounts and a domain's Administrator account from performing logons that should not be needed for these accounts.

[Screenshot: Securing built-in Administrator accounts]

  • Configure GPOs to restrict Administrator accounts on domain controllers

    • In each domain in the forest, the Default Domain Controllers GPO or a policy linked to the Domain Controllers OU should be modified to add each domain's Administrator account to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignments:

      • Deny access to this computer from the network

      • Deny log on as a batch job

      • Deny log on as a service

      • Deny log on through Remote Desktop Services

Note

These settings ensure that the domain's built-in Administrator account cannot be used to connect to a domain controller remotely, although the account, if enabled, can still log on locally to domain controllers. Because this account should only be enabled and used in disaster-recovery scenarios, it is anticipated that physical access to at least one domain controller will be available, or that other accounts with permissions to access domain controllers remotely can be used.

  • Configure Auditing of Administrator Accounts

    When you have secured each domain's Administrator account and disabled it, you should configure auditing to monitor for changes to the account. If the account is enabled, its password is reset, or any other modifications are made to the account, alerts should be sent to the users or teams responsible for administration of Active Directory, in addition to incident response teams in your organization.
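The following script is an added example, not part of the original guide, showing one way to implement the monitoring described above: it reads a domain controller's Security log and returns the events that enable, reset or otherwise modify the built-in Administrator account, matched by its well-known RID 500 rather than by name. It assumes the ActiveDirectory module is available, that account management auditing is already enabled, and that it runs on (or is pointed at) a domain controller.

```powershell
# Added example (not from the original guide): list Security events on a domain
# controller that change the built-in Administrator (RID 500) account, so they
# can be forwarded to the AD administrators and incident response.
Import-Module ActiveDirectory

function Get-BuiltInAdminChangeEvents {
    param(
        # Domain controller whose Security log is queried (default: this machine,
        # so run the script on a DC or point it at one).
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$LookbackHours = 24
    )
    # Match on SID, not name: the account may have been renamed, but its RID is always 500.
    $adminSid = "$((Get-ADDomain).DomainSID.Value)-500"

    # Security events that change this account: 4722 account enabled,
    # 4724 password reset attempt, 4738 account changed, 4767 account unlocked.
    $meaning = @{ 4722 = 'Account enabled'; 4724 = 'Password reset attempt'
                  4738 = 'Account changed'; 4767 = 'Account unlocked' }
    $filter = @{
        LogName   = 'Security'
        Id        = @($meaning.Keys)
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetSid'] -eq $adminSid) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    What      = $meaning[$_.Id]
                    Target    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
}

# Every object returned here is a change to the built-in Administrator account
# and should trigger an alert; schedule this or feed it to your SIEM collector.
Get-BuiltInAdminChangeEvents | Format-Table -AutoSize
```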

Step-by-Step Instructions to Secure Built-in Administrator Accounts in Active Directory

  1. In Server Manager, click Tools, and click Active Directory Users and Computers.

  2. To prevent attacks that leverage delegation to use the account's credentials on other systems, perform the following steps:

    1. Right-click the Administrator account and click Properties.

    2. Click the Account tab.

    3. Under Account options, select the Account is sensitive and cannot be delegated flag as indicated in the following screenshot, and click OK.

      [Screenshot: Securing built-in Administrator accounts]

  3. To enable the Smart card is required for interactive logon flag on the account, perform the following steps:

    1. Right-click the Administrator account and select Properties.

    2. Click the Account tab.

    3. Under Account options, select the Smart card is required for interactive logon flag as indicated in the following screenshot, and click OK.

      [Screenshot: Securing built-in Administrator accounts]
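As an added example (not part of the original guide), the same two account flags can be applied to the built-in Administrator account of every domain in the forest from PowerShell and read back for confirmation. It assumes the ActiveDirectory module and Domain Admins rights in each domain; the function names are the example's own.

```powershell
# Added example (not from the original guide): set the "Account is sensitive and
# cannot be delegated" and "Smart card is required for interactive logon" flags on
# each domain's built-in Administrator account, then read them back.
Import-Module ActiveDirectory

function Set-BuiltInAdminFlags {
    param([switch]$WhatIf)   # pass -WhatIf to preview without changing anything

    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # RID 500 identifies the built-in Administrator even if it has been renamed.
        $adminSid = "$($domain.DomainSID.Value)-500"
        $dc       = $domain.PDCEmulator

        # Caveat: once SmartcardLogonRequired is set, password-based interactive
        # logon is refused, so enrol a smart card for this account before relying
        # on it for disaster recovery.
        Set-ADUser -Identity $adminSid -Server $dc `
                   -AccountNotDelegated $true `
                   -SmartcardLogonRequired $true `
                   -WhatIf:$WhatIf

        # Read the attributes back so the caller can confirm both flags are set.
        $after = Get-ADUser -Identity $adminSid -Server $dc `
                            -Properties AccountNotDelegated, SmartcardLogonRequired
        [pscustomobject]@{
            Domain                 = $domainName
            Account                = $after.SamAccountName
            AccountNotDelegated    = $after.AccountNotDelegated
            SmartcardLogonRequired = $after.SmartcardLogonRequired
        }
    }
}

Set-BuiltInAdminFlags | Format-Table -AutoSize
```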

Configuring GPOs to Restrict Domain-Level Administrator Accounts

Warning

This GPO should never be linked at the domain level, because it can make the built-in Administrator account unusable, even in disaster-recovery scenarios.

  1. In Server Manager, click Tools, and click Group Policy Management.

  2. In the console tree, expand \Domains\, and then Group Policy Objects (where is the name of the forest and is the name of the domain where you want to create the Group Policy).

  3. In the console tree, right-click Group Policy Objects, and click New.

    [Screenshot: Securing built-in Administrator accounts]

  4. In the New GPO dialog box, type , and click OK (where is the name of this GPO) as indicated in the following screenshot.

    [Screenshot: Securing built-in Administrator accounts]

  5. In the details pane, right-click , and click Edit.

  6. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and click User Rights Assignment.

    [Screenshot: Securing built-in Administrator accounts]

  7. Configure the user rights to prevent the Administrator account from accessing member servers and workstations over the network by doing the following:

    1. Double-click Deny access to this computer from the network and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  8. Configure the user rights to prevent the Administrator account from logging on as a batch job by doing the following:

    1. Double-click Deny log on as a batch job and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  9. Configure the user rights to prevent the Administrator account from logging on as a service by doing the following:

    1. Double-click Deny log on as a service and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  10. Configure the user rights to prevent the built-in Administrator (BA) account from accessing member servers and workstations via Remote Desktop Services by doing the following:

    1. Double-click Deny log on through Remote Desktop Services and select Define these policy settings.

    2. Click Add User or Group and click Browse.

    3. Type Administrator, click Check Names, and click OK. Verify that the account is displayed in \Username format as indicated in the following screenshot.

      [Screenshot: Securing built-in Administrator accounts]

    4. Click OK, and OK again.

  11. To exit Group Policy Management Editor, click File, and click Exit.

  12. In Group Policy Management, link the GPO to the member server and workstation OUs by doing the following:

    1. Navigate to \Domains\ (where is the name of the forest and is the name of the domain where you want to set the Group Policy).

    2. Right-click the OU that the GPO will be applied to and click Link an existing GPO.

      [Screenshot: Securing built-in Administrator accounts]

    3. Select the GPO that you created and click OK.

      [Screenshot: Securing built-in Administrator accounts]

    4. Create links to all other OUs that contain workstations.

    5. Create links to all other OUs that contain member servers.

Important

When you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain's Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type "Administrator" in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.
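Before walking through the manual logon tests, an added example (not from the original guide) shows how to confirm on a domain-joined computer that the four deny rights configured above have actually been applied to the domain's built-in Administrator account: it exports the effective user-rights assignments with the built-in secedit tool and checks each right for the RID 500 SID. It assumes an elevated PowerShell prompt on the member server or workstation; the function names are the example's own.

```powershell
# Added example (not from the original guide): verify that the effective
# user-rights assignments on this computer deny the domain's built-in
# Administrator (RID 500) the four logon types the GPO targets.
Add-Type -AssemblyName System.DirectoryServices

function Get-ComputerDomainSid {
    # SID of the computer's own domain, resolved without RSAT.
    $entry = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().GetDirectoryEntry()
    $bytes = $entry.Properties['objectSid'][0]
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Test-BuiltInAdminDenyRights {
    param([string]$DomainSid = (Get-ComputerDomainSid))
    $adminSid = "$DomainSid-500"

    # Privilege constants behind the four user rights the guide configures.
    $wanted = [ordered]@{
        SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
        SeDenyBatchLogonRight             = 'Deny log on as a batch job'
        SeDenyServiceLogonRight           = 'Deny log on as a service'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }

    # secedit writes an INF whose [Privilege Rights] lines look like
    #   SeDenyNetworkLogonRight = *S-1-5-21-...-500,*S-1-5-32-544
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf -Force

    foreach ($privilege in $wanted.Keys) {
        $line = $lines | Where-Object { $_ -match "^$privilege\s*=" } | Select-Object -First 1
        $principals = @()
        if ($line) {
            # Right-hand side is a comma-separated list of *SID (or name) entries.
            $principals = (($line -split '=', 2)[1] -split ',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
        [pscustomobject]@{
            Right     = $wanted[$privilege]
            Privilege = $privilege
            Applied   = [bool]($principals -contains $adminSid)
        }
    }
}

# Any row with Applied = False means the GPO is not linked to this computer's OU
# or has not refreshed yet (run gpupdate /force, then rerun this check).
Test-BuiltInAdminDenyRights | Format-Table -AutoSize
```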

Verification Steps

The verification steps outlined here are specific to Windows 8 and Windows Server 2012.

Verify "Smart card is required for interactive logon" Account Option
  1. From any member server or workstation affected by the GPO changes, attempt to log on interactively to the domain by using the domain's built-in Administrator account. After attempting to log on, a dialog box similar to the following should appear.

[Screenshot: Securing built-in Administrator accounts]

Verify "Account is disabled" Account Option
  1. From any member server or workstation affected by the GPO changes, attempt to log on interactively to the domain by using the domain's built-in Administrator account. After attempting to log on, a dialog box similar to the following should appear.

[Screenshot: Securing built-in Administrator accounts]

Verify "Deny access to this computer from the network" GPO Settings

From any member server or workstation that is not affected by the GPO changes (such as a jump server), attempt to access over the network a member server or workstation that is affected by the GPO changes. To verify the GPO settings, attempt to map the system drive by using the NET USE command by performing the following steps:

  1. Log on to the domain using the domain's built-in Administrator account.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type command prompt, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.

  4. When prompted to approve the elevation, click Yes.

    [Screenshot: Securing built-in Administrator accounts]

  5. In the Command Prompt window, type net use \\<Server Name>\c$, where <Server Name> is the name of the member server or workstation you are attempting to access over the network.

  6. The following screenshot shows the error message that should appear.

    [Screenshot: Securing built-in Administrator accounts]

Verify "Deny log on as a batch job" GPO Settings

From any member server or workstation affected by the GPO changes, log on locally.

Create a Batch File
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type notepad, and click Notepad.

  3. In Notepad, type dir c:.

  4. Click File and click Save As.

  5. In the Filename field, type .bat (where is the name of the new batch file).

Schedule a Task
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type task scheduler, and click Task Scheduler.

    Note

    On computers running Windows 8, in the Search box, type schedule tasks, and click Schedule tasks.

  3. In Task Scheduler, click Action, and click Create Task.

  4. In the Create Task dialog box, type (where is the name of the new task).

  5. Click the Actions tab, and click New.

  6. Under Action:, select Start a program.

  7. Under Program/script:, click Browse, locate and select the batch file created in the "Create a Batch File" section, and click Open.

  8. Click OK.

  9. Click the General tab.

  10. Under Security options, click Change User or Group.

  11. Type the name of the built-in Administrator (BA) account at the domain level, click Check Names, and click OK.

  12. Select Run whether the user is logged on or not and Do not store password. The task will only have access to local computer resources.

  13. Click OK.

  14. A dialog box should appear, requesting user account credentials to run the task.

  15. After entering the credentials, click OK.

  16. A dialog box similar to the following should appear.

    [Screenshot: Securing built-in Administrator accounts]

Verify "Deny log on as a service" GPO Settings
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as:, select This account.

  7. Click Browse, type the name of the built-in Administrator (BA) account at the domain level, click Check Names, and click OK.

  8. Under Password: and Confirm password:, type the Administrator account's password, and click OK.

  9. Click OK three more times.

  10. Right-click the Print Spooler service and select Restart.

  11. When the service is restarted, a dialog box similar to the following should appear.

    [Screenshot: Securing built-in Administrator accounts]

Revert Changes to the Print Spooler Service
  1. From any member server or workstation affected by the GPO changes, log on locally.

  2. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  3. In the Search box, type services, and click Services.

  4. Locate and double-click Print Spooler.

  5. Click the Log On tab.

  6. Under Log on as:, select Local System account, and click OK.

Verify "Deny log on through Remote Desktop Services" GPO Settings
  1. With the mouse, move the pointer into the upper-right or lower-right corner of the screen. When the Charms bar appears, click Search.

  2. In the Search box, type remote desktop connection, and click Remote Desktop Connection.

  3. In the Computer field, type the name of the computer that you want to connect to, and click Connect. (You can also type the IP address instead of the computer name.)

  4. When prompted, provide the credentials of the built-in Administrator (BA) account at the domain level.

  5. A dialog box similar to the following should appear.

    [Screenshot: Securing built-in Administrator accounts]