My Administrator user once in a while is getting locked-out by the workstations in our lab, due to failed logon attempts.
(While this is a problem that should be addressed, because it means there is something wrong with the techies' process, it's a small and less important one at the moment.)
My main problem is that the Administrator can authenticate from anywhere in the network.
I've tried using GPO ("Deny log on through Remote Desktop Services"), ADUC ("Log On To" list).
While he can't actually log on, the authentication is performed first and only then does the system check whether there is a GPO or an ADUC block, thus allowing the Administrator user to get locked out.
Of course this problem can apply to any user.
My Domain\Forest level is 2008r2, and I don't have a firewall between my LAN and my DC.
So, in short, I want to allow authentication attempts of the Administrator only from certain computers.
Any suggestions?
You cannot do this, unless you start blocking ports, which won't be limited to a specific user. Sorry. Think of it this way - a Windows system doesn't know who a connecting user is, until they authenticate.
Anyone can attempt to authenticate from any workstation. By way of analogy, you are trying to prevent the janitor from putting the wrong key in any door. The only way to prevent the janitor from doing so is to simply tell him which key goes in what door, but you can't stop him from trying without physically stopping him. I'm not sure why you brought up a firewall, but that's not going to help you either. What might help is not logging in as admin, but rather elevating into it. UAC can help with that.
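Since the origin of the attempts cannot be blocked per user, the practical defender step for the lockouts described in the question is to find which workstation is sending the bad credentials. The following PowerShell is an added example, not code from the thread; it assumes it runs on (or is pointed at) the PDC emulator, which records every lockout as event 4740 and NTLM validation failures as 4776, and that the caller has rights to read the Security log. The `$Account`, `$ComputerName` and `$Days` parameters are assumptions for illustration.

```powershell
# Added example (not from the thread). Assumes it runs on the PDC emulator
# (or -ComputerName points at it) with permission to read the Security log.
param(
    [string]$Account      = 'Administrator',   # account named in the question
    [string]$ComputerName = $env:COMPUTERNAME, # assumption: this host is the PDC emulator
    [int]$Days            = 7
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4776   # 4740 = account locked out, 4776 = NTLM credential validation
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the EventData fields by name instead of relying on positional indexes
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($_.Id) {
            4740 {
                # In 4740 the field named TargetDomainName carries the caller computer name
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Event   = 'Lockout'
                    Account = $data['TargetUserName']
                    Source  = $data['TargetDomainName']
                    Status  = ''
                }
            }
            4776 {
                # Keep only failures: 0xC000006A = bad password, 0xC0000234 = already locked out
                if ($data['Status'] -ne '0x0') {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        Event   = 'FailedAuth'
                        Account = $data['TargetUserName']
                        Source  = $data['Workstation']
                        Status  = $data['Status']
                    }
                }
            }
        }
    } |
    Where-Object { $_.Account -eq $Account } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Kerberos pre-authentication failures are logged as 4771 rather than 4776, so add that ID to the filter if the lab workstations authenticate with Kerberos.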