TS Policy Problem

[Simon Whittington]

Hi

I am trying to set up a SBS2K Server and allow users to log in normally from
their PC's on the domain AND log in to Terminal Services.

I have set up an OU and applied a group policy as recommended by Microsoft
to lock down access when in TS but when the user logs on to their PC the
same policy is applied which then gives them the specified desktop etc that
the policy states.

Is there a way around this so that the user can use the locked down TS
policy and have the normal full usage of their PC when they log in at their
desk?

Any help would be appreciated.

Thanks

Simon W

 

[stevta [MSFT]]

Put the TS machine in a new OU. Apply the policy you created to this OU.

Make sure to enable "loopback" for this policy.

Delete the link for the policy on the Domain container so it does not apply
to everything in the domain.

Essentially this policy is applied to the Terminal Server the user setting
is the policy will not apply when a user logs on because the policy is not
applied to them. By enabling loopback the policy will be applied to the
machine and re-applied when a new user logs on. This will apply the user
configuration settings to the user logging onto the box.

If you do a properties on the group policy you can explicitly "deny apply
group policy" permissions to the domain admins so if they logon they will
nto get the policy applied to them.This is called group policy filtering.