Active directory profiles

[Matthew Reed]

Hi,
Can anyone help me with the following problem.
I have a terminal server W2K where I have used active
directory to limit the users rights on the terminal
server. However I want the user to have full rights on his
W2K workstation. When the user logs onto his workstation
he recieves the same limitations as he does on the
terminalserver. How can I keep the limitations on the
terminalserver yet give him full access and a local
profile on hs workstation? I have sett up his workstation
as a workgroup member but this is no long term solution.

Any help would be appreciated!
Regards,
Matthew Reed

 

[Matjaz Ladava [MVP]]

Put that user into the local Administrators group on its workstation. This
will give them full control over their Workstation, but not over TS.

--
Regards

Matjaz Ladava, MCSE, MCSA, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

[Jimmy Harper [MSFT]]

Hi Matthew. To do this, we can use loopback processing for the terminal
server:

1. Put the Terminal Server in a different OU than the user accounts.
2. Create a group policy with the desired restrictions and link it to the
OU that the server is in. In this policy, enable the "User Group Policy
loopback processing mode" setting under Computer Configuration\Admin
Templates\System\Group Policy.
3. Now, any user that logs on to the Terminal Server will get the
restrictions from the policy. When the user logs on to machines that are
not in this OU, they will not get the policy (unless it is also linked to an
OU that the user is under).

For more information on loopback processing, see the following article:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;278295

If you want the user to have a separate roaming profile on the Terminal
Server, you can configure the user account for a Terminal Server profile
path in the properties for the user account in Active Directory.

Hope this helps.