Apply GPO only on logging on to Terminal Server

manualmaster

I have a Terminal Server with GPOs which is running fine. We are now
setting up new users in the same domain as the TS.
When a user logs on to a desktop PC, the policy from the TS is set.
This is not what I want as this policy is far too tight for working on
desktops.

I have tried setting my TS server in a special OU in order to use
loopback. However, placing my TS in another OU results in problems
with other servers/programs as my TS is also a DC.

How can I achieve that the already available GPO on the TS is not
applied to the user when he/she logs on to a desktop?
Regards, Hugo
 
Cary Shultz [A.D. MVP]

Hugo,

This is a rather common setup. What you need to do is to look into GPO with
Loopback processing. You would probably want Replace Merge. Please take a
look at the following MSKB Article:

http://support.microsoft.com/?id=278295

I would use the above MSKB Article as a starting point.

It looks like you might have already tried this. There is a security risk
when you run Terminal Services in Application Mode on a Domain Controller
and it is N O T recommended to do this. I would suggest that you get a
second Server, make it a Member Server and install TS on that. I understand
that this might not be financially feasible, though.

What other issues are you experiencing? Technically speaking, there should
not be any problems with moving the computer account object from the Domain
Controllers OU to another OU. Now, in the same breath I will say that I do
not recommend doing that, either.

HTH,

Cary


PS. How many total users do you have in your environment and how many will
make use of Terminal Services? How many Domain Controllers do you have?
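
The loopback setting discussed in this reply can be configured and verified as in the following added example, which is not part of the original thread. It assumes the GroupPolicy PowerShell module (RSAT) and a terminal server that is a member server in its own OU; the GPO name `TS-Loopback` and the OU distinguished name are hypothetical.

```powershell
# Added example; the GPO name and OU distinguished name are hypothetical.
Import-Module GroupPolicy

$GpoName   = 'TS-Loopback'                            # hypothetical GPO name
$TargetOu  = 'OU=Terminal Servers,DC=example,DC=com'  # hypothetical OU holding only the TS
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$Modes     = @{ 1 = 'Merge'; 2 = 'Replace' }          # meanings of UserPolicyMode

# Create the GPO only if it does not exist yet, so the script can be re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Loopback (Replace) for terminal servers' | Out-Null
}

# Computer-side setting "Configure user Group Policy loopback processing mode".
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Link the GPO to the terminal-server OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the value back from the GPO and report the configured mode.
$set = Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserPolicyMode'
"GPO '$GpoName' loopback mode: $($Modes[[int]$set.Value])"

# Run on the terminal server after 'gpupdate /force' to confirm the setting arrived.
function Get-EffectiveLoopbackMode {
    $path = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $path -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disabled' }
    $mode = $Modes[[int]$item.UserPolicyMode]
    if ($mode) { return $mode } else { return 'Disabled' }
}
Get-EffectiveLoopbackMode
```

With loopback in Replace mode, the restrictive user settings belong in a GPO linked to that same terminal-server OU rather than to the users' OU, so they no longer follow users to their desktops.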
 
manualmaster

Cary,

Thanks, I will try your advice regarding GPO and loopback some evening
this week although I have been working on loopback already. Maybe I
have missed a setting or action somewhere.
We are working on an extra server in order to split the DC and TS.

The issue I had after placing the TS server in another OU was a
problem with Exchange on a second server. Exchange stopped working
because it could not find the replaced server anymore. I do not know
the exact eventlog messages. I did not pay much attention to this to
figure out what was going on. I have returned the TS server to its
original place in the AD and after a few minutes Exchange was working
fine. So, I concluded moving the TS to another OU is not possible.

I have 25 users in the domain and they all will make use of both TS
as well as desktop PCs.

Regards, Hugo
 
Cary Shultz [A.D. MVP]

Hugo,

Thanks for the update. Moving a Domain Controller out of the Domain
Controllers OU is not something that I ever recommend doing, although there
is not supposed to be any problem doing it!

Glad that things are working again and good luck on getting that second
server. For 25 users I can understand the reluctance to have two servers.
Did you consider using Small Business Server 2000? This might have been the
way to go. With SBS2000 you can run everything on the one server ( although
it is still not a good idea to run TS on a Domain Controller!!!! ). In
fact, with SBS2003 you can no longer run TS on that SBS box - you need a
second server!

HTH,

Cary
