Configuring a Group Policy for Terminal Users

Guest

I have a single Win2k server running Terminal Services and it also supports a
small LAN. Is there a way to configure a GP so that just the TS users cannot
see the local drives when they login?

I'd like for this GP to only be effective for the remote users.
 
Vera Noest [MVP]

Yes, this is done by using the "loopback processing" option in the
GPO, with the "Replace" option.

Put the TS machine account (and *not* the user accounts) in a
separate OU, link the restrictive GPO to that OU and configure
loopback processing. Also make sure that you deny administrators
the right to "Apply this policy", otherwise you are locking down
yourself as well.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

315675 - HOW TO: Keep Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows 2000
http://support.microsoft.com/?kbid=315675

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Guest

Thanks for the info. My remote users work from home and various places,
therefore I do not know their TS machine accounts. Since these users work
remotely only, is there any harm in placing their user accounts in the
separate OU?
 
Vera Noest [MVP]

You should *NOT* put the user accounts in the OU, but the computer
account of the Terminal Server itself! That's what I meant with
the TS machine account.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
 
Guest

Ok. What are the ramifications of placing user accounts in the OU? (Just for
my curiosity)
 
Vera Noest [MVP]

That the GPO applies to the users wherever they log on, even on
their own workstation.

So if you hide the local drives on the TS, you also hide the local
drives on their clients.

Your users are *not* going to like this, I promise you :)

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
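
The difference between the two placements discussed above (restrictive GPO on the Terminal Server's computer OU with loopback "Replace" and administrators denied "Apply Group Policy", versus the same GPO on the users' OU) can be modelled in a few lines. This is an added example, not part of the original thread and not Microsoft's implementation; the GPO names, the `hide_local_drives` setting name and the assumption that the user's workstation is a domain member are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict                  # hypothetical setting names, not real policy keys
    loopback: str = ""                   # "", "merge" or "replace"
    deny_apply: set = field(default_factory=set)  # groups denied "Apply Group Policy"

def effective_user_policy(user_groups, user_ou_gpos, computer_ou_gpos):
    """User settings in force for one logon; GPO lists are lowest precedence first."""
    mode = ""
    for gpo in computer_ou_gpos:         # loopback mode comes from the computer's policy
        mode = gpo.loopback or mode
    if mode == "replace":
        gpo_list = list(computer_ou_gpos)            # user's own GPOs are ignored
    elif mode == "merge":
        gpo_list = list(user_ou_gpos) + list(computer_ou_gpos)  # computer's GPOs win conflicts
    else:
        gpo_list = list(user_ou_gpos)                # normal processing
    result = {}
    for gpo in gpo_list:
        if gpo.deny_apply & set(user_groups):
            continue                     # Deny on "Apply Group Policy": GPO is skipped
        result.update(gpo.user_settings)
    return result

# Constructed sample GPOs (names and settings are assumptions for this example).
TS_LOCKDOWN = GPO("TS-Lockdown", {"hide_local_drives": True},
                  loopback="replace", deny_apply={"Administrators"})
USER_LOCKDOWN = GPO("Remote-Users-Lockdown", {"hide_local_drives": True})

def scenarios():
    user, admin = ["Domain Users"], ["Domain Users", "Administrators"]
    return {
        # GPO linked to the OU holding the Terminal Server's computer account
        "loopback: user on TS": effective_user_policy(user, [], [TS_LOCKDOWN]),
        "loopback: user on workstation": effective_user_policy(user, [], []),
        "loopback: admin on TS": effective_user_policy(admin, [], [TS_LOCKDOWN]),
        # GPO linked to the OU holding the user accounts instead
        "user OU: user on TS": effective_user_policy(user, [USER_LOCKDOWN], []),
        "user OU: user on workstation": effective_user_policy(user, [USER_LOCKDOWN], []),
    }

if __name__ == "__main__":
    for label, policy in scenarios().items():
        print(f"{label:32} {policy}")
```
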
 
Guest

I cannot locate the computer account for the TS machine! When I go to the AD
for Users and Computers the only object I find for the computer is that of
the DC, which makes sense because this is a single server network. The only
option I have is to Move the object to the OU and of course I wouldn't want
to do that. What am I doing wrong? Please advise.
 
Vera Noest [MVP]

I'm sorry, my fault. I missed the fact that you are running TS on
your DC.
Then there's nothing that you can do.
Use NTFS permissions to secure your server as best you can, but
this is inherently an *unsafe* setup.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
 
TP

If your remote users ONLY log on from remote PCs that are
not a member of your domain, then place their accounts in
a separate OU. This will allow you to create a restrictive
GP object that will only apply to them. DO NOT move
your DC to this OU, it is only for your remote user accounts.

You should make the NTFS permissions on your DC more
restrictive than default as well. Be careful with this because
if you change the permissions incorrectly you could cause
things to stop functioning.

Strongly consider preventing access to IE, email programs,
Instant Messaging, Video playback, etc.

Thanks.

-TP
 
