Mydaj,
I might suggest that you take a look at the posting that I made in the
Terminal Services.Apps NewsGroups about this. For your convenience I have
copied the content for you. I hope that this will clarify the situation for
you!
=======================================================================
Yvonne,
What I would do is to do this:
1) install WIN2000 Server as a Member Server on a server-class machine that
has the hardware to handle your load
2) create an OU called TermServer - or whatever makes sense for you - and
move that machine account object into
this OU ( by default the computer account object will be located in the
Computers Container )
3) Install Terminal Services in Application Mode
4) Follow Patrick's suggestion on locking down the C:\ folder and the
C:\Program Files folder
5) Follow MSKB Article 278295 to create a group policy that you apply to the
OU 'TERMSERVER'. You will use the Group Policy - Loopback in replace mode
( most probably what you would want; merge mode it the other choice )
6) Follow MSKB Article 315675 to avoid locking down the Administrator
account on the TS ( essentially what you do is remove the 'Authenticated
Users' security group and replace it with a security group that you create
which will hold all of the user account objects that will connect to the
TS )
7) Install your applications.....you may need to relax the permissions that
you set in step 4 a bit on certain folders. For example, I have found that
installing MS Office from an Administrative Installation Point works just
fine with the permissions as set by step 4 - as does Adobe Acrobat Reader
and a slew of other applications. However, that might not be the case for
every application.
8) follow Tip 0851 from JSIInc (
http://www.jsiinc.com ) to create a TS
specific logon-script if this is appropriate( thus, your users will have
two logon scripts: one when the logon to their pcs and one when they connect
to the TS ).
I might suggest that you follow 278295 but play with it for a bit. For
example, you have to install all of the software that you want installed
before you enable the 'Disable Windows Installer' and set it to 'Always'.
You will also want to have created four separate folders for the
Redirection. Do not put them all in the same folder...this could end up
being a mess. I like to use \\servername\appdata\%username% for the
Application Data, \\servername\desktop\%username% for the Desktop and
\\servername\start\%username% for the Start Menu. You need to be careful
with the My Documents redirection. If you make use of this for their
'normal' logon you will want to ensure that you redirect their TS Connection
My Documents folder to the same location....
You might want to play with the 'Remove Common Program Groups from the Start
Menu'. I like this to be enabled so that the Office stuff ( as well as
other applications ) shows up. You can simply modify the permissions on the
'Administrative Tools' so that only the Administrators group has access to
it!
Now, to answer your question:
When you invoke the Group Policy in Loopback mode / Replace what you are
doing is telling AD to forget about the normal flow of Group Policies (
first any GPOs that are linked to the OU in which that particular computer
account object is located are applied at start up and then any GPOs that are
linked to the OU in which that particular user account object is located are
applied at logon ). What happens in this mode ( replace ) is that the
policies that affect the computer side configuration are applied ( based on
the policies linked to the OU in which the computer account object resides )
while the policies that affect the user side configuration are completely
ignored ( based on the policies linked to the OU in which the user account
object resides ). As you can see from 278295 you are configuring both
computer side as well as user side configuration settings!
Does this big mess help explain things to you?
HTH,
Cary
=========================================================================
If this does not clarify things for you then please let us know!
Just keep in mind that GPOs adhere to the following flow: Computer
Configuration from local, Site, Domain then OU - User Configuration from
local, Site, Domain then OU.
Cary
