Personally, I would never do this, and until recently I believed
that it would break things like replication. But a couple of months
ago someone else asked the same question, and it turned out that it
is actually possible.
But I don't think that there is much to gain by this.
The whole idea of putting the TS in a separate OU is to be able to
apply a GPO to the TS only, not to the other servers in the domain.
If you have a single server, then there seems to be no point in
moving it.
Combining the DC role with the TS role is *not* recommended, partly
for this reason. You are severely limited in how you can secure
the TS, and you will have all of your users using the DC as their
personal workstation.
I'd rather combine DC + Print or File Server, and make the TS a
dedicated TS. You'll be much happier!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
"dunjindude"
<dunjindude@discussions.microsoft.com> wrote on 23 jun 2005 in
microsoft.public.win2000.termserv.clients:
> Vera (or anybody else who would like to reply),
>
[quoted text clipped - 21 lines]
>
> Dean
dunjindude - 28 Jun 2005 14:04 GMT
So for a follow-up question then Vera,
I don't see that I will be able to dedicate a server for TS at this point in
time. Just not enough people will be using it and we have limited resources.
I will have three different systems that will be able to use RDP or the TS
Client to access the TS and there will only be one program that is used via
TS. If I am not able to use an OU with a separate GPO to help lock down the
server, what would you suggest be the next course of action to try and secure
the system at least a little (and if possible, take away the ability of the
clients to see the server drives or at least make it more difficult for them
to see the drives)?
Thanks again Vera!
> Personally, I would never do this, and until recently I believed
> that it would break things like replication. But a couple of months
[quoted text clipped - 48 lines]
> >
> > Dean
Vera Noest [MVP] - 28 Jun 2005 20:52 GMT
You will have to use NTFS permissions on the file system to keep
your users away from the system files.
If they will only run a single application, configure this app as
the starting application. That way, users will never see the
desktop of the server. But note that this in itself is *not* enough
to secure your server. If the application has a function to save
files, users will still see the server's file system in the Save
As... dialog box of the application.
You could also experiment with the "hide drives in my computer"
setting in a GPO, but make sure that any such restrictive GPO does
*not* apply to Administrators. Otherwise there's a considerable
risk of shutting yourself out.
816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100
I'm sorry, but I have no more detailed advice to give, since I've
never done this. Just be very careful before applying any
restrictions, and make sure that you have a recent image of the
server, in case anything goes wrong.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
"dunjindude"
<dunjindude@discussions.microsoft.com> wrote on 28 jun 2005 in
microsoft.public.win2000.termserv.clients:
> So for a follow up question then Vera,
>
[quoted text clipped - 66 lines]
>> >
>> > Dean
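
The NTFS-permission advice in the reply above can be checked with a short audit that lists which non-administrative principals are allowed to change content under system locations. This is an added example, not part of the original thread; the path list, the trusted-SID list and the decision to skip service SIDs are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Lists NTFS "Allow" entries that let
# non-administrative principals change content under system locations.
# Assumptions: the path list and the trusted SIDs below are illustrative.
$paths = @($env:SystemRoot, "$env:SystemRoot\System32", $env:ProgramFiles)

$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER
)

# Rights that allow modifying, deleting or re-permissioning files.
$writeRights = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]$writeRights
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped
# in inherit-only entries, so they are tested separately.
$genericMask = 0x50000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    # Ask for SIDs directly so localized or unresolved names do not matter.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        if ($sid -like 'S-1-5-80-*') { continue }  # assumption: service SIDs are trusted
        $raw = [int]$rule.FileSystemRights
        if ((($raw -band $writeMask) -ne 0) -or (($raw -band $genericMask) -ne 0)) {
            # Resolve a display name where possible; fall back to the SID.
            try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }
            [pscustomobject]@{
                Path      = $path
                Account   = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable entries for non-administrative principals were found.' }
```

Run it from an elevated prompt on the server. Each row it prints is an entry to review before relying on a starting application or a hide-drives policy.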