Windows Server Forum / Windows 2000 / Terminal Services / October 2005


Configuring a Group Policy for Terminal Users

bernardl - 23 Oct 2005 19:02 GMT
I have a single Win2k server running Terminal Services and it also supports a
small LAN. Is there a way to configure a GP so that just the TS users cannot
see the local drives when they login?

I'd like for this GP to only be effective for the remote users.
Vera Noest [MVP] - 23 Oct 2005 22:30 GMT
Yes, this is done by using the "loopback processing" option in the
GPO, with the "Replace" option.

Put the TS machine account (and *not* the user accounts) in a
separate OU, link the restrictive GPO to that OU and configure
loopback processing. Also make sure that you deny administrators
the right to "Apply this policy", otherwise you are locking down
yourself as well.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

315675 - HOW TO: Keep Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows 2000
http://support.microsoft.com/?kbid=315675

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"bernardl" <bernardl@discussions.microsoft.com>
wrote on 23 Oct 2005 in microsoft.public.win2000.termserv.clients:

> I have a single Win2k server running Terminal Services and it
> also supports a small LAN. Is there a way to configure a GP so
> that just the TS users cannot see the local drives when they
> login?
>
> I'd like for this GP to only be effective for the remote users.
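The procedure above, scripted as an added example (this is not code from the thread or from the MVP): a separate OU holding only the terminal server's computer account, a restrictive GPO linked to that OU, loopback processing in Replace mode, the user-side "hide drives" setting, and a Deny "Apply Group Policy" entry for administrators. It uses the GroupPolicy and ActiveDirectory PowerShell modules (GPMC on a current Windows Server), so it is the same design on newer tooling rather than a Windows 2000 script. The computer name TS01, the OU name "Terminal Servers", the GPO name "TS Lockdown" and the use of "Domain Admins" as the excluded group are assumptions; the terminal server is assumed not to be a domain controller.

```powershell
# Added example, not from the thread. Assumed names: computer TS01, OU "Terminal Servers",
# GPO "TS Lockdown", excluded group "Domain Admins". The TS must not be a DC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$ouName   = 'Terminal Servers'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'TS Lockdown'
$tsName   = 'TS01'
$adminGrp = "$($domain.NetBIOSName)\Domain Admins"

# 1. OU that holds only the terminal server's computer account. User accounts never go
#    here: a GPO that applies to users follows them to their own workstations as well.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
$ts = Get-ADComputer -Identity $tsName
if ($ts.DistinguishedName -notlike "*,$ouDN") {
    Move-ADObject -Identity $ts.DistinguishedName -TargetPath $ouDN
}

# 2. The restrictive GPO, linked to that OU (not to any OU containing users).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }

# 3. Loopback processing in Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
#    This is a computer-side setting, so the TS's OU membership is what triggers it.
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 2 `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' | Out-Null

# 4. User-side settings applied to whoever logs on to the TS: hide all drive letters in
#    Explorer and block browsing to them (bitmask 0x3FFFFFF covers A: through Z:).
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($v in 'NoDrives', 'NoViewOnDrive') {
    Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName $v -Type DWord -Value 0x3FFFFFF | Out-Null
}

# 5. Deny administrators "Apply Group Policy" so the lockdown does not catch them.
#    Set-GPPermission only writes Allow entries, so the Deny ACE goes in with dsacls
#    on the GPO's container object under CN=Policies.
$gpoDN = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"
dsacls $gpoDN /D "${adminGrp}:CA;Apply Group Policy" | Out-Null

# 6. Show the resulting delegation so the Deny entry can be reviewed.
Get-GPPermission -Name $gpoName -All |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied -AutoSize
```

After running it, refresh policy on the terminal server (`gpupdate /force`) and check from a test user's TS session with `gpresult /scope:user /r` that "TS Lockdown" is listed under applied user objects, then check from an administrator's session that it is filtered out. Test with a non-privileged account first: because the user settings come from the computer's GPO list, every account that logs on to the TS is affected unless its Apply right is denied.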
bernardl - 24 Oct 2005 01:09 GMT
Thanks for the info. My remote users work from home and various places,
therefore I do not know their TS machine accounts. Since these users work
remotely only, is there any harm in placing their user accounts in the
separate OU?

> Yes, this is done by using the "loopback processing" option in the
> GPO, with the "Replace" option.
[quoted text clipped - 27 lines]
> >
> > I'd like for this GP to only be effective for the remote users.
Vera Noest [MVP] - 24 Oct 2005 15:54 GMT
You should *NOT* put the user accounts in the OU, but the computer
account of the Terminal Server itself! That's what I meant with
the TS machine account.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"bernardl" <bernardl@discussions.microsoft.com>
wrote on 24 Oct 2005:

> Thanks for the info. My remote users work from home and various
> places, therefore I do not know their TS machine accounts. since
[quoted text clipped - 34 lines]
>> > I'd like for this GP to only be effective for the remote
>> > users.
bernardl - 25 Oct 2005 01:40 GMT
Ok. What are the ramifications of placing user accounts in the OU? (Just for
my curiosity)

> You should *NOT* put the user accounts in the OU, but the computer
> account of the Terminal Server itself! That's what I meant with
[quoted text clipped - 47 lines]
> >> > I'd like for this GP to only be effective for the remote
> >> > users.
Vera Noest [MVP] - 25 Oct 2005 11:02 GMT
That the GPO applies to the users wherever they logon, even on
their own workstation.

So if you hide the local drives on the TS, you also hide the local
drives on their clients.

Your users are *not* going to like this, I promise you :-)

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"bernardl" <bernardl@discussions.microsoft.com>
wrote on 25 Oct 2005:

> Ok. What are the ramifications of placing user accounts in the
> OU? (Just for my curiousity)
[quoted text clipped - 50 lines]
>> >> > I'd like for this GP to only be effective for the remote
>> >> > users.
bernardl - 28 Oct 2005 04:06 GMT
I cannot locate the computer account for the TS machine! When I go to the AD
for Users and Computers the only object I find for the computer is that of
the DC, which makes sense because this is a single server network. The only
option I have is to Move the object to the OU and of course I wouldn't want
to do that. What am I doing wrong? Please advise.

> That the GPO applies to the users whereever they logon, even on
> their own workstation.
[quoted text clipped - 67 lines]
> >> >> > I'd like for this GP to only be effective for the remote
> >> >> > users.
Vera Noest [MVP] - 28 Oct 2005 13:00 GMT
I'm sorry, my fault. I missed the fact that you are running TS on
your DC.
Then there's nothing that you can do.
Use NTFS permissions to secure your server best as you can, but
this is inherently an *unsafe* setup.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"bernardl" <bernardl@discussions.microsoft.com>
wrote on 28 Oct 2005:

> I cannot locate the computer account for the TS machine! When I
> go to the AD for Users and Computers the only object I find for
[quoted text clipped - 75 lines]
>> >> >> > I'd like for this GP to only be effective for the
>> >> >> > remote users.
TP - 31 Oct 2005 16:50 GMT
If your remote users ONLY logon from remote PCs that are
not a member of your domain, then place their accounts in
a separate OU.  This will allow you to create a restrictive
GP object that will only apply to them.  DO NOT move
your DC to this OU, it is only for your remote user accounts.

You should make the NTFS permissions on your DC more
restrictive than default as well.  Be careful with this because
if you change the permissions incorrectly you could cause
things to stop functioning.

Strongly consider preventing access to IE, email programs,
Instant Messaging, Video playback, etc.

Thanks.

-TP

> Thanks for the info. My remote users work from home and various
> places, therefore I do not know their TS machine accounts. since
> these users work remotely only, is there any harm in placing their
> user accounts in the separate OU?