kkiedrowski asked:

2000 terminal server policies

I would like to restrict a user who will terminal in from home so that they cannot see the local drives of the server.
However, if I make this change to their group policy they are not able to see their local drives on their XP client when they are in the office and logged onto their desktop.
Is there a way that a policy can be applied only when they terminal in?
Someone mentioned the loopback policy but I am not sure this won't mess up the other terminal clients.
ASKER CERTIFIED SOLUTION
oBdA

ASKER

I am close.
The only problem is that in order to get this to work I need to move the user into the OU that I created. This then hides the local drives.
What am I missing?
I mean the local drives when they log into another computer, not just the terminal.
oBdA

You can leave the user in his regular OU where no (or another set of) policies apply; that's the whole point of the loopback processing.
You only have to create a separate OU for your TS and move only your TS machines in there, enable the loopback processing in a GPO (for that OU only), then create additional GPOs for the user settings. Those will apply (only) to users logging on to the Terminal Server, even though the users are not in that OU.
Note that you can *not* use the GPO in which you enabled the loopback processing to specify the user settings as well; you have to create a separate GPO.

ASKER

I have done this and I cannot get the user setting on the new GPO that I created for user settings to apply to the user unless they are in that OU. I figure I am missing something in terms of policy inheritance or something but I believe I have tried all the options.
Just to verify:

I have an OU called Terminal Test
I moved my terminal server in there
I created a security group called testterm and have that in the OU as well
I added the test user account to this security group
I created a GPO with the only setting changed being the loopback option
I created a second GPO to hide the drives.
On the security for both of these policies I removed the apply policy from Authenticated users and put it on the security group I created

oBdA

That's the error: "On the security for *both* of these policies I removed the apply policy from Authenticated users and put it on the security group I created". Currently, you excluded the Terminal Server from applying the loopback processing GPO. In the machine GPO, you can leave the default security settings (I should have stated that more clearly, I guess). The other possibility would be to add the machine account of your Terminal Server to the group as well, but in that case, it would complicate things.
Btw: Your security group can reside in any OU, it doesn't need to be in the TS OU. It can of course stay there, but if you have a separate OU for your groups, you can move it there.

ASKER

That was it. Thanks for all the help.
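
The working configuration the thread arrives at, written as an added example with the GroupPolicy PowerShell module (not code posted by either participant): loopback GPO with default security filtering, separate user GPO filtered to the group. The OU and group names come from the thread; the domain DN, both GPO names, the Merge loopback mode and the `NoDrives` value are assumptions.

```powershell
# Added example. Requires the GroupPolicy module (GPMC/RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$tsOu        = 'OU=Terminal Test,DC=example,DC=com'  # OU name from the thread; domain DN is a placeholder
$group       = 'testterm'                            # security group from the thread
$loopbackGpo = 'TS Loopback'                         # hypothetical GPO name
$userGpo     = 'TS Hide Drives'                      # hypothetical GPO name

# 1. Machine GPO: its only setting is loopback processing.
#    Security filtering is left at the default so the Terminal Server's
#    computer account can apply it. Filtering this GPO to a user-only group
#    was the mistake identified in the thread.
New-GPO -Name $loopbackGpo | Out-Null
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null   # 1 = Merge, 2 = Replace (Merge assumed)
New-GPLink -Name $loopbackGpo -Target $tsOu | Out-Null

# 2. Separate user GPO carrying the drive restriction, linked to the same OU.
#    NoDrives is a bitmask (A=1, B=2, C=4, ...); 4 hides C: only (constructed sample value).
New-GPO -Name $userGpo | Out-Null
Set-GPRegistryValue -Name $userGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 4 | Out-Null
New-GPLink -Name $userGpo -Target $tsOu | Out-Null

# 3. Filter ONLY the user GPO to the group. Authenticated Users is reduced
#    to Read (not removed), and the group gets Apply.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Check: list who can apply each GPO. The loopback GPO must show a trustee
#    that includes the Terminal Server computer account (by default,
#    Authenticated Users); the user GPO should show only the group.
foreach ($name in $loopbackGpo, $userGpo) {
    Get-GPPermission -Name $name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Gpo'; e = { $name } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```

After the next policy refresh on the Terminal Server, `gpresult /r` run in the test user's session there should list the user GPO as applied, and the same command on the user's office desktop should not.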