brigante

asked on

TERMINAL SERVER WINDOWS 2000 USER POLICIES

I have configured a Windows 2000 Server and joined it to an existing Windows NT Domain, hence Active Directory has not been set up.  I have configured terminal server in application mode (without licence server) in order to try out this feature.  I successfully connect using a client but I would like to restrict access for this user as he is able to use Internet Explorer, and any other apps on the server running TS.  I have looked into Domain Group Policies but this is not running Active Directory and I do not want the changes to affect the user's local machine, only his TS session.  With local server policies the changes applied affect the Administrator as well as the users.  Any information would be greatly appreciated.
ASKER CERTIFIED SOLUTION
nader alkahtani
brigante

ASKER

Nadir,

Thank you for your prompt response to my question.  The extensive information you provide has helped me understand how Group Policies should be set up with an Active Directory Domain, which I plan to implement soon.  At present though I have the TS server within an NT4.0 Domain so Active Directory will not be set up on the Terminal Services Server.  This unfortunately means that the solution you provide via Active Directory Users and Computers cannot be implemented.  I have applied basic local server policy restrictions so that users cannot see Start - Programs,  icons on desktop etc.  But they do have access to the Start - Run so they can run pretty much anything.  The most annoying thing about this is that it affects the Administrator, so if I need to access programs from the start menu I have to remove the policies temporarily.

Thanks again for your efforts!  If you can think of anything else I would be very grateful.
Howdy mate, here is my suggestion, alas it's not gonna be worded quite as well as Nadir's as this is just streaming from memory, but here we go.  Basically the scenario you're describing is the same as when I first installed TS here at Princess Yachts.

Ok so based on the fact that you don't have an active directory we'll be using the NT4 System Policy Editor instead (POLEDIT.EXE).  You might wanna pull down some extra template (ADM) files off the NT4 resource kit for customising the look of your 'exported desktop'.

The basic gist of it is to add/create a group within POLEDIT that's a Global group on your NT4 domain.  You can then apply your 'desktop' settings to a selected group of user(s).
Log onto your server as an administrator account, customise your applications, settings in Word and whatever just the way you want them.  Then log off as the account and log back onto the server as another administrator account. Create a folder on a shared resource (this can be in your NETLOGON folder on your DC as it needs to be read-only to users).  Right-click on My Computer, go into user profiles and 'copy' the profile of the administrator user account you've just customised to the folder on NETLOGON (make sure you've changed the permission so you as a Domain Admin can write to the locale).  When you've exported the profile, navigate to that location and rename the NTUSER.DAT file to NTUSER.MAN.

Now you can load up POLEDIT again, add your 'group' for Domain admins and remove ticks from the options to block inheritance of your 'lock-down' policy that you're gonna apply to your TS users.  Then as I mentioned before create the group for the TS users and customise the policy.

In User Manager for Domains set the TS user profile path to the location where you've exported the profile to.  You might wanna share this location so the path is a bit shorter, also 'cos you need to specify this path in POLEDIT and there is a finite restriction on how long it can be.  If you also create a share for the desktop, and change the permissions you can stop users from creating their own shortcuts... bit draconian... but there you go.

The only thing remaining is to save your POLEDIT policy file to NETLOGON, and then load up POLEDIT on your TS box, and set the policy path to \\pdc\netlogon\ts.pol (or bdc). Alas, you can't use %logonserver% in this field.

Sorry that this is so wordy, it's a bit of a ramble-a-thon... but what the hell.  Perhaps it'll help you out, or you'll just have a laugh at the strange and confused way that I first set up TS here... it does make sense... well to me anyway. And it worked for 100 users for 3 years until I upgraded the domain to Active Directory earlier this year.

Good luck.

Dan.
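
A batch check for the setup Dan describes, added here as an example and not part of anyone's post in this thread. It assumes the profile was exported to a share named `\\pdc\netlogon\tsprofile` (a hypothetical name), that `reg.exe` is available on the TS box, and that the policy path set in POLEDIT is stored in the Remote Update values `UpdateMode` and `NetworkPath` under `HKLM\SYSTEM\CurrentControlSet\Control\Update`.

```batch
@echo off
rem Added example, not from the thread: audits the mandatory-profile and
rem policy-path setup on the Terminal Server.
rem Assumptions: PROFILE_DIR is a hypothetical share name; POLICY_FILE is the
rem path given in the post; reg.exe is installed on this machine.
setlocal
set PROFILE_DIR=\\pdc\netlogon\tsprofile
set POLICY_FILE=\\pdc\netlogon\ts.pol
set UPDATE_KEY=HKLM\SYSTEM\CurrentControlSet\Control\Update
set FAILED=0

rem 1. The profile is only mandatory if the hive is named NTUSER.MAN.
if not exist "%PROFILE_DIR%\NTUSER.MAN" (
    echo FAIL: NTUSER.MAN not found in %PROFILE_DIR%
    set FAILED=1
)
rem A leftover NTUSER.DAT means the rename was skipped or the hive was copied twice.
if exist "%PROFILE_DIR%\NTUSER.DAT" (
    echo FAIL: NTUSER.DAT still present in %PROFILE_DIR%
    set FAILED=1
)

rem 2. The policy file must exist where the server is told to look for it.
if not exist "%POLICY_FILE%" (
    echo FAIL: policy file %POLICY_FILE% not found
    set FAILED=1
)

rem 3. The server must point at that file. %%logonserver%% is not usable here,
rem    so the stored value has to be the literal UNC path.
reg query "%UPDATE_KEY%" /v NetworkPath | find /i "%POLICY_FILE%" >nul
if errorlevel 1 (
    echo FAIL: NetworkPath does not point at %POLICY_FILE%
    set FAILED=1
)

rem 4. Shown for manual review: UpdateMode should read 2, the manual-path mode.
reg query "%UPDATE_KEY%" /v UpdateMode

rem 5. Shown for manual review: TS users should have read access only,
rem    otherwise they can swap the hive or drop their own shortcuts.
cacls "%PROFILE_DIR%"

if "%FAILED%"=="0" echo OK: mandatory profile and policy path look consistent
exit /b %FAILED%
```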