  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7324
  • Last Modified:

W2K3 Terminal Services Group Policy

I want to restrict TS users when they log in from home whilst giving them full access to their PC in the office.

I only have one 2003 Server in the office, the users can get in fine but any GP changes I make affect their office PC too.  Have tried looking at the Loopback feature but can't get it to work!

The only programs I want them to have access to are Word, Excel, Powerpoint, Access, Outlook and they are only to see the P: Public and U: Users folders.

Any help would be greatly appreciated - they want to run with it asap but I want to lock down first (I already have the MS White paper on what to lock down).

Thanks...
Asked by: ljkal
1 Solution
 
Chryyys Commented:
Try using a local group policy instead of an Active Directory policy.   A local policy will only affect users when they log into the one machine, leaving their office PC's exactly as they are.
0
 
ljkal (Author) Commented:
I've created a new GPO for those guys and a new OU but with just one profile for each user obviously.  The thing is they'll want access from numerous PC's when they're in satellite offices, not just from one remote PC.

The annoying thing is I got it working, installed my licences afterwards and it all screwed - can't get it to work now!
0
 
oBdA Commented:
You're on the right track; with the loopback policy, you can indeed enable different policies depending on where the user logs on to:
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). Reboot the Terminal Servers when it's convenient, so that the new settings will apply.

2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.

To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS):
For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises; you can control who gets which policies applied by changing a user's group membership.

You can/should of course test this with a desktop machine or whatever that you put into a "loopback" OU.

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
0
 
ljkal (Author) Commented:
Man, I'm so happy you posted!  Read yr other comments and that's how I got it working ok in the first place, but as I said I installed my licences and it screwed.

I've created the new OU called 'Terminal Services', in there I've created a 'Group' of all the Users who want to work remotely.  But what do you mean by 'put my Terminal Servers in there'?, I tried dragging it over from the 'Built In' Folder but it doesn't move.
0
 
oBdA Commented:
Sorry, you're heading in the wrong direction again.
You need a dedicated OU for your terminal servers, where no other machines reside. You do not need (actually, "may" not) put user accounts in that OU.
Actually, with "I only have one server in the office", do you mean one (dedicated) terminal server, or is that server a DC as well?

If the server is your DC as well, then you don't need to create a separate OU; set the loopback policy and the additional GPOs in the Domain Controllers OU. It's important to create a dedicated GPO to enable the loopback mode as described above, and then additional GPOs for the user settings. But take really, really special care with the application of the GPOs, and make sure that your filtering works as described above! If you don't, you'll lock yourself out from the DC, as the loopback processing will apply the policies to *any* account logging on to the machine in question, if you don't work with GPO permissions! Try this on a test workstation in a separate OU first if you're unsure about the filtering.
0
 
ljkal (Author) Commented:
Ok, I have a single MS 2003 Standard Server as my DC.  I have deleted the TS dedicated OU.  I have now created a TS GPO that sits under my default GPO.  In the TS GPO Properties I have put a tick in the "Disable User Configuration Settings" box and have also gone into Computer Configuration - Administrative Templates - System - Group Policy and enabled (Replace) the "User Group Policy loopback processing mode".

Now, for a simple test in this GPO I've gone into User Configuration - Administrative Tools - Windows Components - Internet Explorer - Browser Menus and Enabled "Hide Favorites Menu" (a pretty safe test!).

In the Properties - Security tab of this TS (Terminal Services) GPO I have Denied "Apply Group Policy" to the Domain Admins and the Enterprise Admins.  (I have left the ENTERPRISE DOMAIN CONTROLLERS, SYSTEM, CREATOR OWNER, Authenticated Users as they appear).

This still doesn't apply my simple GP (Hide Favorites Menu) when I TS in???????????????  Do I have to add another User Group or users to this list?  What am I doing wrong???

Many thanks in advance...
0
 
oBdA Commented:
You seem to have used the same GPO for the Loopback mode and the user setting; as I wrote before, this will NOT work. You need one GPO (you can leave the default permissions) to enable the Loopback feature, and an *additional* GPO (only applied to selected users by security filtering) for the user settings you want to apply.
The machine needs to be rebooted for the Loopback GPO to be applied and working.
0
 
ljkal (Author) Commented:
Aaaaaagh.  So I enable Loopback in my default GPO and use my new TS GPO for the settings (restrictions) and put the affected users in the Security window?

Will try it now - nearly there - thanks for all this!
0
 
ljkal (Author) Commented:
Tried that and...

My new second GP applies to my TS user AND desktop user.  Arse.

To clarify, my default GPO has User Configuration Settings disabled and Loopback enabled (replace).  I made changes in my new TS GPO.  I created a user group to add my TS Users and added that in the Security as Read and Apply GP boxes ticked.

I know we're not far off but why isn't Loopback working now???????  Have rebooted PC and Server...
0
 
oBdA Commented:
Are your user accounts below the OU in which you specified the user settings? If so, then that's why; as I wrote above, the user accounts may not be under the OU in which your TS is.
You need a setup that basically looks like this:

OU TS [GPO Loopback] [GPO TS Logon]
  +---- Terminal Server Account
OU User [GPO Desktop Logon]
  +---- User Accounts
0
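oBdA's layout above (a dedicated "Loopback" GPO, a separate user-settings GPO filtered by a global group, and a TS OU that holds only the terminal server account), as an added PowerShell example that is not from the thread. It assumes the GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT or later, so newer tooling than the W2K3 GPMC used in the thread), a domain example.local, a terminal server named TS01, users alice and bob, and the OU, GPO and group names shown.

```powershell
# Added example, not from the thread. Assumed names: domain example.local,
# OU "TS", terminal server TS01, GPOs "Loopback" and "TS Logon", group "GPol-TS Logon".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'          # assumption
$tsOu     = "OU=TS,$domainDn"              # dedicated OU: terminal servers only, no user accounts
$tsHost   = 'TS01'                         # assumed terminal server computer name

# 1. OU that holds only the terminal server computer account(s).
#    (If the only server is also the DC, skip this and link the GPOs below to
#    the Domain Controllers OU instead, as oBdA describes.)
New-ADOrganizationalUnit -Name 'TS' -Path $domainDn -ProtectedFromAccidentalDeletion $true
Get-ADComputer $tsHost | Move-ADObject -TargetPath $tsOu

# 2. Dedicated "Loopback" GPO: user half disabled, loopback mode = Replace.
#    UserPolicyMode 2 = Replace, 1 = Merge. Nothing else goes in this GPO.
$loop = New-GPO -Name 'Loopback' -Comment 'Enables loopback only; no other settings'
$loop.GpoStatus = 'UserSettingsDisabled'
Set-GPRegistryValue -Name 'Loopback' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name 'Loopback' -Target $tsOu | Out-Null

# 3. Separate GPO carrying the user restrictions, computer half disabled.
$logon = New-GPO -Name 'TS Logon' -Comment 'User restrictions applied in TS sessions'
$logon.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name 'TS Logon' -Target $tsOu | Out-Null

# 4. Security filtering: Authenticated Users keeps Read (so the machine can still
#    process the GPO) but loses Apply; only the GPol group gets Apply. Admins
#    stay out of the group and are therefore untouched even in Replace mode.
New-ADGroup -Name 'GPol-TS Logon' -GroupScope Global -Path "CN=Users,$domainDn"
Add-ADGroupMember -Identity 'GPol-TS Logon' -Members 'alice', 'bob'   # assumed users
Set-GPPermission -Name 'TS Logon' -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name 'TS Logon' -TargetName 'GPol-TS Logon' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Verify: after the server has rebooted, the RSoP report for a group member
#    should list "TS Logon" under user settings; a non-member should not see it.
Invoke-GPUpdate -Computer $tsHost -Force
Get-GPResultantSetOfPolicy -Computer $tsHost -User 'alice' `
    -ReportType Html -Path "$env:TEMP\rsop-alice.html"
```

Run the same check with an admin account outside GPol-TS Logon before relying on it on a DC; if that account shows "TS Logon" applied, the filtering in step 4 is wrong and the lockout oBdA warns about is possible.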
 
ljkal (Author) Commented:
Gone through everything with a fine toothed comb and can only locate (under my domain in ADUC) Terminal Server Licence Servers (which won't move) which lives under "Builtin", and Terminal Server Computers, under Users.  I think I'm gonna re-build this Server as I no longer trust it after all the changes...Will get back to you guys...!
0
 
oBdA Commented:
I don't think there's need for a rebuild.
Just to check the loopback policy, take a test workstation (W2k or XP), and go through the steps described above: put it into its own OU, make sure no other GPOs apply to it, implement the loopback GPO for the OU, implement the user settings GPO for the OU, and check if the loopback settings work as they should (if you logon with an account that's not under the test OU, the user policy settings from the test OU should apply anyway).
The loopback policy is available on W2k or XP machines as well, so this should work for testing.
Once you've got this running, it's time to check what's different with your TS.
The loopback policy might look a bit confusing at first, but it's not really that difficult.
0
 
oxymoronx Commented:
I've found the following method easier ...

create an ou specifically for your terminal server ... find the server in the computers folder and drag to the new terminal server ou ... from there you can apply any machine GPO you'd like to link.  remember to disable the user configurations settings.  this way only the gpo applies to users logging into the terminal server ... not to their specific computers.

0
 
initialit Commented:
does the last solution work if the ts server is a dc?
0
 
oxymoronx Commented:
should .. I can't think of any reason why it wouldn't ... unfortunately, it's machine specific so you'll need to have group policy manager on a local workstation or something so you can disable the policy if something goes haywire ...

this will also apply to users who log in locally ... so be careful.

0
 
initialit Commented:
only that you would have to drag it out of the default domain controllers container.  i have never done that, i just wasn't sure if it would be an issue or not.
0
 
oxymoronx Commented:
Actually, if you do that you'll lose the domain controllers default policy ... which is important.  I don't recommend doing that.  since it's a DC, I wouldn't create the whole OU thing ... if it's your only server, you can simply add the group policy to the Domain Controllers OU.  If it isn't your only server, Create the OU and link the existing Domain Controllers default policy and then add the Terminal Server group policy.  again, make sure you have group policy manager or something on a workstation so you can edit the policy if necessary.
0
 
ljkal (Author) Commented:
It IS the only server in my domain...
0
