Terminal Server & Group Policy

What is the best way to create a group policy strictly for Terminal Server sessions?
I want a locked down policy that is very restrictive for users while they are logged into a Terminal Server Session but when they are logged into the domain working on their own PC desktop I want them to be able to do pretty much anything.

Seems to me when you assign a group policy to an OU, the members inside get it applied to them whether they are using their own PC or logged onto the Terminal Server.

This is for Windows Server 2003 Standard Edition
Clients are Win XP Pro, XP Home, NT Workstation & Win 98

Set the permissions on the Loopback policy back to the default (Read and Apply for "Authenticated Users"); the "user" that has to have access to this GPO is (as this is a computer policy) the machine itself. You could of course create a security group for this as well, make the DC member of it, and allow access to this group, but for this GPO, it's not really necessary.
And, yes, as I wrote before, user policies applied by a loopback will apply to all users logging on to the machine. But as with NTFS permissions, you shouldn't apply permissions to single user accounts. Use a dedicated global group instead to allow access to this policy, as described above. This is all the more important if this machine is a DC, since you most certainly do not want to find yourself locked out completely by accident; this is less likely to happen with a dedicated group.
If I remember correctly, the server does need a complete restart for the loopback policy to work; running gpupdate is not enough.
Nirmal Sharma (Solution Architect) commented:
saunaG (Author) commented:
I have a group policy that does something similar to this but the problem is that it is applied to the user even when they are logged onto their own computer and I don't want that.
For example this policy does not let the user see the local disks.
This is good when they are logged into Terminal Server but when they are working on their own PC, they still can't see their local disks - this is bad..
How do I separate the two?

You need the Loopback policy to enable different policies depending on whether the user logs on to a terminal server session or a desktop:
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). Reboot the Terminal Servers when it's convenient, so that the new settings will apply.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read Policy" right for the default "Authenticated Users", and add it for the proper security group instead. That way you're pretty safe from surprises; you can control who gets which policies applied by changing a user's group membership.
You can/should of course test this with a desktop machine or whatever that you put into a "loopback" OU.

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers
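The procedure above (dedicated loopback GPO on the Terminal Server OU, a separate user-side lockdown GPO, and GPol<name> group filtering), together with the later remark that the loopback GPO itself must keep its default Read/Apply permissions, written out as an added PowerShell example. This is not code from the thread or from either poster; it assumes the GroupPolicy and ActiveDirectory modules (RSAT / Windows Server 2008 R2 or later, not Server 2003, where the same settings are made by hand in GPMC), and every OU, GPO, group and host name in it is a placeholder.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and ActiveDirectory
# modules; all distinguished names, GPO names, group names and host names below
# are placeholders for this example.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$tsOU        = 'OU=Terminal Servers,DC=example,DC=com'   # placeholder OU holding the TS computers
$groupOU     = 'OU=Groups,DC=example,DC=com'             # placeholder OU for the GPol groups
$loopbackGpo = 'Loopback'                                # dedicated GPO: loopback setting only
$tsUserGpo   = 'TS User Lockdown'                        # user-side restrictions for TS sessions
$tsUserGroup = 'GPol-TS User Lockdown'                   # GPol<GPO name> filter group

# --- 1. Dedicated loopback GPO (computer side only) -------------------------
$gpo = New-GPO -Name $loopbackGpo -Comment 'Loopback processing only; configure nothing else here'
# User settings in this GPO would never apply, so switch that half off.
$gpo.GpoStatus = 'UserSettingsDisabled'

# "User Group Policy loopback processing mode" is stored as this registry value:
#   1 = Merge, 2 = Replace. Replace gives a TS-only lockdown that ignores the
#   user's regular desktop GPOs while logged on to the terminal server.
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loopbackGpo -Target $tsOU -LinkEnabled Yes | Out-Null
# Permissions on this GPO stay at the default (Authenticated Users: Read + Apply):
# the "user" that has to read it is the terminal server's own computer account.

# --- 2. User-side lockdown GPO, filtered to a dedicated global group --------
$gpo2 = New-GPO -Name $tsUserGpo
$gpo2.GpoStatus = 'ComputerSettingsDisabled'
# One user-side setting from the thread: hide the local drives in My Computer.
# NoDrives is a bitmask over drive letters A..Z; 0x3FFFFFF sets all 26 bits.
Set-GPRegistryValue -Name $tsUserGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 0x3FFFFFF | Out-Null
New-GPLink -Name $tsUserGpo -Target $tsOU -LinkEnabled Yes | Out-Null

# Create the GPol group once; membership decides who gets the lockdown.
if (-not (Get-ADGroup -Filter "Name -eq '$tsUserGroup'")) {
    New-ADGroup -Name $tsUserGroup -GroupScope Global -Path $groupOU | Out-Null
}
# Security filtering: Authenticated Users drop to Read only, the GPol group gets
# Read + Apply. Keeping Read (rather than removing the ACE entirely, as the
# 2003-era answer suggests) is required on current Windows builds since
# MS16-072, because the computer account must be able to read user-side GPOs.
Set-GPPermission -Name $tsUserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $tsUserGpo -TargetName $tsUserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Administrators are excluded simply by not being members of the GPol group.

# --- 3. Verify --------------------------------------------------------------
# Show who can read/apply the lockdown GPO after filtering.
Get-GPPermission -Name $tsUserGpo -All | Select-Object Trustee, Permission

# Loopback is a *computer* setting: the terminal server must refresh computer
# policy ("gpupdate /target:computer /force"), and the thread reports a full
# restart was needed on Server 2003. Afterwards, for a test user who has logged
# on to the TS, produce an RSoP report and confirm the lockdown GPO is listed
# under the user settings for that machine but not for the user's own desktop.
Get-GPResultantSetOfPolicy -Computer 'TS01' -User 'EXAMPLE\tom' `
    -ReportType Html -Path "$env:TEMP\rsop-TS01.html"
```

If the terminal server is also a domain controller, as in the asker's setup, the loopback GPO is linked to the Domain Controllers OU instead of a separate TS OU, and every account that logs on to that box interactively, administrators included, is subject to the user-side GPOs linked there; the GPol group filter is what keeps administrators out of the lockdown.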
Nirmal Sharma (Solution Architect) commented:

Eh? I got it wrong. You don't want to create a Group Policy to lock down the terminal server.
Nirmal Sharma (Solution Architect) commented:
Need to say something to oBdA... but I don't see in your profile the thing which I am looking for.
saunaG (Author) commented:
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties

I don't understand the reason for this. In the properties of the GPO there is a check box for "Disable User Configuration Settings" and I assume this is what you are referring to. If I check it, the GPO ignores all the policies set in the User Configuration section. I want to use the different User Configuration settings to lock down the Term Server, for example using the setting in User Configuration that allows you to restrict the user to only running programs on a list you provide. In addition, the explanation behind this is that it is strictly to improve performance.

Am I missing something? When you set up security in this manner depending on what computer the user is logged onto, do only 'Computer Configuration' policies apply? I would think 'User Configuration' policies would still apply. Right?

Please read again: You have to have a dedicated GPO for the Loopback setting. Any user settings that might be configured in that GPO will not be applied (for whatever reason). Since you can't use user settings in that GPO anyway, you may as well deactivate the user part.
So once you have your Loopback GPO in place, you can happily add more GPOs with as many user configurations as you are able to carry.
saunaG (Author) commented:
OK, I understand your comment but it is still not working for me.
In my setup I only have one server, so it is domain controller and terminal server. I don't think that matters but...

In Active Directory there is an OU called 'Domain Controllers' containing my server.
In this OU I created the LOOPBACK GPO, in which under Computer Configuration - Administrative Templates - System - Group Policy I enabled "User Group Policy loopback processing mode".
In the security tab for this GPO the only objects that have Read and 'Apply Group Policy' permissions are the built-in group 'Remote Desktop Users' and a user 'tom' (me).
Underneath this GPO, I have a 2nd GPO called 'Remote Desktop Users Policy'. Again only Remote Desktop Users and tom have Read and Apply Group Policy privileges.
I found that if Authenticated Users have Read and Apply Group Policy privileges, then the administrator can get their privileges restricted.

I have done gpupdate /Force
I have not restarted the server (I can't right now) but I think it should be working without a restart.

Am I missing something?
saunaG (Author) commented:
Thanks, I got it now. Works just the way I want it.