Apply different restrictions when logging into Terminal Services versus Locally

I have a SBS 2003 domain and a windows 2000 server running terminal services in application mode as a member server to this SBS domain.

My question is this.  I have about 30 users that are setup with a default domain policy and and some basic restrictions through GPO.  These users can log into the 2000 terminal server, but I want them to have a restricted set of abilities (e.g. prohibit the shutdown option on the taskbar, etc.)

How can I do this?  I've created a policy object with the set of restrictions that I want, but I'm afraid that if I apply this to my users this will be applied when they log into their desktops as well.  How do I only apply this to their terminal server sessions?

If you could just point me in the right direction!
Who is Participating?
oBdAConnect With a Mentor Commented:
Those policies will apply to a local logon as well; it's the same user account, whether logging on to a desktop or a terminal server.
What you need is the loopback feature.

1. Create a new OU, for example Terminal Server; move the Terminal Server into this OU. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - User group policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

For testing purposes, you can of course first move a test workstation into the Terminal Server OU, then log on locally; only the policies defined in the TS OU should apply to the account when logging on.

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers
benbeckerAuthor Commented:
Fantastic, I will experiement with this.  Thank you for your promptness!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.