Group Policy to control TS rights

I've asked this question before, but it's gone stale so I'll try and start again and see if I get the answer I need..

I have a customer with an SBS2003 server. I have left TS in administrative mode. There are a couple of users who connect occasionally via TS. I also administer the server remotely via TS.

To prevent them doing things they shouldn't, I have created a policy to lock down their TS sessions. It works well. Unfortunately, it also locks down their workstations when they log into the network internally. The main problem being that they can't shut down their workstation.

I need to apply this policy just to these users only when they login via TS. It was suggested that I put the server in its own OU and apply the policy to the server, but I think that would also lock down my administrative account.

For the time being, I have given them separate user accounts to use when they log in via TS. I don't regard this as a good solution, so I'm looking for something better.

Anyone any ideas?
ipendlebury Asked:

CoccoBill Commented:
You have 2 options, the machine-side settings that have been suggested to you, and loopback policy processing:

How to apply Group Policy objects to Terminal Services servers
http://support.microsoft.com/?kbid=260370

ipendlebury Author Commented:
My knowledge of Group Policy is sadly lacking.

The SBS server is the only computer in the Domain Controllers OU. So is it necessary to create a new OU in order to achieve what I want?
Jay_Jay70 Commented:
hmm hmm hmm

Once a user policy is assigned to an OU it affects the user whether they log on locally or via TS. You are stuck in a spot where you seem to want two different things for two different scenarios, which isn't really an option with Group Policy the way you want it. In our company we are similar; we had to create separate users like you have, for the appropriate privileges to be available. There are no IF THEN settings in policies as such, it's either yes or no.

I will be interested if you find a different solution though, as it may also help me out in the future. To this day I know of nothing.

ipendlebury Author Commented:
OK I've done the following...

I've created a new OU called Terminal Servers
I've moved the SBS computer into it
I've created a Security Group called Terminal Server Users and added users to it.
I've created and linked a GPO in the OU and applied it to the Terminal Server Users group.

Nothing happened. The policy hasn't restricted the users at all.

What have I done wrong?
ipendlebury Author Commented:
I've sorted it out. I almost had it right previously. The thing I had neglected to do was to add the SBS box to the security properties for the GPO.

So now I have exactly what I wanted:

I can administer the server both internally and externally.

My users have normal privileges on their workstations in the office.

The same users have locked down sessions when they log in via TS.

Thanks for your help CoccoBill

Jay_Jay70: take a look at KB article 260370.
Jay_Jay70 Commented:
cheers mate
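
The steps worked out in this thread (OU for the server, security group, linked GPO, security filtering that includes the server's computer account) combined with the loopback processing CoccoBill pointed to, as an added example that is not from any poster. It assumes a newer domain with the ActiveDirectory and GroupPolicy PowerShell modules (Server 2012 or later; not present on SBS 2003) and a member-server terminal server; the GPO name and `TS01` are placeholders.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory + GroupPolicy modules,
# run as a domain admin. $gpoName and $server are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'Terminal Servers'
$groupName = 'Terminal Server Users'
$gpoName   = 'TS Session Lockdown'   # placeholder
$server    = 'TS01'                  # placeholder

# 1. OU that holds only the terminal server, then move the computer into it.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
Get-ADComputer -Identity $server | Move-ADObject -TargetPath $ou.DistinguishedName

# 2. Security group for the users whose TS sessions are to be restricted.
#    Administrative accounts stay out of this group, so they are not filtered in.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security

# 3. Create the GPO and link it to the OU containing the server.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ou.DistinguishedName | Out-Null

# 4. Enable user-policy loopback in the GPO (computer side).
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 5. Security filtering. Drop Authenticated Users to read-only, then grant
#    "apply" to the user group AND to the server's computer account. Without
#    the computer account the loopback setting in this GPO never applies,
#    which matches the "nothing happened" symptom in the thread.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $server `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null

# 6. Review who can read or apply the GPO before adding lockdown settings.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

The restrictive user settings themselves then go under User Configuration in this GPO; running `gpresult /r` in a TS session of a group member and of an administrator shows whether the filter behaves as intended.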
Windows Server 2003