Terminal Services and Group Policy Access

Hi there,

A quick question: I am wondering how to set up a group policy that would restrict users' access, as in locking down the desktop, locking control panel etc., but only when they are logged onto our terminal server. So if they log onto a normal workstation these policies are not applied, just when they log onto our terminal server, but obviously I don't want these policies to be applied to the administrator account at all, especially on the TS.

As our users move around, sometimes they will be on TS but not always, so when they are on normal workstations they will need to have access to certain they won't when on TS.

I know it can be done just cannot work the logic out in my head.

Michael
0
mickinoz2005
Asked:
dmccurdy51 Commented:
You will need to create a custom OU in "Users and Computers". Normally we put this under the servers OU.
        Right click on the OU and go to the group policy tab.
        Click the check box for block inheritance.
             This will prevent other policies from being applied to your terminal server.
        In that same tab create a new Group Policy for Terminal Servers.

        For preventing administrators from getting the policy do the following:
        Highlight the new group policy, then click properties.
        Select the Security tab.
        Highlight the administrators group and select the deny checkbox.

0
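
The procedure from the comment above, scripted as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules (newer than the Windows 2000/2003 consoles discussed here); the domain, OU, GPO and group names are placeholders.

```powershell
# Added example: all names below are placeholders, adjust for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ParentOu   = 'OU=Servers,DC=example,DC=com'   # assumed existing servers OU
$OuName     = 'Terminal Servers'               # assumed name for the custom OU
$GpoName    = 'Terminal Server Lockdown'       # assumed name for the new GPO
$AdminGroup = 'Administrators'                 # group that must not get the policy
$TsOu       = "OU=$OuName,$ParentOu"

# 1. Create the custom OU under the servers OU (skipped if it already exists).
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$TsOu'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $ParentOu
}

# 2. Block inheritance so policies linked higher up stop at this OU.
Set-GPInheritance -Target $TsOu -IsBlocked Yes | Out-Null

# 3. Create the GPO and link it to the OU (both steps are idempotent).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$links = (Get-GPInheritance -Target $TsOu).GpoLinks
if ($links.GpoId -notcontains $gpo.Id) {
    New-GPLink -Guid $gpo.Id -Target $TsOu | Out-Null
}

# 4. Deny "Apply Group Policy" to the admin group. This is the scripted
#    equivalent of the deny checkbox on the GPO's Security tab.
$applyGp = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply Group Policy extended right
$sid     = (Get-ADGroup -Identity $AdminGroup).SID
$adPath  = "AD:\$($gpo.Path)"
$acl     = Get-Acl -Path $adPath
$deny    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGp)
$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# 5. Read the ACL back and list every Deny on Apply Group Policy for review.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGp } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```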
 
mickinoz2005 (Author) Commented:
There is no security tab, that is only in Windows 2000, so how do I deny the policy to run for administrators in Windows 2003?

Michael
0
 
dmccurdy51 Commented:
My Windows 2000 boxes have this tab.

Right click the TS OU
Select Properties
Group Policy Tab
Highlight the Group Policy Object
Select Properties
There should be a security tab.  
0
 
mickinoz2005 (Author) Commented:
Yeah, but I am not using Windows 2000, I am using 2003, and you use the group policy management tool in 2003. It does not look like 2000, so there is no security tab.

Michael
0
 
dmccurdy51 Commented:
OK, I misunderstood what you were saying.

The tab or lack of one is not a result of 2000 vs 2003. It's a result of having group policy management installed or not.
I would go to a machine that does not have this utility installed and complete the security change. That is what I do.

I was not able to locate it in the GP Management tool as well. There is some basic functionality under the Delegation tab but nothing I can see that allows deny.

0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
mickinoz2005,

What you are trying to do is called "User State Management".  Server2003 SP1 and R2 will automatically sense where the user is logging in from and provide the necessary rights controls based on this login location or device.  

For an overview and how-to's please see http://technet2.microsoft.com/WindowsServer/en/Library/23ee2a30-5883-4ffa-b4cf-4cfff3ff8cb71033.mspx

Jeff
TechSoEasy
0
 
mickinoz2005 (Author) Commented:
Hiya dmc,

Just wondering about the lack of our tab for security: is there no way to access this security tab without not having GPMC, as all our servers have it?

Michael
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
If all you want is to modify security settings for a particular OU, then you can just go to the OU in ADUC > Right Click for Properties, and then you'll have a Security Tab on which you can add a DENY setting for about 100 or so different container objects... you need to change the "Apply Onto" setting to GroupPolicyContainerObjects in order to get the GP security settings to show up.

Jeff
TechSoEasy
0
 
dmccurdy51 Commented:
No, I have been unable to find these granular settings under the GPMC. Try installing the adminpack on an XP workstation and do it from there.
0
 
dmccurdy51 Commented:
TechSoEasy, this does not exist in ADUC once the GPMC has been installed.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Really?  Hmmm... it does in mine.

Jeff
TechSoEasy
0
 
mickinoz2005 (Author) Commented:
Hiya,

Just following on from this, I created an OU for Terminal Computers and moved the TS into this OU. I then created a GP under this OU which in theory was going to apply to users when they logged in, however it does not. I am trying to lock down the TS so they can't have access to certain areas, but no user settings I specify work on this OU. Now I know that if I put computer settings they will work.

So how do I get this OU to apply user settings when the user logs into the TS?

Michael
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Why don't you just follow the lockdown guide... it would be much easier than trying to invent the wheel:

http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

http://support.microsoft.com/kb/278295

Jeff
TechSoEasy
0
 
mickinoz2005 (Author) Commented:
Maybe in this case it's not reinventing the wheel, more changing the design. I want to control the level of access to the server. I don't want standard settings applied.

Is it possible to do what I want or not? That's basically the question, and if so, how? Got to be something simple.

Michael
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Of course it's possible, that's why I provided the link to that KB above... which describes exactly how to do it.

Jeff
TechSoEasy
0
