Solved

An account for terminal users to access

Posted on 2006-07-18
10
173 Views
Last Modified: 2010-04-18
Hi Guys,

just setting up terminal server on a 2003 domain controller. This terminal server will be used for people to log on nan use our CRM package. Obviously, i don't want these users to be able to access anything even remotely dodgy on the domain controller, for obvious reasons, so just want to know how to go about setting up a dumb account, that only really lets them use the CRM package. Also, is there a way i could customise the view, shortcuts, toolbars etc, before given them access to the account (where they WONT be able to change any of my customization)

Thanks, Gavin
0
Comment
Question by:Gavin5511
  • 5
  • 5
10 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 17134422
what we do:

set up an OU with your dummy user
apply a group policy to that OU customising it as much as you like and preventing change...there is only so far you can lock a machine down but it is pretty effective
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx
0
 
LVL 1

Author Comment

by:Gavin5511
ID: 17139404
right, been reading through that walkthrough, and it could quite possibly be the BEST white paper ever! very clear, very precise, and great for people who can't be bothered to go through hundreds of policies! like me! ;)

i have a problem however.....

It says there are 2 ways of going about it. Locking down the machine, or locking down the users...

Now, the machine that i have installed terminal server on is actually a domain controller, so i'm assuming i can't create a new OU, restrict it, then dump the domain controller in there!

As for the user lockdown, i have a strange problem. we have 5 users in a remote office who use terminal server to connect to our CRM software. Now i can't lock down these 5 users accounts down in an OU either, because they use these accounts to connect to our network over VPN. so, is it possible just to create 1 account, and let them all log on as the same user (eg. all log on as terminaluser1). or would i have to create a locked down account for them to each individually use?

apart from that, i really was impressed with that white paper! thanks!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17143543
no problem, you can use whats called loopback processing for this scenario

http://support.microsoft.com/?id=231287

OR you can create separate users if thats the way you want to go
0
 
LVL 1

Author Comment

by:Gavin5511
ID: 17144934
excleent! i heard somthing about that. i know i might seem a pain, but can u just make things a little clearer for me? do you suggest i created a new OU with the domain controller in it then?
0
 
LVL 1

Author Comment

by:Gavin5511
ID: 17144984
sorry, that probably didn't make sense! do i put loopback policy on a new OU with the domain controller in? do i put loopback policy on a new OU with the 5 individual user profiles in? or do i put loopback policy on a new OU with 1 new user in that all 5 users will use? or do i simple not make a new OU, and apply it to an existing OU?
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17145008
leave your DC where it is! as you mentioned before...moving that is a no go!

up to you whether you want a new OU with a new user in it (i would take that path...) make sure you get one working first and then decide if you want one user    or multiple :)
0
 
LVL 1

Author Comment

by:Gavin5511
ID: 17145173
ok, i get it now! so basically, the DC stays the same, but when a user logs on that has got the loopback processing, it changes the way the DC runs JUST for that user? how do i link the user to the DC then?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17145650
the user doesnt get linked to the DC - it just logs on to it and then policy is applied
0
 
LVL 1

Author Comment

by:Gavin5511
ID: 17145722
Cheers man! just tested it and everything works absolutely perfect! what a great bunch of help you have been! i would give you more than 500 points, but i can't! lol! so hope your happy with them!

Cheers, Gavin
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17150239
No problems at all Gavin, glad things work well :)
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now