Solved

2003 Terminal Services

Posted on 2007-03-28
13
197 Views
Last Modified: 2013-11-21
Hello all,

I have three sites A, B, & C. I have our only server in site A running both my Apps and TS. At B & C I have a site to site VPN back to site A. There are only 4 total users outside the LAN in site A so my load and performance are not issues. But running our program over the VPN and accessing the Database in Site A is very slow and I would like to have those users RDP back to site A over the VPN.

My question is if these workstations already log into the domain over the VPN, will I still be able to create a GPO that restricts them on the server? I have already created a container with a GPO that restricts access to anything on the server except that program shortcut on the desktop. This was used for outside people who were never members of my domain. Now that I want users who have rights in my domain to RDP back to the server, how do I restrict them without affecting their rights throughout the rest of the domain?
0
Comment
Question by:mburke3434
13 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18813827
mburke3434,

User configuration policies will follow the users everywhere they log on.

Computer policies will affect just the computer. You have the choice of either.

Regards,

James
0
 
LVL 15

Assisted Solution

by:plimpias
plimpias earned 500 total points
ID: 18813858
HI mburke

Jay Jay, you are correct. User settings follow the user and computer settings follow the computer.

But to answer your question you can setup a policy that will only take effect when users log into a specific computer.

So you apply a policy to the terminal server computer, not users (just the computer). Then you modify the user settings of the GPO. In the computer configuration you enable loopback processing mode and set it to either merge, meaning it will merge the other policies, or replace.

This is good if someone has three terminal servers and they want to restrict settings on them.

So when users log into the terminal server they get the restriction, but they are only restricted when they log into the terminal servers.


Here is more info

http://support.microsoft.com/kb/231287
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18814033
:) much better explanation than mine :)
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18814071
Well, just to clarify, it's not the same.

You're saying user configuration follows the users everywhere
and computer policies affect the computer.

I'm saying you can do a policy that will affect a user on only certain computers.

So if user A logs into server A, B or C, then they get a special policy that does not apply to them elsewhere, only if they log into server A, B or C.
0
 

Author Comment

by:mburke3434
ID: 18815336
Having one server only, will applying a restrictive GPO to the server for those logging directly in affect the user with their shares and such while not on the server (it's also the DC)?
(I know a 2nd server for TS is best but we have $$ restrictions right now)
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18817231
Hi Mburke,


If you apply a policy to the server with loopback processing on, it will only affect users when they log into the server using terminal services or locally. It will not affect the users when they log in elsewhere, even if it is a DC.
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18817238
Try it out by creating one policy that restricts one setting.
0
 

Author Comment

by:mburke3434
ID: 18818417
That's what I plan to do... what do you mean by loopback processing?

And to create a GPO on the DC for people using terminal services or local logon to that machine, what is my best course of action? Do I apply the GPO to the container for Domain Controllers?
0
 
LVL 15

Accepted Solution

by:
plimpias earned 500 total points
ID: 18818459
In this case

You would apply the policy to the Domain Controllers container (your DC should be the only one listed in the container).

In order for you to apply settings to users with that policy you have to enable loopback processing mode.

So create a policy and call it something like "User restriction on server".
Then edit the policy and enable loopback processing mode.

Click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option (select Merge).

Then go into user configuration and setup the policies that you want to restrict when people log into the DC using terminal service or log on locally.
0
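The procedure plimpias describes in this answer and in the earlier one (a GPO linked to the computer, loopback processing set to Merge, user restrictions placed in the same GPO) can be reproduced from the command line. The script below is an added example, not code from the thread or from Microsoft's article; it uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT, available from Windows Server 2008 R2 onward, so it assumes a newer management host than the 2003 server in the question). The GPO name, the comment text and the single sample restriction (hiding all drives in Explorer, a stand-in for whatever lockdown the asker's existing GPO applies) are assumptions chosen for illustration. The registry value it writes, `UserPolicyMode` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`, is the setting behind the "Loopback Policy" option in the accepted answer; 1 is Merge, 2 is Replace.

```powershell
# Added example (not from the thread): build the loopback-processing GPO described in
# the accepted answer. Assumes the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = "User restriction on server"                 # assumed name, as suggested in the thread
$DomainDn = (Get-ADDomain).DistinguishedName              # e.g. DC=corp,DC=example (placeholder)
$TargetOu = "OU=Domain Controllers,$DomainDn"             # the container the thread links the GPO to

# 1. Create the GPO, or reuse it if a previous run already created it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "User lockdown for TS/local logons on the DC (assumed comment)"
}

# 2. Enable loopback processing in Merge mode (Computer Configuration side).
#    Equivalent to: Computer Configuration > Administrative Templates > System >
#    Group Policy > User Group Policy loopback processing mode = Merge.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 1 | Out-Null

# 3. Put the user-side restriction in the SAME GPO (User Configuration side).
#    Sample restriction (assumed for illustration): hide every drive letter in Explorer.
#    NoDrives is a 26-bit mask, A: = bit 0 ... Z: = bit 25; 0x03FFFFFF hides all of them.
Set-GPRegistryValue -Name $GpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoDrives" -Type DWord -Value 0x03FFFFFF | Out-Null

# 4. Link the GPO to the Domain Controllers OU, skipping the link if it already exists.
$existingLink = Get-GPInheritance -Target $TargetOu |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 5. Emit an HTML report of the resulting settings so the change can be reviewed before
#    anyone logs on to the server. Output path is an assumed location.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$($GpoName).html"
```

Because the user settings ride on a computer-linked GPO with loopback enabled, they are evaluated only during an interactive or Terminal Services logon to a machine in that OU; a user connecting to a share on the same DC from a workstation does not process them, which is the behaviour plimpias describes. To confirm the result from inside a TS session on the server, `gpresult /r /scope:user` lists the applied GPOs and should show the new one under the user section; from a workstation logon it should be absent. The same loopback GPO also applies to administrators who log on to the DC, so scope it with security filtering (for example, `Set-GPPermission` to grant Apply only to the group that holds the remote users) before relying on it.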
 
LVL 15

Expert Comment

by:plimpias
ID: 18818460
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18818477
Please read the article, it will answer your question "what do you mean with Loopback processing?"
0
 

Author Comment

by:mburke3434
ID: 18821456
Plimpias,

Thanks for all your help. I am having some issues still with the deployment but I will ask those questions with additional points. I hope you can continue to provide help.

James your response was first but Plimpias did provide the detail. Thank you for your response.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18821804
It's a pleasure :)
0