Solved

2003 Terminal Services

Posted on 2007-03-28
Last Modified: 2013-11-21
Hello all,

I have three sites A, B, & C. I have our only server in site A running both my Apps and TS. At B & C I have a site-to-site VPN back to site A. There are only 4 total users outside the LAN in site A, so my load and performance are not issues. But running our program over the VPN and accessing the Database in Site A is very slow, and I would like to have those users RDP back to site A over the VPN.

My question is: if these workstations already log into the domain over the VPN, will I still be able to create a GPO that restricts them on the server? I have already created a container with a GPO that restricts access to anything on the server except that program shortcut on the desktop. This was used for outside people who were never members of my domain. Now that I want users who have rights in my domain to RDP back to the server, how do I restrict them without affecting their rights throughout the rest of the domain?
Question by:mburke3434

13 Comments
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18813827
mburke3434,

User configuration policies will follow the users everywhere they log on.

Computer policies will affect just the computer... you have the choice of either.

Regards,

James
 
LVL 15

Assisted Solution

by:plimpias
plimpias earned 500 total points
ID: 18813858
Hi mburke,

Jay Jay, you are correct. User settings follow the user and computer settings follow the computer.

But to answer your question, you can set up a policy that will only take effect when users log into a specific computer.

So you apply a policy to the terminal server computer, not users (just the computer). Then you modify the user settings of the GPO. In the Computer Configuration you enable loopback processing mode and set it to either Merge, meaning it will merge the other policies, or Replace.

This is good if someone has three terminal servers and they want to restrict settings on them.

So when users log into the terminal server they get the restriction, but they are only restricted when they log into the terminal servers.


Here is more info

http://support.microsoft.com/kb/231287
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18814033
:) much better explanation than mine :)
 
LVL 15

Expert Comment

by:plimpias
ID: 18814071
Well, just to clarify, it's not the same.

You're saying user configuration follows the users everywhere
and computer policies affect the computer.

I'm saying you can do a policy that will affect a user on only certain computers.

So if user A logs into server A, B or C, then they get a special policy that does not apply to them elsewhere, only if they log into server A, B or C.
 

Author Comment

by:mburke3434
ID: 18815336
Having one server only, will applying a restrictive GPO to the server for those logging directly in affect the users with their shares and such while not in the server (it's also the DC)?
 (I know a 2nd server for TS is best but we have $$ restrictions right now)
 
LVL 15

Expert Comment

by:plimpias
ID: 18817231
Hi Mburke,


If you apply a policy to the server, with loopback processing on, it will only affect users when they log into the server using Terminal Services or locally. It will not affect the users when they log in elsewhere, even if it is a DC.
 
LVL 15

Expert Comment

by:plimpias
ID: 18817238
Try it out by creating one policy that restricts one setting.
 

Author Comment

by:mburke3434
ID: 18818417
That's what I plan to do... what do you mean by loopback processing?

And to create a GPO on the DC for people using terminal services or local logon to that machine what is my best course of action? Do I apply the GPO to the Container for Domain Controllers?
 
LVL 15

Accepted Solution

by:
plimpias earned 500 total points
ID: 18818459
In this case

You would apply the policy to the Domain Controllers container (your DC should be the only one listed in that container).

In order for you to apply settings to users with that policy, you have to enable loopback processing mode.

So create a policy and call it something like "User restriction on server".
Then edit the policy and enable loopback processing mode:

Click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option (select Merge).

Then go into User Configuration and set up the policies that you want to restrict when people log into the DC using Terminal Services or log on locally.
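The procedure in the accepted solution (and the loopback explanation in plimpias' earlier comment) scripted end to end. This is an added example, not code from the thread: it uses the GroupPolicy PowerShell module, which ships with RSAT on Windows Server 2008 R2 and later, so it has to be run from a newer management host against the 2003 domain rather than on the 2003 server itself. The GPO name is the one suggested in the answer; the domain DN, the sample user restrictions and the test user name are assumptions to be replaced.

```powershell
# Added example: create the "User restriction on server" GPO with loopback processing,
# link it to the Domain Controllers OU, and put user-side lockdown settings in it.
# Assumptions: RSAT GroupPolicy module available, domain DN example.local, admin rights.
Import-Module GroupPolicy

$gpoName  = 'User restriction on server'                   # name used in the accepted solution
$targetOU = 'OU=Domain Controllers,DC=example,DC=local'    # assumption: your domain's DN

# 1. Create the GPO and link it to the Domain Controllers container.
New-GPO -Name $gpoName -Comment 'Lockdown for users who RDP to the DC/terminal server' | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# 2. Computer Configuration > Administrative Templates > System > Group Policy >
#    "User Group Policy loopback processing mode". The setting is stored as
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. User Configuration settings that should bite only on this machine.
#    Sample restrictions (assumption: choose the ones you actually need):
#    remove Run from the Start menu, disable Task Manager, hide the C: drive in Explorer.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 4 | Out-Null    # bitmask: A=1, B=2, C=4, D=8 ...

# 4. Check what the GPO now carries: the loopback value on the computer side
#    and the restriction values on the user side.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 5. On the server, after 'gpupdate /force' and a fresh RDP logon by a test account
#    (assumption: DOMAIN\testuser), confirm the GPO is applied to that user there:
#       gpresult /r /scope:user /user DOMAIN\testuser
#    and confirm the same gpresult on one of the site B/C workstations does NOT list it.
```

Two caveats before relying on this. First, with loopback in Merge mode the user settings apply to everyone who logs on to that box, including Domain Admins, so in GPMC under the GPO's Delegation > Advanced set a Deny on "Apply Group Policy" for your admin group (or filter by a dedicated "TS users" group) unless you want administrators locked down too. Second, these user settings are a shell lockdown, not an access-control boundary: the share, NTFS and registry ACLs and the user rights on the DC still decide what the account can actually do, and the domain users also need the "Allow log on through Terminal Services" right on the DC (the default Domain Controllers policy grants it to Administrators only). Letting ordinary users log on interactively to a domain controller means any local privilege escalation on that host is a domain compromise, which is why the thread's note that a separate TS box is preferable is worth revisiting when the budget allows.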
 
LVL 15

Expert Comment

by:plimpias
ID: 18818477
Please read the article; it will answer your question "what do you mean by loopback processing?"
 

Author Comment

by:mburke3434
ID: 18821456
Plimpias,

Thanks for all your help. I am having some issues still with the deployment, but I will ask those questions with additional points. I hope you can continue to provide help.

James, your response was first, but Plimpias did provide the detail. Thank you for your response.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18821804
Its a pleasure :)