Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

2003 Terminal Services

Posted on 2007-03-28
13
Medium Priority
?
202 Views
Last Modified: 2013-11-21
Hello all,

I have three sites A, B, & C. I have our only server in site A running both my Apps and TS. At B & C I have a site to site VPN back to site A. There are only 4 total users outside the LAN in site A so my load and performance are not issues. But running our program over the VPN and accessing the Database in Site A is very slow and I would like to have those users RDP back top site A over the VPN.

My question is if these workstations already log into the domain over the vpn will I still be able to create GPO that restricts them on the server? I have already created a container with a GPO that restricts access to anything on the server except that program shortcut on the desktop. This was used for outside people who were not ever members of my domain. Now that I want users who have rights in my domain to RDP back to the server, how do I restrict them without affecting their rights through out the rest of the domain?
0
Comment
Question by:mburke3434
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 3
13 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18813827
mburke3434,

user configuration policies will follow the users everywhere they logon

Computer policies will affect just the computer,.....you have the choice of either

Regards,

James
0
 
LVL 15

Assisted Solution

by:plimpias
plimpias earned 2000 total points
ID: 18813858
HI mburke

Jay Jay you are correct. User follow user and computer follow computers.

But to answer your question you can setup a policy that will only take effect when users log into a specific computer.

So you apply A policy to the terminal server computer, not users. (just computer). Then you modify the user settings of the GPO. in the computer configuration you enable looback processing mode, set it to either merge meaning it will merge the other policies or replace.

This is good if someone has three terminal services and they want to restrict settings on them.

So when users log into the terminal service they get the restriction, but they are only restricted when they log into the terminal servers.


Here is more info

http://support.microsoft.com/kb/231287
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18814033
:) much better explanation than mine :)
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 15

Expert Comment

by:plimpias
ID: 18814071
Well just to clarify it's not the same

Your saying user configuration follows the users everywhere
And computer policies affect the computer

Im saying you can do a policy that will affect a user on only certain computers.

So if user a logs into server a b or c, then they get a special policy that does not apply to them elsewhere, only if they log into server a b or c.
0
 

Author Comment

by:mburke3434
ID: 18815336
Having one server only, will applying a restrictive GPO to the Server for those logging directly in affect the user with thiershares and such while not in the server (its also the DC)?
 (I know a 2nd server for TS is best but we have $$ restrictions right now)
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18817231
Hi Mburke,


If you apply a policy to the server to users with loopback processing on it will only affect users when they log into the server using terminal services or locally. It will not affect the users when they log in elsewhere, even if it is a DC.
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18817238
try it out by creating one policy that restricts one setting.
0
 

Author Comment

by:mburke3434
ID: 18818417
Thats what I plan to do... what do you mean with Loopback processing?

And to create a GPO on the DC for people using terminal services or local logon to that machine what is my best course of action? Do I apply the GPO to the Container for Domain Controllers?
0
 
LVL 15

Accepted Solution

by:
plimpias earned 2000 total points
ID: 18818459
In this case

You would apply the policy to the Domain Contollers container (you dc should only be listed in the container)

In order for you to apply settings to users with that policy you have to enable loopback processing mode.

So create a policy and call it something like, "User restriction on server"
Then edit the policy and enable loopback processing mode

Click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option (select Merge)

Then go into user configuration and setup the policies that you want to restrict when people log into the DC using terminal service or log on locally.
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18818460
0
 
LVL 15

Expert Comment

by:plimpias
ID: 18818477
Please read the article, it will answer your question "what do you mean with Loopback processing?"
0
 

Author Comment

by:mburke3434
ID: 18821456
Plimpias,

Thanks for all your help..I am having some issues still with the deployment but I will ask those questions with additional points. I hope you can continue to provide help.

James your response was first but Plimpias did provide the detail. Thank you for your response.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18821804
Its a pleasure :)
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question