Solved

2003 Terminal Services

Posted on 2007-03-28
Last Modified: 2013-11-21
Hello all,

I have three sites A, B, & C. I have our only server in site A running both my Apps and TS. At B & C I have a site-to-site VPN back to site A. There are only 4 total users outside the LAN in site A, so my load and performance are not issues. But running our program over the VPN and accessing the database in site A is very slow, and I would like to have those users RDP back to site A over the VPN.

My question is: if these workstations already log into the domain over the VPN, will I still be able to create a GPO that restricts them on the server? I have already created a container with a GPO that restricts access to anything on the server except that program shortcut on the desktop. This was used for outside people who were never members of my domain. Now that I want users who have rights in my domain to RDP back to the server, how do I restrict them without affecting their rights throughout the rest of the domain?
Question by:mburke3434

13 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18813827
mburke3434,

User configuration policies will follow the users everywhere they log on.

Computer policies will affect just the computer. You have the choice of either.

Regards,

James
 
LVL 15

Assisted Solution

by:plimpias
plimpias earned 500 total points
ID: 18813858
Hi mburke,

Jay Jay, you are correct. User policies follow users and computer policies follow computers.

But to answer your question, you can set up a policy that will only take effect when users log into a specific computer.

So you apply a policy to the terminal server computer, not users (just the computer). Then you modify the user settings of the GPO. In the computer configuration you enable loopback processing mode and set it to either merge (meaning it will merge the other policies) or replace.

This is good if someone has three terminal servers and they want to restrict settings on them.

So when users log into the terminal server they get the restriction, but they are only restricted when they log into the terminal servers.


Here is more info

http://support.microsoft.com/kb/231287
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18814033
:) much better explanation than mine :)
 
LVL 15

Expert Comment

by:plimpias
ID: 18814071
Well, just to clarify, it's not the same.

You're saying user configuration follows the users everywhere
and computer policies affect the computer.

I'm saying you can do a policy that will affect a user on only certain computers.

So if user A logs into server A, B or C, then they get a special policy that does not apply to them elsewhere, only if they log into server A, B or C.
 

Author Comment

by:mburke3434
ID: 18815336
Having only one server, will applying a restrictive GPO to the server for those logging directly in affect the users with their shares and such while not on the server (it's also the DC)?
(I know a 2nd server for TS is best, but we have $$ restrictions right now.)
 
LVL 15

Expert Comment

by:plimpias
ID: 18817231
Hi Mburke,


If you apply a policy to the server with loopback processing on, it will only affect users when they log into the server using terminal services or locally. It will not affect the users when they log in elsewhere, even if it is a DC.
 
LVL 15

Expert Comment

by:plimpias
ID: 18817238
try it out by creating one policy that restricts one setting.
 

Author Comment

by:mburke3434
ID: 18818417
That's what I plan to do... what do you mean by loopback processing?

And to create a GPO on the DC for people using terminal services or local logon to that machine, what is my best course of action? Do I apply the GPO to the container for Domain Controllers?
 
LVL 15

Accepted Solution

by:plimpias
plimpias earned 500 total points
ID: 18818459
In this case

You would apply the policy to the Domain Controllers container (your DC should be the only object listed in that container).

In order for you to apply settings to users with that policy you have to enable loopback processing mode.

So create a policy and call it something like, "User restriction on server"
Then edit the policy and enable loopback processing mode

Click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option (select Merge)

Then go into user configuration and setup the policies that you want to restrict when people log into the DC using terminal service or log on locally.
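The loopback mechanism plimpias describes in the assisted answer above, and the step list in this accepted answer (create a GPO, link it to the Domain Controllers container, enable loopback processing in Merge mode, then put the restrictions under User Configuration), as an added PowerShell example. This is not code from the thread or from either expert. It uses the GroupPolicy module cmdlets that ship with RSAT on Windows Server 2008 R2 and later; on the Windows 2003 server in the question the same settings are made by hand in GPMC, exactly as the answer says. The domain corp.example, the group TS-RestrictedUsers and the three lockdown settings are assumptions chosen for illustration. One caveat the thread does not cover: because the GPO is linked to the Domain Controllers OU and loopback applies its user settings to anyone who logs on to that DC, the default Authenticated Users filter would lock down a Domain Admin who RDPs to the server too, so the example narrows the security filtering to the DC computer accounts plus the target user group.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy module
# (RSAT / Windows Server 2008 R2 or later). Run as a Domain Admin.
# Assumed names: domain corp.example, GPO "User restriction on server",
# user group TS-RestrictedUsers.
Import-Module GroupPolicy

$GpoName = 'User restriction on server'
$DcOu    = 'OU=Domain Controllers,DC=corp,DC=example'   # assumed domain
$Group   = 'TS-RestrictedUsers'                          # assumed group of RDP users

# 1. Create the GPO and link it to the container holding the DC / terminal server.
New-GPO -Name $GpoName -Comment 'Loopback: restrict TS/local logons on the DC' | Out-Null
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes | Out-Null

# 2. Computer Configuration > Administrative Templates > System > Group Policy >
#    "Configure user Group Policy loopback processing mode".
#    UserPolicyMode 1 = Merge (user's own GPOs plus these), 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. User Configuration settings that should apply ONLY when someone logs on
#    to this server. Three illustrative lockdowns (assumed, not from the thread).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null           # Remove Run from Start menu
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 1 | Out-Null      # Block cmd.exe (1 also blocks .bat/.cmd; use 2 if logon scripts must run)
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null  # Block regedit

# 4. Security filtering. In loopback Merge the user settings apply to every
#    user who has Apply Group Policy on this GPO, so with the default
#    "Authenticated Users" filter an administrator who RDPs to the DC is locked
#    down as well. The computer side (the loopback switch) still has to apply
#    to the DC itself, so keep the DC computer accounts in the filter.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None     | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Controllers'  -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group                -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Export the settings report for review, then verify on the server:
#    from a TS-RestrictedUsers member's RDP session run  gpresult /scope:user /r
#    and confirm the GPO is listed under "Applied Group Policy Objects"; from the
#    same user's normal workstation it must not appear.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

The test plimpias suggests (one GPO, one restricted setting) is the right way to confirm the filtering: if the setting shows up on the user's workstation, the GPO is linked too high or loopback is not enabled; if it fails to appear on the server, check that both the user and the DC's computer account have Apply Group Policy on the GPO.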
 
LVL 15

Expert Comment

by:plimpias
ID: 18818477
Please read the article, it will answer your question "what do you mean with Loopback processing?"
 

Author Comment

by:mburke3434
ID: 18821456
Plimpias,

Thanks for all your help. I am having some issues still with the deployment, but I will ask those questions with additional points. I hope you can continue to provide help.

James, your response was first, but Plimpias did provide the detail. Thank you for your response.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18821804
It's a pleasure :)
