Solved

2003 Terminal Services

Posted on 2007-03-28
13
184 Views
Last Modified: 2013-11-21
Hello all,

I have three sites A, B, & C. I have our only server in site A running both my Apps and TS. At B & C I have a site to site VPN back to site A. There are only 4 total users outside the LAN in site A so my load and performance are not issues. But running our program over the VPN and accessing the Database in Site A is very slow and I would like to have those users RDP back top site A over the VPN.

My question is if these workstations already log into the domain over the vpn will I still be able to create GPO that restricts them on the server? I have already created a container with a GPO that restricts access to anything on the server except that program shortcut on the desktop. This was used for outside people who were not ever members of my domain. Now that I want users who have rights in my domain to RDP back to the server, how do I restrict them without affecting their rights through out the rest of the domain?
0
Comment
Question by:mburke3434
  • 7
  • 3
  • 3
13 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
Comment Utility
mburke3434,

user configuration policies will follow the users everywhere they logon

Computer policies will affect just the computer,.....you have the choice of either

Regards,

James
0
 
LVL 15

Assisted Solution

by:plimpias
plimpias earned 500 total points
Comment Utility
HI mburke

Jay Jay you are correct. User follow user and computer follow computers.

But to answer your question you can setup a policy that will only take effect when users log into a specific computer.

So you apply A policy to the terminal server computer, not users. (just computer). Then you modify the user settings of the GPO. in the computer configuration you enable looback processing mode, set it to either merge meaning it will merge the other policies or replace.

This is good if someone has three terminal services and they want to restrict settings on them.

So when users log into the terminal service they get the restriction, but they are only restricted when they log into the terminal servers.


Here is more info

http://support.microsoft.com/kb/231287
0
 
LVL 48

Expert Comment

by:Jay_Jay70
Comment Utility
:) much better explanation than mine :)
0
 
LVL 15

Expert Comment

by:plimpias
Comment Utility
Well just to clarify it's not the same

Your saying user configuration follows the users everywhere
And computer policies affect the computer

Im saying you can do a policy that will affect a user on only certain computers.

So if user a logs into server a b or c, then they get a special policy that does not apply to them elsewhere, only if they log into server a b or c.
0
 

Author Comment

by:mburke3434
Comment Utility
Having one server only, will applying a restrictive GPO to the Server for those logging directly in affect the user with thiershares and such while not in the server (its also the DC)?
 (I know a 2nd server for TS is best but we have $$ restrictions right now)
0
 
LVL 15

Expert Comment

by:plimpias
Comment Utility
Hi Mburke,


If you apply a policy to the server to users with loopback processing on it will only affect users when they log into the server using terminal services or locally. It will not affect the users when they log in elsewhere, even if it is a DC.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 15

Expert Comment

by:plimpias
Comment Utility
try it out by creating one policy that restricts one setting.
0
 

Author Comment

by:mburke3434
Comment Utility
Thats what I plan to do... what do you mean with Loopback processing?

And to create a GPO on the DC for people using terminal services or local logon to that machine what is my best course of action? Do I apply the GPO to the Container for Domain Controllers?
0
 
LVL 15

Accepted Solution

by:
plimpias earned 500 total points
Comment Utility
In this case

You would apply the policy to the Domain Contollers container (you dc should only be listed in the container)

In order for you to apply settings to users with that policy you have to enable loopback processing mode.

So create a policy and call it something like, "User restriction on server"
Then edit the policy and enable loopback processing mode

Click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option (select Merge)

Then go into user configuration and setup the policies that you want to restrict when people log into the DC using terminal service or log on locally.
0
 
LVL 15

Expert Comment

by:plimpias
Comment Utility
0
 
LVL 15

Expert Comment

by:plimpias
Comment Utility
Please read the article, it will answer your question "what do you mean with Loopback processing?"
0
 

Author Comment

by:mburke3434
Comment Utility
Plimpias,

Thanks for all your help..I am having some issues still with the deployment but I will ask those questions with additional points. I hope you can continue to provide help.

James your response was first but Plimpias did provide the detail. Thank you for your response.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
Comment Utility
Its a pleasure :)
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now