johnbowden
asked on
terminal service access on a single domain server
I have a single Windows 2003 standard server running as a domain controller. I have installed terminal server licenses on it and am hoping to have it set up so that the existing users can log in through RDP to access their programs and data.
I have created a GPO for the terminal services users which is restrictive of what they can do. I'm trying to figure out how I can do this so that I can have the same users logging into the LAN and having full access to their PC and then when they are out of the office, they can still have access to their data without having full access to the server.
Apply the GPO to computer settings. If you want to do what you want with computer settings, create a policy for the server, configure user settings, then enable loopback. This won't affect them at the desktop but will at the server.
Not that you should be putting this on a DC and applying policies.
Set up another member server and use that to host terminal services. While you can put TS on a DC with Windows 2003, it is highly discouraged (in fact prohibited in SBS Server - it simply will not let you do it) as it blows your security wide open.
ASKER
Hi guys, thanks for the suggestions. Yes, I do have a reason and that is the fact that it is a small organization (10 users) and there isn't a lot of money to be spent in this area. We started off with PC Anywhere but RDP is so much faster and the users that have tried it really like it over PCA. With PCA, we had issues with machines not being left on, users sharing PCs when logging in, etc. Anyway, terminal services is the way that we want to go. Later, down the road, we may have to purchase another server to use as a terminal server.
Ok, so make the assumption that I'm going to have to make this work, I take my group policy which has both machine and user settings, where am I putting the policy?
Here is my OU:
company.ca.local
    local users
        all domain users are here
    local computers
        local computers are here
    domain controllers
        local server is here
ASKER
Ok, so I've created my TS GPO which locks down a remote user logging into the server, I've set the loopback processing mode to replace, and I've put the GPO link under the domain controllers. Now what do I do with all of the user settings that I have in that same GPO?
The user settings now apply to computers.
I know you probably have a reason for installing all of this on one server, but just so you know (and for the record), installing terminal services on a DC and using it as an application server is a BAD BAD BAD idea.
"Avoid installing Terminal Services on a domain controller for application sharing. Users or groups that access the Terminal Server must have the Log on Locally permission. If Terminal Services is installed on a domain controller, users would have the Log on Locally permission for all domain controllers within the domain. Terminal Services should only be installed on domain controllers in Remote Administration mode only. In addition, the Log on Locally permission should be granted only to administrators"
http://www.microsoft.com/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.mspx
Once again, BAD IDEA
Ok, now that I have said that a couple of times, check this article out, with some key info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247989
Danno
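Added example, not part of the thread: one way to check the "Log on Locally" concern quoted above is to export the server's security policy with `secedit /export /cfg` and list every non-administrator principal holding `SeInteractiveLogonRight`. The sample INF text, the group name `TSUsers`, and the choice to treat Domain Admins and Enterprise Admins as administrators are assumptions made for illustration.

```python
# Added example: flag non-administrator principals holding "Log on Locally"
# (SeInteractiveLogonRight) in a `secedit /export /cfg` INF dump.
import re

ADMIN_BUILTIN = {"*S-1-5-32-544"}    # BUILTIN\Administrators
ADMIN_RIDS = {"512", "519"}          # assumption: Domain/Enterprise Admins count as admins
WELL_KNOWN = {
    "*S-1-5-32-545": "BUILTIN\\Users",
    "*S-1-5-32-551": "BUILTIN\\Backup Operators",
    "*S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
DOMAIN_SID = re.compile(r"\*S-1-5-21-\d+-\d+-\d+-(\d+)")

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def is_admin(principal):
    m = DOMAIN_SID.fullmatch(principal)
    return principal in ADMIN_BUILTIN or bool(m and m.group(1) in ADMIN_RIDS)

def describe(principal):
    m = DOMAIN_SID.fullmatch(principal)
    if m and m.group(1) == "513":
        return "Domain Users " + principal
    return WELL_KNOWN.get(principal, principal)  # unresolved names pass through

def non_admin_holders(inf_text, right="SeInteractiveLogonRight"):
    holders = parse_privilege_rights(inf_text).get(right, [])
    return [describe(p) for p in holders if not is_admin(p)]

# Constructed sample (not from the thread); TSUsers is a hypothetical group name.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-512,TSUsers
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for holder in non_admin_holders(SAMPLE_INF):
        print("non-admin principal can log on locally:", holder)
```

If the exported file is UTF-16 encoded, open it with `encoding="utf-16"` before passing its text to `non_admin_holders`.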