Solved

Modification of a previous post, need to clarify

Posted on 2007-11-29
294 Views
Last Modified: 2013-12-23
I just got done reviewing the following post:
http://www.experts-exchange.com/Networking/Windows_Networking/NT/Q_20868659.html?eeSearch=true
This is what I thought might fix my issue but I wanted to clarify the differences before I shell out the money for the script editor.

My scenario is this:

We have a Windows 2003 server environment with one Windows 2003 terminal server. We run Navision Financials and just went through a rather painful, poorly planned upgrade, so we are sorting out the kinks. We were forced to install Navision on the terminal server to run as a remote application when someone logs in, because research wasn't done on whether or not the new version would run in our Windows 2000 environment. So the deal is, each person has a printer on their local machine, and when each user is in terminal server running the program they need access to this share, which, unless it is installed on the terminal server under their login, is not available.

Currently the AD contains an OU with the remote users accessing terminal server listed in there; inside this OU is a VB script that auto-launches the application and disallows any other functionality of the terminal server resources. This makes it rather inconvenient to add the shared printer after the fact, because I have to go in and remove them from the OU, put them back in the main AD directory, log in as each of the users and map their local printer. This normally would be no big deal had this upgrade been tested and planned properly, because I could have done it over the weekend without causing issues to workflow, but that is not the case.

So I am wondering: is it worth it to build a script for each of these users and map their printers that way, or should I just remove them from the OU, log in and map, put them back in the OU and go from there? We are only talking about maybe 12 users who need this to happen.

Thanks everyone for the great advice.  

DD

10 Comments
LVL 7

Expert Comment

by:djMundy
ID: 20379708
Hi DD,

Just to clarify, the purpose of the script you run is to lock down access to a single program?

I personally would go about this a different way - Group Policy.

I've locked down one of my terminal servers to only allow access to a specific list of programs using Group Policy. The policy to use is in User Configuration - Administrative Templates - System, and is called "Run only allowed Windows applications".

You apply this policy to an OU that contains the Terminal SERVER (not the user accounts) and then use the loopback policy to apply this to a group of users. See method too on this Microsoft KB article: http://support.microsoft.com/kb/260370

Important: Make sure that this policy doesn't apply to the Administrator account or you will lock yourself out! Because you have the potential to lock yourself out completely, do some testing with policies that do trivial things, like forcing a classic Start menu, to get your head around the loopback policy feature.

When a user tries to access any other program they will get a "policy violation" error message. There are other settings you'll want to tweak to further lock down the terminal server for these users - mostly in Administrative Tools - Desktop, Start Menu, and Control Panel.

If you need further clarification on any of this please ask.

Cheers,
Daniel

Author Comment

by:dawndelcastillo1
ID: 20379735
Hey there, I am in agreement, and actually I didn't choose this method; the individuals who didn't plan the migration well made this choice. I am not sure why they made the choice to lock it down, maybe for security reasons or to make it easier on the users.

All I really want to do is ensure that they can print from the application.

LVL 7

Accepted Solution

by: djMundy (earned 500 total points)
ID: 20380081
You can still lock it down, but there's no need for scripts; it can all be done from Group Policy. The "Run only allowed Windows applications" policy will stop them from running anything except the application you specify, and you can make the program auto-start by putting a shortcut in the Program Files\Startup directory on the Start menu.

"Make the solution as simple as possible, but no simpler" - easier to understand and tweak the Group Policy Objects, no need to debug complex VBScript.

Cheers,
Daniel
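An added example covering the Group Policy lockdown described in djMundy's two replies above (this is not code from the thread or from either participant). It is a PowerShell script to run on the terminal server once the GPO is in place: it reads back the registry values that "Run only allowed Windows applications" and loopback processing actually write, so you can log on as a restricted user and see the policy applied, then log on as Administrator and confirm it is not applied there, and when run unrestricted it drops the Startup shortcut the accepted answer mentions. The application path and executable name (fin.exe under Program Files\Navision) are placeholders, and PowerShell is assumed to be installed on the server. One caveat a practitioner should keep in mind: this policy is checked by Explorer when it launches a program, not enforced by the operating system, so it is a usability lockdown rather than a security boundary; Software Restriction Policies are the Windows Server 2003 feature to reach for if users must actually be prevented from running other code.

```powershell
# Added example (not the thread's script): report the lockdown policy state
# for the current user and create the auto-start shortcut.
# Placeholders/assumptions: application path and executable name below.

$AppExe  = 'C:\Program Files\Navision\fin.exe'   # assumption: placeholder path
$AppName = [System.IO.Path]::GetFileName($AppExe)

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$LoopbackPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RestrictRunState {
    # "Run only allowed Windows applications" writes RestrictRun=1 under the
    # Explorer policy key and lists the allowed exe names as values "1","2",...
    # in the RestrictRun subkey. Both live in HKCU (per user), which is why the
    # GPO linked to the server's OU has to reach the user through loopback.
    $enabled = $false
    $allowed = @()
    if (Test-Path $ExplorerPolicy) {
        $p = Get-ItemProperty -Path $ExplorerPolicy
        if ($p.RestrictRun -eq 1) { $enabled = $true }
    }
    $listKey = Join-Path $ExplorerPolicy 'RestrictRun'
    if (Test-Path $listKey) {
        $k = Get-Item $listKey
        foreach ($n in $k.GetValueNames()) { $allowed += $k.GetValue($n) }
    }
    # Loopback processing mode is machine-wide under HKLM: 1 = Merge, 2 = Replace.
    $mode = 'not configured'
    if (Test-Path $LoopbackPolicy) {
        switch ((Get-ItemProperty -Path $LoopbackPolicy).UserPolicyMode) {
            1 { $mode = 'Merge' }
            2 { $mode = 'Replace' }
        }
    }
    return @{ Enabled = $enabled; Allowed = $allowed; LoopbackMode = $mode }
}

function New-AutoStartShortcut {
    # A shortcut in the All Users Startup folder launches the application at
    # logon. Explorer resolves the .lnk and applies the RestrictRun check to
    # the target exe, so the exe name must be on the allowed list.
    $wsh = New-Object -ComObject WScript.Shell
    $startup = $wsh.SpecialFolders.Item('AllUsersStartup')
    $lnk = $wsh.CreateShortcut((Join-Path $startup 'Navision.lnk'))
    $lnk.TargetPath = $AppExe
    $lnk.WorkingDirectory = Split-Path $AppExe
    $lnk.Save()
}

$state = Get-RestrictRunState
"User:             $env:USERNAME"
"Loopback mode:    $($state.LoopbackMode)"
"RestrictRun:      $(if ($state.Enabled) { 'enabled' } else { 'not applied' })"
"Allowed programs: $($state.Allowed -join ', ')"

if ($state.Enabled -and -not ($state.Allowed -contains $AppName)) {
    Write-Warning "$AppName is not on the allowed list; users will hit 'policy violation' at logon"
}
if ($state.Enabled -and $env:USERNAME -eq 'Administrator') {
    Write-Warning "Policy applies to Administrator: fix the GPO security filtering before logging off"
}
# Only an unrestricted (administrative) logon can write to All Users\Startup.
if (-not $state.Enabled) { New-AutoStartShortcut }
```

Run it first from an administrative session to create the shortcut and to confirm the policy is not applied to you, then from a session of one of the restricted users, where it should report RestrictRun enabled and the Navision executable on the allowed list. If `gpresult` shows the GPO applied but the HKCU values are missing, loopback is the usual culprit.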

Author Comment

by:dawndelcastillo1
ID: 20383868
DJMundy:

Cheers back at you. Will this allow me to map printers, though, since this is the actual problem? The printers on their machines are shared locally and I need to be able to map them back to them within the terminal server session.

Honestly, I am really excited to look into this solution; the way the guys set this OU thing up with users has proved rather tedious at best, since I have to remove each user from the group and put them back in the main users section, log in to the terminal, do what I need to do and put them back in the group before they can run the program in question.

Thank you so much, you have been so helpful and insightful.

DD

LVL 3

Expert Comment

by:top_gizmo
ID: 20386678
Are you using RDP?

If you are using a terminal server and you want the local drives to come over, you can just check the 'printer' box in the RDP options and they will be brought over.

Author Comment

by:dawndelcastillo1
ID: 20386963
We are indeed using RDP. I will log in and see if I can bypass the auto application launch for each user.

Thanks for that, that could make this quite simple.
LVL 3

Expert Comment

by:top_gizmo
ID: 20387940
You can save the config. RDP will look for a hidden file called default.rdp in the current user's My Documents. This file does not exist unless a config has been saved. If checking the printers box works, you can save a config and have a logon script copy it to the users' My Documents.
LVL 7

Expert Comment

by:djMundy
ID: 20399430
Hi DD,

I understand the PCs have local printers. Are the PCs in the same local network as the terminal server? If so you can just map the shared printers from a login script, details here:

Windows XP: http://support.microsoft.com/kb/314486/
Windows 2000: http://support.microsoft.com/kb/189105/

If the PCs are in a different network (eg. connecting to the terminal server over the Internet) then the printer should be mapped automatically as long as the driver is installed on the server. See "automatic printer redirection" in the following link (MS Word document):

http://www.microsoft.com/windowsserver2003/techinfo/overview/tsprint.mspx

Cheers,
Daniel
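An added example that ties together the three printer suggestions above (top_gizmo's RDP "printer" check box and saved default.rdp, and djMundy's logon-script mapping of the shared printer); it is not code from the thread or from any participant. It is one per-user logon script, assigned to the users in AD so it runs wherever they log on, which branches on where it finds itself: on the workstation it seeds the hidden Default.rdp in My Documents with printer redirection turned on, so nobody has to tick the box by hand; inside a terminal server session it maps the printer the user's own PC shares back to that PC, using the CLIENTNAME variable the session provides. The terminal server name and the printer share name are placeholders and assume each PC publishes its printer under the same share name; as djMundy notes, the printer driver must already be installed on the terminal server, and PowerShell is assumed to be installed on both the workstations and the server.

```powershell
# Added example, not the thread's script: one per-user logon script that does
# the two things the replies describe, depending on where the user logged on.
# Names below are placeholders (assumptions), not from the original post.

$TsServer     = 'ts01.corp.example'   # assumption: the terminal server
$PrinterShare = 'LocalPrinter'        # assumption: share name each PC uses for its printer
$RdpFile      = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'

function Set-RdpDefaults {
    # mstsc stores last-used settings in the hidden Default.rdp in My Documents,
    # but only after the user saves them. Seeding it turns on "Printers" under
    # Local Resources for everyone. An existing file is left alone so that
    # settings a user saved deliberately are not overwritten.
    if ([System.IO.File]::Exists($RdpFile)) { return }
    $lines = @(
        "full address:s:$TsServer",
        'redirectprinters:i:1',    # the "printer" check box in the RDP client
        'redirectdrives:i:0'       # keep local drives out of the session
    )
    # mstsc writes .rdp files as Unicode text; match that.
    Set-Content -Path $RdpFile -Value $lines -Encoding Unicode
    (Get-Item $RdpFile).Attributes = 'Hidden'
}

function Connect-HomePrinter {
    # Inside a terminal session CLIENTNAME holds the workstation the user came
    # from. Map the printer that PC shares so the application running on the
    # terminal server can print to it, and make it the session default.
    if (-not $env:CLIENTNAME) { return }
    $unc = "\\$env:CLIENTNAME\$PrinterShare"
    $net = New-Object -ComObject WScript.Network
    $net.AddWindowsPrinterConnection($unc)
    $net.SetDefaultPrinter($unc)
}

# RDP-Tcp#n identifies a terminal server session; the workstation logon is "Console".
if ($env:SESSIONNAME -like 'RDP-Tcp*') {
    Connect-HomePrinter     # logon inside the terminal server session
} else {
    Set-RdpDefaults         # everyday logon on the user's own PC
}
```

With printer redirection in Default.rdp the terminal server will normally create the redirected printer itself (the "automatic printer redirection" djMundy links to), so the explicit UNC mapping is the fallback for PCs whose printer the server cannot redirect, typically because the driver is missing on the server; watch the System event log on the terminal server for the driver-not-installed warnings after the first logons.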

Author Comment

by:dawndelcastillo1
ID: 20400886
djMundy:

Well, the answer to your question is yes, the machines are all on the same local network, but here is the issue. Everyone logs on to a PDC for their everyday work, and when they want to run the accounting package they have to run it from terminal server. This means they have a terminal server connection open and minimized on their desktops during the day and go back and forth between environments.

I am guessing that the check box for map local printer will work, since most people have the same printers and the drivers are on both servers.

I will try the login script next time I am out there, which is Thursday.

Stay tuned.
Cheers back at ya,
DD

Author Closing Comment

by:dawndelcastillo1
ID: 31411857
As usual, saved my bacon.