Solved

Modification of a previous post, need to clarify

Posted on 2007-11-29
Last Modified: 2013-12-23
I just got done reviewing the following post:
http://www.experts-exchange.com/Networking/Windows_Networking/NT/Q_20868659.html?eeSearch=true
This is what I thought might fix my issue but I wanted to clarify the differences before I shell out the money for the script editor.

My scenario is this:

We have a Windows 2003 server environment with one Windows 2003 terminal server. We run Navision Financials and just went through a rather painful, poorly planned upgrade, so we are sorting out the kinks. We were forced to install Navision on the terminal server to run as a remote application when someone logs in, because research wasn't done on whether or not the new version would run in our Windows 2000 environment. So the deal is each person has a printer on their local machine, and when each user is in terminal server running the program they need access to this share, which, unless it is installed on the terminal server under their login, is not available.

Currently the AD contains an OU with the remote users accessing terminal server listed in there; inside this OU is a VB script that auto-launches the application and disallows any other functionality of the terminal server resources. This makes it rather inconvenient to add the shared printer after the fact, because I have to go in and remove them from the OU, put them back in the main AD directory, log in as each of the users and map their local printer. This normally would be no big deal had this upgrade been tested and planned properly, because I could have done it over the weekend without causing issues to workflow, but that is not the case.

So I am wondering is it worth it to build a script for each of these users and map their printers that way or should I just remove them from the OU, login and map, put them back in the OU and go from there.  We are only talking about maybe 12 users who need this to happen.  

Thanks everyone for the great advice.  

DD

Question by: dawndelcastillo1

10 Comments
 
Expert Comment by djMundy (LVL 7)
Hi DD,

Just to clarify, the purpose of the script you run is to lock down access to a single program?

I personally would go about this a different way - Group Policy.

I've locked down one of my terminal servers to only allow access to a specific list of programs using Group Policy. The policy to use is in User Configuration - Administrative Templates - System, and is called "Run only allowed Windows applications".

You apply this policy to an OU that contains the Terminal SERVER (not the user accounts) and then use the loopback policy to apply this to a group of users. See also the method in this Microsoft KB article: http://support.microsoft.com/kb/260370

Important: Make sure that this policy doesn't apply to the Administrator account or you will lock yourself out! Because you have the potential to lock yourself out completely, do some testing with policies that do trivial things, like forcing a classic Start menu, to get your head around the loopback policy feature.

When a user tries to access any other program they will get a "policy violation" error message. There are other settings you'll want to tweak to further lock down the terminal server for these users - mostly in Administrative Tools - Desktop, Start Menu, and Control Panel.

If you need further clarification on any of this please ask.

Cheers,
Daniel
0
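Added example (editor's, not Daniel's or anyone else's in the thread): a VBScript to run inside a session on the terminal server that reports whether loopback processing and "Run only allowed Windows applications" are actually in effect for that user, lists the allowed executables, and warns when the token holds BUILTIN\Administrators, which is the lockout case above. It reads the registry values those two policies write (HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode and the RestrictRun value and subkey under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) and shells out to whoami /groups, which is assumed to be present (it ships with Windows Server 2003). One caveat: RestrictRun is enforced by the Explorer shell, so it stops users launching programs from the Start menu or Explorer, but a process started by the allowed application itself, or by a script, is not blocked; treat it as a usability lockdown rather than a security boundary, and use Software Restriction Policies where enforcement matters.

```vbscript
' Added example (editor's, not from the thread): audit the lockdown policies
' for the current session on the terminal server. Run with cscript as a test
' user, then again as Administrator, before widening the GPO's scope.
Option Explicit

Const HKEY_CURRENT_USER  = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
' Keys written by the two policies discussed above
Const EXPLORER_POLICY = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Const LOOPBACK_KEY    = "SOFTWARE\Policies\Microsoft\Windows\System"

Dim reg, shell, net
Set reg   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")

' 1. Loopback processing mode (set by the GPO linked to the server's OU)
Dim mode
If reg.GetDWORDValue(HKEY_LOCAL_MACHINE, LOOPBACK_KEY, "UserPolicyMode", mode) <> 0 Then
    WScript.Echo "Loopback processing: not configured"
ElseIf mode = 1 Then
    WScript.Echo "Loopback processing: Merge (user's own GPOs, then the server OU's user settings)"
ElseIf mode = 2 Then
    WScript.Echo "Loopback processing: Replace (only the server OU's user settings apply)"
Else
    WScript.Echo "Loopback processing: unexpected UserPolicyMode value " & mode
End If

' 2. "Run only allowed Windows applications" as applied to this user
Dim restrict
If reg.GetDWORDValue(HKEY_CURRENT_USER, EXPLORER_POLICY, "RestrictRun", restrict) <> 0 Then restrict = 0
If restrict <> 1 Then
    WScript.Echo "RestrictRun: not in effect for " & net.UserName
    WScript.Quit 0
End If

Dim names, types, i, exe
WScript.Echo "RestrictRun: in effect for " & net.UserName & ". Allowed programs:"
If reg.EnumValues(HKEY_CURRENT_USER, EXPLORER_POLICY & "\RestrictRun", names, types) = 0 _
   And Not IsNull(names) Then
    For i = 0 To UBound(names)
        reg.GetStringValue HKEY_CURRENT_USER, EXPLORER_POLICY & "\RestrictRun", names(i), exe
        WScript.Echo "  " & names(i) & " = " & exe
    Next
Else
    WScript.Echo "  (empty list: the shell will refuse to start anything)"
End If

' 3. Lockout check: if this token holds BUILTIN\Administrators (S-1-5-32-544)
'    the policy is biting an admin, who then cannot open gpmc from the shell.
'    whoami.exe is assumed present (it ships with Windows Server 2003).
Dim groups
On Error Resume Next
groups = shell.Exec("whoami /groups").StdOut.ReadAll
On Error GoTo 0
If InStr(groups, "S-1-5-32-544") > 0 Then
    WScript.Echo "WARNING: " & net.UserName & " is an administrator and is restricted by this policy"
End If
```

Run it from a command prompt with cscript so the output stays in the console; if the policy is already biting, cscript itself may have to be started from an allowed program or a different logon.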
 

Author Comment by dawndelcastillo1
Hey there, I am in agreement, and actually I didn't choose this method; the individuals who didn't plan the migration well made this choice. I am not sure why they made the choice to lock it down, maybe for security reasons or to make it easier on the users.

All I really want to do is ensure that they can print from the application.

0
 
Accepted Solution by djMundy (LVL 7), earned 500 total points
You can still lock it down but there's no need for scripts, it can all be done from Group Policy. The "Run only allowed Windows applications" policy will stop them from running anything except the application you specify, and you can make the program auto-start by putting a shortcut in the Program Files\Startup directory on the start menu.

"Make the solution as simple as possible, but no simpler" - easier to understand and tweak the Group Policy Objects, no need to debug complex VBScript.

Cheers,
Daniel
0
 

Author Comment by dawndelcastillo1
DJMundy:

Cheers back at you. Will this allow me to map printers though, since this is the actual problem? The printers on their machines are shared locally and I need to be able to map them back to them within the terminal server session.

Honestly, I am really excited to look into this solution; the way the guys set this OU thing up with users has proved rather tedious at best, since I have to remove each user from the group and put them back in the main users section, log in to the terminal, do what I need to do and put them back in the group before they can run the program in question.

Thank you so much, you have been so helpful and insightful.

DD

0
 
Expert Comment by top_gizmo (LVL 3)
Are you using RDP?

If you are using a terminal server and you want the local drives to come over, you can just check the 'printer' box in the RDP options and they will be brought over.
0

Author Comment by dawndelcastillo1
We are indeed using RDP; I will log in and see if I can bypass the auto application launch for each user.

Thanks for that, that could make this quite simple.
0
 
Expert Comment by top_gizmo (LVL 3)
You can save the config. RDP will look for a hidden file called default.rdp in the current user's My Documents. This file does not exist unless a config has been saved. If checking the printers box works, you can save a config and have a logon script copy it to the users' My Documents.
0
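Added example (editor's, not top_gizmo's): a VBScript logon script for the workstations that writes the hidden Default.rdp that mstsc reads from My Documents, with printer redirection turned on and drive, COM port and smart card redirection turned off (redirecting drives would expose each user's local disks to the server session, which this scenario does not need). The server name TSERVER01 is a placeholder. mstsc saves its own .rdp files as UTF-16, so the script writes the file the same way, and it clears the Hidden attribute on any existing copy first so the rewrite is not refused. Copying a pre-saved Default.rdp, as the comment suggests, works just as well; generating it keeps the settings readable in the script. The terminal server side must also not have the "Do not allow client printer redirection" Terminal Services policy set, or the box is ignored.

```vbscript
' Added example (editor's, not from the thread): workstation logon script that
' writes the hidden Default.rdp mstsc reads from My Documents, so every user
' connects with printer redirection on and the other redirections off.
Option Explicit

Const TERMINAL_SERVER = "TSERVER01"   ' placeholder, not a name from the thread
Const HIDDEN = 2                      ' FileSystemObject attribute bit

Dim fso, shell, path, existing, rdp
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
path = fso.BuildPath(shell.SpecialFolders("MyDocuments"), "Default.rdp")

' mstsc saves Default.rdp hidden; clear that so the rewrite is not refused
If fso.FileExists(path) Then
    Set existing = fso.GetFile(path)
    existing.Attributes = 0
End If

' mstsc writes its own .rdp files as UTF-16, so do the same (third arg = unicode)
Set rdp = fso.CreateTextFile(path, True, True)
rdp.WriteLine "full address:s:" & TERMINAL_SERVER
rdp.WriteLine "screen mode id:i:2"          ' full screen
rdp.WriteLine "redirectprinters:i:1"        ' the 'printers' box under Local Resources
rdp.WriteLine "redirectdrives:i:0"          ' local disks stay off the server
rdp.WriteLine "redirectcomports:i:0"
rdp.WriteLine "redirectsmartcards:i:0"
rdp.WriteLine "disable wallpaper:i:1"
rdp.Close

' Restore the hidden attribute mstsc itself uses
Set existing = fso.GetFile(path)
existing.Attributes = HIDDEN
WScript.Echo "Wrote " & path & " with printer redirection enabled"
```

Assign the script as the users' logon script in the domain (or run it from a Windows 2000/XP logon batch file with cscript); each logon then refreshes Default.rdp, so a user who later unticks the printers box gets it back next morning.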
 
Expert Comment by djMundy (LVL 7)
Hi DD,

I understand the PCs have local printers. Are the PCs in the same local network as the terminal server? If so you can just map the shared printers from a login script, details here:

Windows XP: http://support.microsoft.com/kb/314486/
Windows 2000: http://support.microsoft.com/kb/189105/

If the PCs are in a different network (eg. connecting to the terminal server over the Internet) then the printer should be mapped automatically as long as the driver is installed on the server. See "automatic printer redirection" in the following link (MS Word document):

http://www.microsoft.com/windowsserver2003/techinfo/overview/tsprint.mspx

Cheers,
Daniel
0
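Added example (editor's, not Daniel's script): a VBScript logon script for the terminal server that maps the printer shared on the workstation the user is connecting from, which is the same-LAN case in the comment above. Inside a terminal session Windows sets the CLIENTNAME environment variable to the client's computer name, so the script builds \\CLIENTNAME\share without a per-user table. The share names in the list are placeholders (the assumption is that the local printers are shared under one of a few known names); the driver still has to be installed on the terminal server, and the user's domain account must have permission on the share on their own PC. When the script runs on an ordinary workstation logon, CLIENTNAME is unset and it exits without doing anything.

```vbscript
' Added example (editor's, not Daniel's script): logon script for the
' terminal server that maps the printer shared on the connecting workstation.
Option Explicit

' Share names the workstations publish their printer under (placeholders)
Dim candidates
candidates = Array("HPLJ", "OfficePrinter")

Dim shell, net, client, share, unc, mapped
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")

' Terminal Services sets CLIENTNAME to the client's computer name;
' ExpandEnvironmentStrings returns the text unchanged if it is unset.
client = shell.ExpandEnvironmentStrings("%CLIENTNAME%")
If client = "%CLIENTNAME%" Or client = "" Then
    WScript.Echo "No CLIENTNAME: not a terminal session, nothing to map"
    WScript.Quit 0
End If

mapped = False
On Error Resume Next
For Each share In candidates
    unc = "\\" & client & "\" & share
    Err.Clear
    net.AddWindowsPrinterConnection unc   ' needs the driver on the server
    If Err.Number = 0 Then
        net.SetDefaultPrinter unc
        WScript.Echo "Mapped " & unc
        mapped = True
        Exit For
    End If
Next
On Error GoTo 0

If Not mapped Then
    WScript.Echo "No printer share found on " & client & " (tried " & Join(candidates, ", ") & ")"
End If
```

Because the mapping is made from the server, the connection is stored in the user's terminal server profile; with roaming profiles it persists, otherwise the script simply re-creates it at each logon.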
 

Author Comment by dawndelcastillo1
djMundy:

Well, the answer to your question is yes, the machines are all on the same local network, but here is the issue. Everyone logs onto a PDC for their everyday work, and when they want to run the accounting package they have to run it from terminal server. This means they have a terminal server connection open and minimized on their desktops during the day and go back and forth between environments.

I am guessing that the check box for map local printer will work, since most people have the same printers and the drivers are on both servers.

I will try the login script next time I am out there, which is Thursday.

Stay tuned.
Cheers back at ya,
DD
0
 

Author Closing Comment by dawndelcastillo1
As usual, saved my bacon.
0
