Solved

Lock down Windows 2003 Terminal Server but not lock down domain accounts

Posted on 2008-06-25
Last Modified: 2010-04-21
I have a client that has a Windows 2003 Terminal Server. They have both local user accounts and domain user accounts. They want to lock down the server to only run their accounting package for their local accounts but not prohibit any functionality for their domain user accounts. There aren't a whole lot of lockdown features in the local policies, so I am a little stumped. I was toying with the idea of creating a GPO and denying the policy to domain users. Not sure if that will work or not. Need some advice.
Question by:PCgod2004
 
LVL 8

Expert Comment

by:LKaushal
ID: 21867335
I think this is the only way, as a 'Machine' policy will restrict or allow all users, so only a User policy is what you could configure; however, it will apply to all users unless you apply the policy at the OU level to allow or permit.
 

Author Comment

by:PCgod2004
ID: 21867429
Will a domain machine policy apply when users log in with local accounts? I was thinking about creating a Machine GPO and denying the Domain Users account. Do you think that domain users will still have free roam but the machine policy will prohibit local user accounts?
 
LVL 24

Expert Comment

by:ryansoto
ID: 21868290
Why not allow them to log on as a domain account and just restrict what they can do on the server via GPO?
My users can only log into our TS and run accounting software and view mapped drives.
I could take away the mapped drives and all icons on the desktop except the accounting software. Essentially they would only be able to run the application and that's it.

It would be safer to use domain credentials for logging in than a local account. Bad idea IMO
 

Author Comment

by:PCgod2004
ID: 21868507
Not really my choice, it's the customer's. I have since convinced them to use a Domain GPO with domain account. Thanks for all your comments but the issue has been resolved.
 
LVL 24

Accepted Solution

by:
ryansoto earned 500 total points
ID: 21868525
Sure - don't forget to close the question
 

Author Closing Comment

by:PCgod2004
ID: 31470590
use a Domain GPO with domain account
Question has a verified solution.
