Solved

Lock down Windows 2003 Terminal Server but not lock down domain accounts

Posted on 2008-06-25
6
756 Views
Last Modified: 2010-04-21
I have a client that has a Windows 2003 Terminal Server.  They have both local users accounts and domain users accounts.  They want to lock down the server to only run their accounting package for their local accounts but not prohibit any functionality to their domain users account.  There aren't a whole lot of lockdown features on the local policies, so I am a little stumped.  I was toying with the idea of creating a GPO and denying the policy to domain users.  Not sure if that will work or not.  Need some advice.
0
Comment
Question by:PCgod2004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 8

Expert Comment

by:LKaushal
ID: 21867335
I think this is te only way as 'Machine' policy will restirct or allow all users, co only User policy what you could configure, however, it will apply to all user unless you apply policy on OU level to allow or permit.
0
 

Author Comment

by:PCgod2004
ID: 21867429
will a domain machine policy apply when users log in with local accounts?  I was thinking about creating a Machine GPO and denying the Domain Users account.  Do you think that domain users will still have free roam but the machine policy will prohibit local user account?
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21868290
Why not allow them to log on as a domain account and just restrict what they can do on the server via GPO?
My users can only log into our TS and run accounting software and view mapped drives.
I could take away the mapped drives and all icons on the desktop except the accounting software.  Essentially they would only be able to run the application and thats it.

It would be safer to use domain credentials for logging in then a local account.  Bad idea IMO
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 

Author Comment

by:PCgod2004
ID: 21868507
Not really my choice it's the customers.  I have since convinced them to use a Domain GPO with domain account.  Thanks for all your comments but the issue has been resolved.
0
 
LVL 24

Accepted Solution

by:
ryansoto earned 500 total points
ID: 21868525
Sure - dont forget to close the question
0
 

Author Closing Comment

by:PCgod2004
ID: 31470590
use a Domain GPO with domain account
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question