Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Lock down Windows 2003 Terminal Server but not lock down domain accounts

Posted on 2008-06-25
6
Medium Priority
?
759 Views
Last Modified: 2010-04-21
I have a client that has a Windows 2003 Terminal Server.  They have both local users accounts and domain users accounts.  They want to lock down the server to only run their accounting package for their local accounts but not prohibit any functionality to their domain users account.  There aren't a whole lot of lockdown features on the local policies, so I am a little stumped.  I was toying with the idea of creating a GPO and denying the policy to domain users.  Not sure if that will work or not.  Need some advice.
0
Comment
Question by:PCgod2004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 8

Expert Comment

by:LKaushal
ID: 21867335
I think this is te only way as 'Machine' policy will restirct or allow all users, co only User policy what you could configure, however, it will apply to all user unless you apply policy on OU level to allow or permit.
0
 

Author Comment

by:PCgod2004
ID: 21867429
will a domain machine policy apply when users log in with local accounts?  I was thinking about creating a Machine GPO and denying the Domain Users account.  Do you think that domain users will still have free roam but the machine policy will prohibit local user account?
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21868290
Why not allow them to log on as a domain account and just restrict what they can do on the server via GPO?
My users can only log into our TS and run accounting software and view mapped drives.
I could take away the mapped drives and all icons on the desktop except the accounting software.  Essentially they would only be able to run the application and thats it.

It would be safer to use domain credentials for logging in then a local account.  Bad idea IMO
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:PCgod2004
ID: 21868507
Not really my choice it's the customers.  I have since convinced them to use a Domain GPO with domain account.  Thanks for all your comments but the issue has been resolved.
0
 
LVL 24

Accepted Solution

by:
ryansoto earned 1500 total points
ID: 21868525
Sure - dont forget to close the question
0
 

Author Closing Comment

by:PCgod2004
ID: 31470590
use a Domain GPO with domain account
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out what's been happening in the Experts Exchange community.
What we learned in Webroot's webinar on multi-vector protection.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question