Solved

Creating desktop restrictions only on the terminal server

Posted on 2008-10-14
Last Modified: 2013-11-21
At the company that I work for, we have recently opened up a new facility.  All the files that are used are still stored at the old building.  We have implemented a Terminal Server solution (2X Application Server) to make the bandwidth going back and forth across the pipe to be as small as possible for speed.  We want to create a desktop that some of your folks can open but want to have restrictions on what they can do.  The main thing would be not to shut down the server when they go to log off.  Is there any way that this can be done on the server and not through AD?  We don't want the functionality of their PC to be any different than they currently are, just when they are using the published desktop, to be limited.  Thanks for the help.
Question by:ticgums
 
LVL 6

Expert Comment

by:Leon Teale
Hello there,

I know you said that you do not want to do it via Active Directory, but it is really easy and simpler to use.

How many machines do you have for load balancing for your TS? Or is it just the one?

If that is the case, why not log onto the server and change some settings in 'gpedit.msc'? That way it will create a local policy for anyone with a desktop on that machine.

I currently use Citrix, and with this I use AD to assign policies and have a Citrix users group.
If you would like any help on setting up a policy to do this, let me know.
 

Author Comment

by:ticgums
We have 2 for load balancing.  I don't want to use AD because I only want the setting to be pertinent while using the TS.  Unless there is a way to do this that the only thing affected would be the TS desktop.

I'll probably take a look at gpedit.msc

Thanks
 
LVL 6

Expert Comment

by:Leon Teale
GPEDIT.msc is just group policy for the local machine... this is my mistake if I was getting you confused. I meant more of using the group policy on your domain controller to apply a policy to the TS machines and/or the users (in a group) that use them.

But for what you are wanting, GPEDIT.msc should do the trick ;)

Any problems and I'll help you out.
 

Author Comment

by:ticgums
Well, I could just configure the TS Servers with the GPEDIT.msc and that way it would only affect the users when they log on or off the TS Server Desktop.  How does it work for Admins?  Are the credentials for Domain admins affected the same way?
 
LVL 6

Expert Comment

by:Leon Teale
Unfortunately yes, it will affect everyone... as it is applying it to the machine, which is why I also suggested the group policy on your DC... as this way you can assign it to whomever you wish. I'm sure you are familiar with group policy... it is exactly the same as GPEDIT, only applied to users and not machines, so to speak.

(Yes, you can configure it so that policy will only affect the users when they log on to the TS desktop and not when they are logged on to their normal machines on the network) :D
 

Author Comment

by:ticgums
Any help on that would be appreciated

Thanks

"(Yes, you can configure it so that policy will only affect the users when they log on to the TS desktop and not when they are logged on to their normal machines on the network) :D"
 
LVL 6

Accepted Solution

by:
Leon Teale earned 250 total points
OK then, first things first...

On your domain controller, open up 'Group Policy Management' and open up AD.
Just in the event you have not done so already, create an OU and inside that add in both of your TS machines.

My OU is named Citrix Servers and inside that I have CTX1, CTX2, CTX3.

On the Group Policy Management Console you should now see the OU (Citrix OU) under your domain name.

Right click the OU and click 'create and link GPO here..' or something along those lines.

This will now bring up the group policy, which I am sure you are familiar with.

Do you need any help setting these settings? Or are you OK?

This will now only apply to anyone logging onto the TS machines, as they are the only things in the OU as assigned in AD.

When you have created the 'Group Policy', look for the 'security filter'. In here should already be a user/group called 'Authenticated Users'. Remove it, you don't need it.
Now 'Add' your own group. This will be a group of users which will log on to Citrix. Or you could apply it to '*everyone' and make the domain admins exempt. If you don't know how to do this, let me know.

Leon
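
The steps in the accepted answer, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example that is not part of the original post. The domain, OU, GPO, group and server names are hypothetical; the script also assumes loopback processing is enabled so that user settings in a GPO linked to a computer OU apply at logon on those servers, and it leaves Authenticated Users with Read instead of removing the entry outright.

```powershell
# Added example, not from the thread. All names are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDn  = 'DC=example,DC=com'       # hypothetical domain
$ouName    = 'Terminal Servers'        # hypothetical OU name
$ouDn      = "OU=$ouName,$domainDn"
$gpoName   = 'TS Desktop Lockdown'     # hypothetical GPO name
$userGroup = 'TS Desktop Users'        # hypothetical group of published-desktop users
$servers   = 'TS1', 'TS2'              # hypothetical terminal server names

# 1. Create the OU and move both terminal servers into it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
foreach ($name in $servers) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ouDn
}

# 2. Create the GPO and link it to the OU (linked, not enforced).
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced No | Out-Null

# 3. User setting: "Remove and prevent access to the Shut Down command".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 4. Computer setting: loopback processing in Merge mode (1; Replace is 2).
#    Without it, user settings in a GPO linked only to a computer OU are not
#    applied to users whose accounts live in other OUs.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 5. Security filtering: only the user group gets Apply. Authenticated Users
#    is reduced to Read so the server computer accounts can still read the
#    GPO; admins outside $userGroup are then not restricted.
Set-GPPermission -Name $gpoName -TargetName $userGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 6. Confirm the link and the resulting permissions.
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty GpoLinks
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

After it runs, `gpupdate /force` on each terminal server followed by a fresh user logon picks up the new policy.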


 
LVL 2

Expert Comment

by:CPAsAdmin
Here is a Microsoft link to lock down a terminal server with group policy. You may not need or want all of the options, but they are all there for your reference.

http://support.microsoft.com/kb/278295
 

Author Comment

by:ticgums
Alright, I made my changes to AD (or at least I thought that I did) but the new settings don't seem to be taking effect.  Is there something that I am missing?

Created OU, moved the TS Servers into the new OU, set up my restriction.

What did I miss? Thanks.
 
LVL 6

Expert Comment

by:Leon Teale
Did you add the group or specific users into the 'security filter' bit at bottom right of the GPMC?
 

Author Comment

by:ticgums
I fixed the problem...learned that you need to actually apply the GP to take effect.
 
LVL 6

Expert Comment

by:Leon Teale
Yes, sorry, I forgot to mention that part :P

It was the next question I would have asked, though.
Make sure it is 'linked' to the OU and not 'Enforced'.

Major difference.
