• Status: Solved

Creating desktop restrictions only on the terminal server

At the company that I work for, we have recently opened up a new facility.  All the files that are used are still stored at the old building.  We have implemented a Terminal Server solution (2X Application Server) to make the bandwidth going back and forth across the pipe as small as possible for speed.  We want to create a desktop that some of your folks can open but want to have restrictions on what they can do.  The main thing would be not to shut down the server when they go to log off.  Is there any way that this can be done on the server and not through AD?  We don't want the functionality of their PCs to be any different than they currently are, just when they are using the published desktop, to be limited.  Thanks for the help.
Asked by: ticgums
1 Solution
 
Leon Teale (Penetration Tester) Commented:
Hello there,

I know you said that you do not want to do it via Active Directory, but it is really easy and simpler to use.

How many machines do you have for load balancing for your TS? Or is it just the one?

If that is the case, why not log onto the server and change some settings in 'gpedit.msc'? That way it will create a local policy for anyone with a desktop on that machine.

I currently use Citrix, and with this I use AD to assign policies and have a Citrix users group.
If you would like any help on setting up a policy to do this, let me know.
 
ticgums (Author) Commented:
We have 2 for load balancing.  I don't want to use AD because I only want the setting to be pertinent while using the TS.  Unless there is a way to do this that the only thing affected would be the TS desktop.

I'll probably take a look at gpedit.msc

Thanks
 
Leon Teale (Penetration Tester) Commented:
GPEDIT.msc is just group policy for the local machine. This is my mistake if I was getting you confused; I meant more of using the group policy on your domain controller to apply a policy to the TS machines and/or the users (in a group) that use them.

But for what you are wanting, GPEDIT.msc should do the trick ;)

Any problems and I'll help you out.
 
ticgums (Author) Commented:
Well, I could just configure the TS Servers with GPEDIT.msc, and that way it would only affect the users when they log on or off the TS Server Desktop.  How does it work for Admins?  Are the credentials for Domain admins affected the same way?
 
Leon Teale (Penetration Tester) Commented:
Unfortunately yes, it will affect everyone, as it is applying it to the machine, which is why I also suggested the group policy on your DC, as this way you can assign it to whomever you wish. I'm sure you are familiar with group policy; it is exactly the same as GPEDIT, only applied to users and not machines, so to speak.

(Yes, you can configure it so that policy will only affect the users when they log on to the TS desktop and not when they are logged on to their normal machines on the network) :D
 
ticgums (Author) Commented:
Any help on that would be appreciated

Thanks

"(Yes, you can configure it so that policy will only affect the users when they log on to the TS desktop and not when they are logged on to their normal machines on the network) :D"
 
Leon Teale (Penetration Tester) Commented:
OK then, first things first...

On your domain controller, open up 'Group Policy Management' and open up AD.
Just in the event you have not done so already, create an OU and inside that add in both of your TS machines.

My OU is named Citrix Servers and inside that I have CTX1, CTX2, CTX3.

On the Group Policy Management console you should now see the OU (Citrix OU) under your domain name.

Right click the OU and click 'create and link GPO here..' or something along those lines.

This will now bring up the group policy, which I am sure you are familiar with.

Do you need any help setting these settings? Or are you OK?

This will now only apply to anyone logging onto the TS machines, as they are the only things in the OU as assigned in AD.

When you have created the 'Group Policy', look for the 'security filter'. In here should already be a user/group called 'Authenticated Users'. Remove it; you don't need it.
Now 'Add' your own group. This will be a group of users which will log on to Citrix. Or you could apply it to '*everyone' and make the domain admins exempt. If you don't know how to do this, let me know.

Leon
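
The steps in the answer above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original thread. The OU, GPO, group and server names are placeholders, and the NoClose and loopback (UserPolicyMode) registry policies are additions the thread does not name: user-side settings in a GPO linked to an OU that holds only computer accounts are processed for users of those machines through loopback.

```powershell
# Added example, not from the thread. Run from an admin workstation or DC with RSAT.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Terminal Servers'      # placeholder OU name
$gpoName  = 'TS Desktop Lockdown'   # placeholder GPO name
$tsGroup  = 'TS Desktop Users'      # placeholder group of published-desktop users
$servers  = 'TS01', 'TS02'          # placeholder names for the two TS machines
$ou       = "OU=$ouName,$domainDn"

# 1. Create the OU if needed and move the terminal server computer accounts into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($name in $servers) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $ou
}

# 2. Create the GPO and link it to the OU: link enabled, not enforced.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -Enforced No | Out-Null

# 3. User-side restriction: remove Shut Down / Restart from the desktop (NoClose).
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 -ValueName 'NoClose' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' | Out-Null

# 4. Loopback in Replace mode (2): on these servers only, user settings come from
#    GPOs in the servers' scope, so the users' own PCs are unaffected.
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 2 -ValueName 'UserPolicyMode' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' | Out-Null

# 5. Security filtering: drop Authenticated Users, then let the user group apply
#    the GPO. The servers must also apply it, or the loopback setting never takes
#    effect. Admins outside $tsGroup do not receive the user-side restriction.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
foreach ($name in $servers) {
    Set-GPPermission -Name $gpoName -TargetName $name -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null
}

# 6. Review what was configured: who the GPO applies to and how it is linked.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
(Get-GPInheritance -Target $ou).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

After the change, running `gpupdate /force` on each terminal server and `gpresult /r` in a test user's session shows whether the GPO was applied or filtered out.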


 
CPAsAdmin Commented:
Here is a Microsoft link to lock down a terminal server with group policy. You may not need or want all of the options, but they are all there for your reference.
 
http://support.microsoft.com/kb/278295
 
 
ticgums (Author) Commented:
Alright, I made my changes to AD (or at least I thought that I did) but the new settings don't seem to be taking effect.  Is there something that I am missing?

Created OU, Moved the TS Servers into the New OU, Set up my restriction

What did I miss? Thanks.
 
Leon Teale (Penetration Tester) Commented:
Did you add the group or specific users into the 'security filter' bit at bottom right of the GPMC?
 
ticgums (Author) Commented:
I fixed the problem...learned that you need to actually apply the GP for it to take effect.
 
Leon Teale (Penetration Tester) Commented:
Yes, sorry, I forgot to mention that part :P

It was the next question I would have asked though.
Make sure it is 'linked' to the OU and not 'Enforced'.

Major difference.
Question has a verified solution.
