Solved

Creating desktop restrictions only on the terminal server

Posted on 2008-10-14
12
309 Views
Last Modified: 2013-11-21
At the company that I work for, we have recently opened up a new facility. All the files that are used are still stored at the old building. We have implemented a Terminal Server solution (2X Application Server) to make the bandwidth going back and forth across the pipe to be as small as possible for speed. We want to create a desktop that some of your folks can open but want to have restrictions on what they can do. The main thing would be not to shut down the server when they go to log off. Is there any way that this can be done on the server and not through AD? We don't want the functionality of their PC to be any different than they currently are, just when they are using the published desktop, to be limited. Thanks for the help.
Question by:ticgums
12 Comments
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22711028
Hello there,

I know you said that you do not want to do it via Active Directory but it is really easy and simpler to use..

How many machines do you have for load balancing for your TS? Or is it just the one?

If that is the case why not log onto the server and change some settings in 'gpedit.msc'? That way it will create a local policy for anyone with a desktop on that machine..

I currently use Citrix and with this I use AD to assign policies and have a Citrix users group.
If you would like any help on setting up a policy to do this let me know.
 

Author Comment

by:ticgums
ID: 22711061
We have 2 for load balancing. I don't want to use AD because I only want the setting to be pertinent while using the TS. Unless there is a way to do this that the only thing affected would be the TS desktop.

I'll probably take a look at gpedit.msc

Thanks
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22711098
GPEDIT.msc is just group policy for the local machine...this is my mistake if I was getting you confused. I meant more of using the group policy on your domain controller to apply a policy to the TS machines, and/or the users (in a group) that use them..

But for what you are wanting then GPEDIT.msc should do the trick ;)

Any problems and I'll help you out.
 

Author Comment

by:ticgums
ID: 22711151
Well, I could just configure the TS Servers with the GPEDIT.msc and that way it would only affect the users when they log on or off the TS Server Desktop. How does it work for Admins? Are the credentials for Domain admins affected the same way?
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22711213
Unfortunately yes, it will affect everyone...as it is applying it to the machine, which is why I also suggested the group policy on your DC...as this way you can assign it to whomever you wish...I'm sure you are familiar with group policy...it is exactly the same as GPEDIT only applied to users and not machines, so to speak.

(Yes, you can configure it so that policy will only affect the users when they log on to the TS desktop and not when they are logged on to their normal machines on the network) :D
 

Author Comment

by:ticgums
ID: 22711250
Any help on that would be appreciated.

Thanks

"(Yes, you can configure it so that policy will only affect the users when they log on to the TS desktop and not when they are logged on to their normal machines on the network) :D"

 
LVL 6

Accepted Solution

by:
Leon Teale earned 250 total points
ID: 22711376
OK then, first things first...

On your domain controller, open up 'Group Policy Management' and open up AD.
Just in the event you have not done so already, create an OU and inside that add in both of your TS machines.

My OU is named Citrix Servers and inside that I have CTX1, CTX2, CTX3.

On the Group Policy Management console you should now see the OU (Citrix OU) under your domain name.

Right click the OU and click 'create and link GPO here..' or something along those lines.

This will now bring up the group policy which I am sure you are familiar with.

Do you need any help setting these settings? Or are you OK?

This will now only apply to anyone logging onto the TS machines as they are the only things in the OU as assigned in AD.

When you have created the 'Group Policy' look for the 'security filter'. In here should already be a user/group called 'Authenticated Users'; remove the---you don't need it.
Now 'Add' your own group..this will be a group of users which will log on to Citrix. Or you could apply it to '*everyone' and make the domain admins exempt. If you don't know how to do this let me know.

Leon
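
The steps in the accepted answer, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example (not part of Leon's answer). The domain, OU, server, group and GPO names are placeholders. It goes beyond the thread in two labelled places: it turns on loopback processing, which Group Policy requires before user settings in a GPO linked to a computer OU apply to users logging on to those computers, and it sets the shut-down restriction the question asks for.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=example,DC=local'     # placeholder domain
$OuName    = 'Terminal Servers'        # placeholder OU name
$OuDN      = "OU=$OuName,$DomainDN"
$Servers   = 'TS1', 'TS2'              # placeholder terminal server names
$UserGroup = 'TS Desktop Users'        # placeholder group; keep admins out of it
$GpoName   = 'TS Desktop Lockdown'     # placeholder GPO name

# 1. An OU that contains only the terminal servers.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
foreach ($s in $Servers) {
    Get-ADComputer -Identity $s | Move-ADObject -TargetPath $OuDN
}

# 2. "Create and link a GPO here": linked to the OU, not enforced.
New-GPO -Name $GpoName | New-GPLink -Target $OuDN -LinkEnabled Yes

# 3. Not in the thread: loopback processing (1 = Merge, 2 = Replace), so the
#    user settings below follow the server rather than the user's own OU.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 4. The restriction from the question: hide the Shut Down command.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1

# 5. Security filtering: drop Authenticated Users, add the user group.
#    The servers get Apply too, so they can read the GPO and pick up loopback.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply
foreach ($s in $Servers) {
    Set-GPPermission -Name $GpoName -TargetName $s `
        -TargetType Computer -PermissionLevel GpoApply
}

# 6. Check the result: who the GPO applies to and where it is linked.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
Get-GPInheritance -Target $OuDN | Select-Object -ExpandProperty GpoLinks
```

Run `gpupdate /force` on each terminal server afterwards and log on as a member of the filtered group and as an administrator to confirm that only the former loses the Shut Down command.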


 
LVL 2

Expert Comment

by:CPAsAdmin
ID: 22711393
Here is a Microsoft link to lock down a terminal server with group policy. You may not need or want all of the options but they are all there for your reference.

http://support.microsoft.com/kb/278295
 

Author Comment

by:ticgums
ID: 22712175
Alright, I made my changes to AD (or at least I thought that I did) but the new settings don't seem to be taking effect. Is there something that I am missing?

Created OU, moved the TS Servers into the new OU, set up my restriction.

What did I miss? Thanks.
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22712204
Did you add the group or specific users into the 'security filter' bit at bottom right of the GPMC?
 

Author Comment

by:ticgums
ID: 22713089
I fixed the problem...learned that you need to actually apply the GP to take effect.
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22715011
Yes, sorry, I forgot to mention that part :P

It was the next question I would have asked tho.
Make sure it is 'linked' to the OU and not 'Enforced'.

Major difference.
