Terminal Services Organisational Unit Problem

PaulEll used Ask the Experts™
Hi there,
I'm using a Windows 2003 Server as a domain controller, with Active Directory.
Due to the size of the company I have been forced to install Terminal Services on the same server.
Terminal Services works fine but I need to secure certain aspects i.e. no shut down button.
I've tried several ways and have checked out various sites.
I must be doing something very stupid.
I've attached an image with all the steps I have taken, I hope that someone can point out the error of my ways.

Fig1: I have created an OU called TS_Org_unit, with a group called TS_Group
I have also created a GPO called TS_GPO.

Fig2: I've amended the User Group Policy loopback processing mode to Replace.

Fig3: I have removed the Shut Down button for users that will be accessing TS as a test

Fig4: I've added a user to the membership of the TS_Group.

Problem is when this user logs on the shutdown button is still there.
Can anyone help?

Toni Uranjek, Consultant/Trainer

Hi PaulEll,

The GPO has to be linked to an OU with the computer account; in your case that is "Domain Controllers". Of course, I have to suggest that a domain controller is not a workstation and users should not be able to log on at all.




Hi Toni,
Sorry, I'm a bit new to this and I am afraid that I don't follow your comments - Sorry for being thick.

The idea is that the users will access the server using terminal servers and use the server as a workstation, which we have no problem with. We are trying to lock the server down to avoid problems.

Thanks - Paul
Toni Uranjek, Consultant/Trainer

OK, Group Policy has almost nothing to do with Active Directory groups. If you have created a GPO with computer settings, you have to link your TS_GPO to the Domain Controllers OU.

Go to Domain Controllers OU Properties, to the Group Policy tab, click the Add... button and select TS_GPO. Then go to a command prompt and run the following command: "gpupdate /force"

It is not advised to run Terminal Services on a Domain Controller. It may cause you big problems in the future, so if you can, move it to a different server.


Hi there,

Thanks for the advice, I know that I should not mix and match, but I have no choice on this site.

Thanks for all your help, all is working fine other than the changes affect everyone. I was seeking to exclude the administrator as I intend to restrict access to the control panel etc. for RDP users.
I've tried a WMI filter in the TP_GPO but it does not seem to be having an effect.
Do you have any ideas that will let me finally resolve this issue?

Select * From Win32_Group where Name <> "Administrator"

Thanks again

You could try to change Security filtering. Do you have Group Policy Management Console installed? If not, download and install it.

Start GPMC, go to the Group Policy container, select TS_GPO, go to the Delegation tab, click the Advanced... button, add the Domain Admins group and select the following permission: "Apply Group Policy" - Deny.

Set up two logins that are part of the Administrative group. Do not do anything to one. The other you will want to set security on the GP to deny read access. This security can be found in the properties of the GP. This account that you have denied read access to will be the one that you use to administer the TS.
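
The scoping rules this thread works through (a link targets the container holding the account object, group membership only filters, loopback Replace takes user settings from the computer's OU, and a Deny on "Apply Group Policy" wins), as an added example that is not part of any post above. It is a simplified Python model, not Microsoft's processing algorithm. Assumptions: the domain name example.local, the account names SERVER$ and tsuser, and the user object living outside TS_Org_unit are constructed for illustration.

```python
# Simplified model of Group Policy scoping (added example, not from the thread).
# "example.local", "SERVER$" and "tsuser" are constructed; inheritance
# blocking, enforcement and WMI filters are not modelled.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    links: set                       # containers the GPO is linked to
    allow_apply: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: set = field(default_factory=set)
    loopback_replace: bool = False   # a computer-side setting

@dataclass
class Principal:
    name: str
    path: list                       # containers holding the account object
    groups: set = field(default_factory=set)

def in_scope(gpo, obj):
    """Linked to a container holding the object AND the security filter passes."""
    ids = obj.groups | {obj.name, "Authenticated Users"}
    linked = bool(gpo.links & set(obj.path))
    # Group membership only matters for filtering; a Deny always wins.
    return linked and bool(gpo.allow_apply & ids) and not (gpo.deny_apply & ids)

def user_settings_applied(gpos, user, computer):
    """GPOs whose user settings reach `user` when logging on to `computer`."""
    loopback = any(g.loopback_replace and in_scope(g, computer) for g in gpos)
    where = computer.path if loopback else user.path  # Replace: computer's OUs
    # Assumption: filtering is still evaluated against the user's own groups.
    probe = Principal(user.name, where, user.groups)
    return [g.name for g in gpos if in_scope(g, probe)]

DC = Principal("SERVER$", ["example.local", "Domain Controllers"])
TS_USER = Principal("tsuser", ["example.local", "Users"], {"TS_Group"})
ADMIN = Principal("Administrator", ["example.local", "Users"], {"Domain Admins"})

def scenario(links, deny=()):
    gpo = GPO("TS_GPO", set(links), deny_apply=set(deny), loopback_replace=True)
    return {u.name: user_settings_applied([gpo], u, DC) for u in (TS_USER, ADMIN)}

if __name__ == "__main__":
    print(scenario({"TS_Org_unit"}))                            # original setup
    print(scenario({"Domain Controllers"}))                     # after relinking
    print(scenario({"Domain Controllers"}, {"Domain Admins"}))  # with Deny ACE
```

On a real server, `gpresult` run in the affected user's session shows which GPOs were actually applied or filtered out, which is the check to compare against this model.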
