Terminal Services Organisational Unit Problem

Hi there,
I'm using a Windows 2003 Server as a domain controller, with Active Directory.
Due to the size of the company I have been forced to install Terminal Services on the
same server.
Terminal Services works fine but I need to secure certain aspects i.e. no shut down button.
I've tried several ways and have checked out various sites.
I must be doing something very stupid.
I've attached an image with all the steps I have taken, I hope that someone can point out the error of my ways.

Fig1: I have created an OU called TS_Org_unit, with a group called TS_Group
I have also created a GPO called TS_GPO.

Fig2: I've amended the User Group Policy loopback processing mode to Replace.

Fig3: I have removed the Shut Down button for users that will be accessing TS as a test

Fig4: I've added a user to the membership of the TS_Group.

Problem is when this user logs on the shutdown button is still there.
Can anyone help?


Toni Uranjek (Consultant/Trainer) commented:
Hi PaulEll,

The GPO has to be linked to an OU with the computer account, which in your case is "Domain Controllers". Of course I have to suggest that a domain controller is not a workstation and users should not be able to log on to it at all.


PaulEll (Author) commented:
Hi Toni,
Sorry, I'm a bit new to this and I am afraid that I don't follow your comments - Sorry for being thick.

The idea is that the users will access the server using Terminal Services and use the server as a workstation, which we have no problem with. We are trying to lock the server down to avoid problems.

Thanks - Paul
Toni Uranjek (Consultant/Trainer) commented:
OK, Group Policy has almost nothing to do with Active Directory groups. If you have created a GPO with computer settings, you have to link your TS_GPO to the Domain Controllers OU.

Go to Domain Controllers OU Properties, Group Policy tab, click the Add... button and select TS_GPO. Then go to a command prompt and run the following command: "gpupdate /force"
It is not advised to run Terminal Services on a Domain Controller. It may cause you big problems in the future, so if you can, move it to a different server.
PaulEll (Author) commented:
Hi there,

Thanks for the advice, I know that I should not mix and match, but I have no choice on this site.

Thanks for all your help; all is working fine other than that the changes affect everyone. I was seeking to exclude the administrator, as I intend to restrict access to the control panel etc. for RDP users.
I've tried a WMI filter in the TS_GPO but it does not seem to be having an effect.
Do you have any ideas that will let me finally resolve this issue?

Select * From Win32_Group where Name <> "Administrator"

Thanks again

Toni Uranjek (Consultant/Trainer) commented:
You could try to change Security Filtering. Do you have the Group Policy Management Console installed? If not, download and install it.

Start GPMC, go to the Group Policy Objects container, select TS_GPO, go to the Delegation tab, click the Advanced... button, add the Domain Admins group and select the following permission: "Apply Group Policy" - Deny.

Set up two logins that are part of the Administrators group. Do not do anything to one. For the other, you will want to set security on the GPO to deny Read access. This security can be found in the properties of the GPO. The account that you have denied Read access to will be the one that you use to administer the TS.
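As an added illustration (not steps from the thread, whose advice is GUI-based), the same configuration scripted end to end: create TS_GPO, set loopback to Replace, remove the Shut Down command, link the GPO to the Domain Controllers OU as Toni advised, and use security filtering so that only TS_Group receives the user settings, which excludes admin accounts without the Deny entry. It assumes a management host with the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 or later; these do not exist on the Windows 2003 server in the question), and uses the thread's names TS_GPO and TS_Group.

```powershell
# Added example, not from the thread. Requires RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'TS_GPO'     # names taken from the thread
$UserGroup = 'TS_Group'
$DcOu      = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 2. Computer setting: User Group Policy loopback processing mode.
#    UserPolicyMode 1 = Merge, 2 = Replace (the mode chosen in Fig2).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. User setting: "Remove and prevent access to the Shut Down command" (NoClose = 1).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 4. Link to the OU that contains the COMPUTER account (the DC), not the OU holding the group.
$linked = (Get-GPInheritance -Target $DcOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes | Out-Null }

# 5. Security filtering. Authenticated Users keeps Read only (the computer account must still
#    read the GPO for loopback to work) and only TS_Group gets Apply, so an administrator who
#    is not in TS_Group never receives the user settings. Set-GPPermission cannot create the
#    Deny ACE from the thread; that variant is set in GPMC, Delegation tab, Advanced.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 6. Review the resulting ACL, refresh policy and confirm which GPOs the current user received.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize
gpupdate /force
gpresult /r /scope:user
```

Log on with a TS_Group member and then with an administrator and compare the "Applied Group Policy Objects" section of each gpresult output; only the first should list TS_GPO.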
