Terminal Services Organisational Unit Problem

Hi there,
I'm using a Windows 2003 Server as a domain controller, with active directoy.
Due to the size of the company I have been forced to install Terminal Services on the
same server.
Terminal Services works fine but I need to secure certain aspects i.e. no shut down button.
I've tried several ways and have checked out various sites.
I must be doing something very stupid.
I've attached an image with all the steps I have taken, I hope that someone can point out the error of my ways.

Fig1: I have created an OU called TS_Org_unit, with a group called TS_Group
I have also created a GPO called TS_GPO.

Fig2: I've amended the User Group Policy loopback processing mode to Replace.

Fig3: I have removed the Shut Down button for users that will be accessing TS as a test

Fig4: I've added a user the the membership of the TS_Group.

Problem is when this user logs on the shutdown button is still there.
Can anyone help ?

Who is Participating?
Toni UranjekConnect With a Mentor Consultant/TrainerCommented:
You could try to change Security filtering. Do you have Group Policy Managment Console installed? If not, download and install it.

Start GPMC, go to Group policy container, select TS_GPO, go to Delegation tab, click Advanced... button,add Domain Admins group and select the following permission "Apply Group Policy" - Deny.
Toni UranjekConsultant/TrainerCommented:
Hi PaulEll,

GPO has to be linked to an OU with computer account in your case that is "Domain Controllers". Of course I have to suggest that domain controller is not a workstation and user should not be able to log on at all.


PaulEllAuthor Commented:
Hi Toni,
Sorry, I'm a bit new to this and I am afraid that I don't follow your comments - Sorry for being thick.

The idea is that the users will access the server using terminal servers and use the server as workstation, which we have no problem with.  We are trying to lock the server down to avoid problems.

Thanks - Paul
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Toni UranjekConsultant/TrainerCommented:
OK, Group Policy has almost nothing to do with Active Directory groups. If you have created GPO with computer settings, you have to link your TS_GPO to Domain Controllers OU.

Go to Domain Controllers OU Properties, to Group Policy tab, click Add... button and select TS_GPO. Then go to command prompt and run the follwong command: "gpupdate /force"
It is not advised to run Terminal Services on Domain Controller. It may cause you big problems in future, so if you can move it to the different server.
PaulEllAuthor Commented:
Hi there,

Thanks for the advice, I know that I should not mix and match, but I have no choice on this site.

Thanks for all your help all is working fine other than the changes effect everyone, I was seeking to exclude the administrator as I intend to restrict access to the control panel etc for RDP users
I've  tried a WMI filter in the TP_GPO but it does not seem to be having an effect.
Do you have any ideas that will let me finally resolve this issue ?

Select * From Win32_Group where Name <> "Administrator"

Thanks again

Setup two logins that are part of the Administrative group.  Do not do anything to one.  The other you will want to set security on the GP to deny read access.  This security can be found in the properties of the GP.  This account that you have denied read access to will be the one that you use to administer the TS.  

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.