Terminal Services Organisational Unit Problem

Posted on 2008-11-19
Last Modified: 2013-11-21
Hi there,
I'm using a Windows 2003 Server as a domain controller, with Active Directory.
Due to the size of the company I have been forced to install Terminal Services on the
same server.
Terminal Services works fine but I need to secure certain aspects i.e. no shut down button.
I've tried several ways and have checked out various sites.
I must be doing something very stupid.
I've attached an image with all the steps I have taken, I hope that someone can point out the error of my ways.

Fig1: I have created an OU called TS_Org_unit, with a group called TS_Group
I have also created a GPO called TS_GPO.

Fig2: I've amended the User Group Policy loopback processing mode to Replace.

Fig3: I have removed the Shut Down button for users that will be accessing TS as a test

Fig4: I've added a user to the membership of the TS_Group.

Problem is when this user logs on the shutdown button is still there.
Can anyone help?

Question by:PaulEll
    LVL 31

    Expert Comment

    by:Toni Uranjek
    Hi PaulEll,

    GPO has to be linked to an OU with the computer account; in your case that is "Domain Controllers". Of course I have to suggest that a domain controller is not a workstation and users should not be able to log on at all.


    LVL 1

    Author Comment

    Hi Toni,
    Sorry, I'm a bit new to this and I am afraid that I don't follow your comments - Sorry for being thick.

    The idea is that the users will access the server using terminal servers and use the server as workstation, which we have no problem with.  We are trying to lock the server down to avoid problems.

    Thanks - Paul
    LVL 31

    Expert Comment

    by:Toni Uranjek
    OK, Group Policy has almost nothing to do with Active Directory groups. If you have created GPO with computer settings, you have to link your TS_GPO to Domain Controllers OU.

    Go to Domain Controllers OU Properties, to the Group Policy tab, click the Add... button and select TS_GPO. Then go to a command prompt and run the following command: "gpupdate /force"
    LVL 1

    Expert Comment

    It is not advised to run Terminal Services on a Domain Controller. It may cause you big problems in future, so if you can, move it to a different server.
    LVL 1

    Author Comment

    Hi there,

    Thanks for the advice, I know that I should not mix and match, but I have no choice on this site.

    Thanks for all your help. All is working fine, other than that the changes affect everyone; I was seeking to exclude the administrator, as I intend to restrict access to the control panel etc. for RDP users.
    I've tried a WMI filter in the TS_GPO but it does not seem to be having an effect.
    Do you have any ideas that will let me finally resolve this issue?

    Select * From Win32_Group where Name <> "Administrator"

    Thanks again

    LVL 31

    Accepted Solution

    You could try to change Security filtering. Do you have Group Policy Management Console installed? If not, download and install it.

    Start GPMC, go to the Group Policy container, select TS_GPO, go to the Delegation tab, click the Advanced... button, add the Domain Admins group and select the following permission: "Apply Group Policy" - Deny.

    Expert Comment

    Setup two logins that are part of the Administrative group.  Do not do anything to one.  The other you will want to set security on the GP to deny read access.  This security can be found in the properties of the GP.  This account that you have denied read access to will be the one that you use to administer the TS.  
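    A verification script for the configuration the thread arrives at (link on the Domain Controllers OU, loopback Replace, Shut Down command removed, Domain Admins denied Apply Group Policy). This is an added example, not code from the thread; it assumes the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 / RSAT or later, not available on the 2003 box in the question) and the names TS_GPO and Domain Controllers from the thread.

```powershell
# Added verification script (not from the thread). Assumes the GroupPolicy and
# ActiveDirectory modules; GPO and OU names are taken from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'TS_GPO'
$domainDn = (Get-ADDomain).DistinguishedName
$dcOu     = "OU=Domain Controllers,$domainDn"

# 1. The GPO must be linked where the *computer* account lives (the DC's OU),
#    not only on the OU that holds the users or the TS_Group.
$link = (Get-GPInheritance -Target $dcOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
if ($link -and $link.Enabled) { "OK   $gpoName is linked to $dcOu" }
else { "FAIL $gpoName is not linked (or the link is disabled) on $dcOu" }

# 2. Loopback processing mode: UserPolicyMode 1 = Merge, 2 = Replace
$loop = Get-GPRegistryValue -Name $gpoName -ErrorAction SilentlyContinue `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
if ($loop -and $loop.Value -eq 2) { "OK   loopback processing = Replace" }
else { "FAIL loopback processing is not Replace (value: $($loop.Value))" }

# 3. "Remove and prevent access to the Shut Down command" = NoClose = 1 (user side)
$noClose = Get-GPRegistryValue -Name $gpoName -ErrorAction SilentlyContinue `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ValueName 'NoClose'
if ($noClose -and $noClose.Value -eq 1) { "OK   Shut Down command removed for users" }
else { "FAIL NoClose is not set in the user configuration" }

# 4. Security filtering: WMI filters are evaluated against the computer, so a
#    Win32_Group query cannot exclude an admin *user*; a Deny ACE on
#    "Apply Group Policy" for Domain Admins is what keeps admins out of the lockdown.
$deny = Get-GPPermission -Name $gpoName -All |
        Where-Object { $_.Trustee.Name -eq 'Domain Admins' -and
                       $_.Permission -eq 'GpoApply' -and $_.Denied }
if ($deny) { "OK   Domain Admins is denied Apply Group Policy on $gpoName" }
else { "WARN no Deny/Apply Group Policy entry for Domain Admins; admins get the lockdown too" }
```

    Run it as a domain administrator after `gpupdate /force`; a FAIL on step 1 is the original symptom in the question (policy linked to the user OU only), and a WARN on step 4 is the follow-up symptom (the lockdown hitting the administrator).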

