

Terminal Services Organisational Unit Problem

Posted on 2008-11-19
Medium Priority
Last Modified: 2013-11-21
Hi there,
I'm using a Windows 2003 Server as a domain controller, with Active Directory.
Due to the size of the company I have been forced to install Terminal Services on the
same server.
Terminal Services works fine but I need to secure certain aspects i.e. no shut down button.
I've tried several ways and have checked out various sites.
I must be doing something very stupid.
I've attached an image with all the steps I have taken, I hope that someone can point out the error of my ways.

Fig1: I have created an OU called TS_Org_unit, with a group called TS_Group
I have also created a GPO called TS_GPO.

Fig2: I've amended the User Group Policy loopback processing mode to Replace.

Fig3: I have removed the Shut Down button for users that will be accessing TS as a test

Fig4: I've added a user to the membership of the TS_Group.

Problem is when this user logs on the shutdown button is still there.
Can anyone help ?

Question by:PaulEll
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22992535
Hi PaulEll,

The GPO has to be linked to an OU with the computer account; in your case that is "Domain Controllers". Of course I have to suggest that a domain controller is not a workstation and users should not be able to log on at all.



Author Comment

ID: 22992605
Hi Toni,
Sorry, I'm a bit new to this and I am afraid that I don't follow your comments - Sorry for being thick.

The idea is that the users will access the server using terminal servers and use the server as workstation, which we have no problem with.  We are trying to lock the server down to avoid problems.

Thanks - Paul
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22992670
OK, Group Policy has almost nothing to do with Active Directory groups. If you have created GPO with computer settings, you have to link your TS_GPO to Domain Controllers OU.

Go to Domain Controllers OU Properties, to the Group Policy tab, click the Add... button and select TS_GPO. Then go to a command prompt and run the following command: "gpupdate /force"


Expert Comment

ID: 22992870
It is not advised to run Terminal Services on a Domain Controller. It may cause you big problems in future, so if you can, move it to a different server.

Author Comment

ID: 22993778
Hi there,

Thanks for the advice, I know that I should not mix and match, but I have no choice on this site.

Thanks for all your help. All is working fine other than the changes affect everyone; I was seeking to exclude the administrator, as I intend to restrict access to the control panel etc. for RDP users.
I've tried a WMI filter in the TP_GPO but it does not seem to be having an effect.
Do you have any ideas that will let me finally resolve this issue ?

Select * From Win32_Group where Name <> "Administrator"

Thanks again

LVL 31

Accepted Solution

Toni Uranjek earned 2000 total points
ID: 22993882
You could try to change Security filtering. Do you have Group Policy Management Console installed? If not, download and install it.

Start GPMC, go to the Group Policy container, select TS_GPO, go to the Delegation tab, click the Advanced... button, add the Domain Admins group and select the following permission: "Apply Group Policy" - Deny.
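
The scoping behaviour discussed in this thread, as an added example that is not part of any poster's reply: a simplified Python model of how loopback Replace and security filtering decide whether TS_GPO's user settings reach a Terminal Services logon. It assumes flat OUs (no inheritance, sites or WMI filters) and constructed accounts that live in the default Users container; the function and variable names are hypothetical.

```python
from dataclasses import dataclass

AUTH = "Authenticated Users"

@dataclass(frozen=True)
class Gpo:
    name: str
    linked_ous: frozenset                      # OUs the GPO is linked to
    loopback_replace: bool = False             # computer-side setting in the GPO
    allow_apply: frozenset = frozenset({AUTH}) # "Apply Group Policy" - Allow
    deny_apply: frozenset = frozenset()        # "Apply Group Policy" - Deny

def filter_ok(gpo, groups):
    """Security filtering: a Deny on Apply Group Policy beats any Allow."""
    if gpo.deny_apply & groups:
        return False
    return bool(gpo.allow_apply & groups)

def user_policy(gpos, user_ou, user_groups, computer_ou, computer_groups):
    """Names of GPOs whose user settings reach this logon session."""
    computer_side = [g for g in gpos
                     if computer_ou in g.linked_ous and filter_ok(g, computer_groups)]
    # Loopback is a computer setting: it only counts if the GPO reaches the computer.
    replace = any(g.loopback_replace for g in computer_side)
    # In Replace mode the user's own OU is ignored; the computer's OU is used instead.
    scope_ou = computer_ou if replace else user_ou
    return [g.name for g in gpos
            if scope_ou in g.linked_ous and filter_ok(g, user_groups)]

# Constructed scenario: the server's account sits in "Domain Controllers".
DC_OU, DC_GROUPS = "Domain Controllers", frozenset({AUTH, "Domain Controllers"})
USER = ("Users", frozenset({AUTH, "TS_Group"}))        # constructed RDP user
ADMIN = ("Users", frozenset({AUTH, "Domain Admins"}))  # constructed administrator

def scenario(linked_ou, deny=frozenset()):
    """Which GPOs each account receives for a given link target and Deny list."""
    gpo = Gpo("TS_GPO", frozenset({linked_ou}), loopback_replace=True, deny_apply=deny)
    return {who: user_policy([gpo], ou, groups, DC_OU, DC_GROUPS)
            for who, (ou, groups) in {"user": USER, "admin": ADMIN}.items()}

if __name__ == "__main__":
    print(scenario("TS_Org_unit"))         # linked to the OU holding only the group
    print(scenario("Domain Controllers"))  # linked where the computer account is
    print(scenario("Domain Controllers", frozenset({"Domain Admins"})))
```

On the server itself, running `gpresult` in the affected user's session shows which GPOs were actually applied or filtered out.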

Expert Comment

ID: 22993909
Set up two logins that are part of the Administrative group. Do not do anything to one. The other you will want to set security on the GP to deny read access. This security can be found in the properties of the GP. This account that you have denied read access to will be the one that you use to administer the TS.


Question has a verified solution.
