Restrict remote Desktop Users (Terminal Services)

I realized today that after securing the GPO for our Terminal Servers to the likes of removing network neighborhood, removing right clicking on the taskbar, no run command, removing access to regedit/control panel/admin tools that those changes applied to the local user as well.

Whats the best way to secure terminal servers from the remote desktop users stance?

(just had a thought) Could I set the Security Filtering in the GPO's Scope to "remote desktop users"?  Would that cause the GPO to not affect local users (i.e. VNC, physical console)?
LVL 14
Ben HartAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Ben HartConnect With a Mentor Author Commented:
I figured it out.. You must set the target security group (the ones whom you wan the gpo to affect) with read and apply group policy permissions.  then you can add other security groups but check Deny apply group policy that way members of that group can login but they will not be affected by the GPO's changes.

woot
0
 
ChristophermageeCommented:
You can block terminal services from the user prroperties in Active directory terminal services profile tab however i think you would need to tick it for everyone.

Or there is this   http://technet.microsoft.com/en-us/library/cc737453(WS.10).aspx

Hope this helps
0
 
Ben HartAuthor Commented:
Close, but these are actually Terminal Servers.. used by my users.  I'm just wanting to restrict what trouble they can get into once logged in.    but specifically I guess I'm wondering about setting the filtering on the GPO to Remote Desktop Users versus Authenticated Users.
0
All Courses

From novice to tech pro — start learning today.