Locking down a 2003 Terminal Server with a 2008 GPO

Posted on 2010-01-01
Last Modified: 2013-11-21
I am curious if anyone has any pointers or any links to a site(s) that show how to lock down a 2003 terminal server which I have running as a virtual server on a 2008 system. I have come across numerous links on how to lock down a 2003 terminal server, but nothing about which policies to use when running the server in a 2008 server environment.
Question by:MCSA2003
    LVL 31

    Expert Comment

    by:Henrik Johansson
    It doesn't really matter that it's a Windows Server 2008 domain as long as you use policy settings that are compatible with the older OS.
    Some policy settings in Administrative Templates (ADM) can be relocated in 2008 structure, but you can use GPMC on a 2003/XP machine with older ADM-files

    KB about locking down TS

    Download GPMC for Windows Server 2003
    LVL 14

    Author Comment

    Thanks for the quick reply. I saw the KB article about locking down the TS. The issue I was having is that in the 2008 GPO, the settings are not in the correct place. For example, the first step is:

    [Computer Configuration\Admin Templates\System\Group Policy]

    Enable the following setting:
    User Group Policy loopback processing mode

    This setting is not available in the 2008 GPO. The link that you provided for 2003 GPMC, are you saying this needs to be installed on any XP or 2003 box? If so, how do I link it to users on the 2008 domain controller? Could it be run on the terminal server and configured there?
    LVL 31

    Accepted Solution

    The policy setting is there when using GPMC in 2008, but is a little bit relocated.
    The policy settings have been grouped under Policies and the path for the loopback processing setting in GPMC2008 is as below. For most settings, just add Policies between 'Computer Configuration' and 'Administrative Templates'.

    Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

    If unsure where the policy setting is located, you find all settings at the same place when looking in

    Computer Configuration\Policies\Administrative Templates\All Settings

    The GPMC tool downloadable from the link above can be installed on any XP/2003 machine that you want to use for GPO management to avoid the need to log on to the DC. It's just a management tool that works remotely from any member computer in the domain.
    So, yes for your question about if GPMC can be installed on the TS, but it isn't necessary.

    ADUC and some other AD-tools can be installed from adminpak.msi located in \\win2003servername\admin$\system32\adminpak.msi
    In Vista and above, the tools are part of RSAT (Remote Server Administrative Tools).
    LVL 14

    Author Closing Comment

    I installed GPMC on an XP machine and everything worked perfectly. Thanks
