Windows Server 2008 - Terminal Server - Desktop Lockdown GPO

I have found excellent articles on the subject, but for Windows Server 2003. Does anybody know where I can find instructions on configuring a Policy for Desktop Lockdown for Windows Server 2008 Terminal Server?
OOsorioAsked:
Encrypted1024Commented:
It is basically the exact same. Very few "lock down" features have changed. I think the article on W2K3 should get you what you need.
0
OOsorioAuthor Commented:
I already read the work prepared by Claudio Rodrigues. It's excellent, but there are enough differences in 2008 that something else is required.
0
Encrypted1024Commented:
What do you feel is required? I can't think of any exploitable differences between 2003 and 2008. If anything, 2008 comes more locked down out of the box. All the main GPO settings are basically the same. They may be worded slightly differently, but the features are all the same.
- Remove Control Panel
- Remove Run command
- Remove regedit
- Remove drives from Explorer
- Remove command prompt
- Delete Profiles on exit
- Remove network settings
- Remove Start Menu items....... etc.....

0
OOsorioAuthor Commented:
Windows Server 2008 Active Directory has Builtin groups and groups within users.
I have set up a group called TS_Users within the users group and it belongs to the Remote Desktop group.
Now I need to define a policy for TS_Users in the Group Policy Management.
How do I define the Policy in Group Policy Management?
Once defined I should have access to configuring:
-Remove control panel
-Remove run command
-etc.
0
Encrypted1024Commented:
First, I think you are getting groups, Organizational Units and Containers mixed up. The default Users container cannot have policy attached to it. What you want to do is create an Organizational Unit and put your TS users in it using Active Directory Users and Computers. Then fire up Group Policy Management Console and create a new GPO on that new OU. Then start populating that GPO with your TS user policies.

You may also have to create an OU and put your Terminal Server in it. Then attach a GPO to it so you can assign computer-based policies to it.

This has not changed between W2K3 and W2K8.
0
OOsorioAuthor Commented:
For example, I am not getting the Group Policy tab in the Terminal Server's Properties. See image....

Image-1.jpg
0
Encrypted1024Commented:
Ah, I see now. You haven't installed the Group Policy Management Console. That is why we are getting our signals crossed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Download and install this. Then everything will become clear.
0
Encrypted1024Commented:
Also, you will want to make a new OU for terminal server users (not under the "Users" container) and put your TS users in there.
0
OOsorioAuthor Commented:
The link above is for Windows Server 2003. Are you sure it works with 2008?

2008 has its own GP Management Console and this console does not show the Group Policy Tab in the Properties window.
TS2.jpg
0
Encrypted1024Commented:
No. The link I sent is not for 2008. It is for 2003. The picture you posted was of 2003. I was suggesting you install that GPMC on your 2003 server so that you have the same tools available in 2003 and 2008. Then you will see that they are really almost identical.

The Group Policy tab in W2K3 has not been the standard way of working for 7 years. GPMC is the standard management tool, and likely all instructions will be using this tool.
0
OOsorioAuthor Commented:
I posted the picture for two reasons. 1 - In 2008 I don't get the group policy tab as shown in the picture and 2 - There are no instructions for 2008.
0
Encrypted1024Commented:
Oh, okay. Do the instructions you have talk about a group policy tab? They are likely outdated instructions then. No worries, the big things you need from that document are just the Group Policy settings. The instructions don't really matter.

I guess I should ask, do you have any experience with Group Policy? Specifically GPMC? If not, maybe we should forget about the TS and concentrate on how to use the GPMC to administer GPOs in W2K3/W2K8.

0
OOsorioAuthor Commented:
Very little experience; that is why I was looking for Desktop Lockdown instructions for Win2008 Terminal Server. Appreciate the help.
0
Encrypted1024Commented:
Okay. Well, in 2004 Microsoft released the GPMC and it quickly became the standard Group Policy management tool. It was so popular that MS included only the GPMC in W2K8 and newer. Basically, instead of using Active Directory Users and Computers for GP, you open a separate tool. So you set up your OU structure in AD and then open GPMC to administer policies.

Once you get used to the new interface, you will see that the actual editing of GPOs is nearly identical. I suggest firing up the GPMC on either 2003 or 2008 and playing around with it a bit. (Be careful if you are in a production environment.) Once you feel comfortable with the interface, let me know and we will look at creating your TS policy.
0
OOsorioAuthor Commented:
Ok. Comfortable. Let's have a look at creating a TS Policy.
0
Encrypted1024Commented:
Okay, good. So to create a new GPO (Group Policy Object) you just right click on the OU (Organizational Unit) where you want your policy to apply and select "Create new GPO and Link it here". Remember that policies are divided into two parts, computer and user. The computer settings apply to OUs with computers in them and the user policies apply to OUs with users in them. So create one GPO on your Terminal Server Computer OU called "TS Computer Lockdown" and create a new GPO on the OU that contains your TS users and call it "TS User Lockdown".

Now all you have to do is right click on your newly created GPO and select edit. You should now see the familiar GPO edit screen from 2003. Go through the documentation you have and add all of the user settings to the User GPO and do the same for the computer GPO.

Once you have some policies defined that you want to test, log into your TS as an Administrator and type "gpupdate /force" at the command prompt. That will force a group policy update. You may have to log out or reboot the server for these changes to take effect. Then log into the TS as one of your TS users and see if the policies were effective.

Tweak on it for a bit and if you run into trouble let me know.

0
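The steps in the answer above (an OU for the TS users, an OU for the server, one linked GPO each, then `gpupdate /force`) can also be scripted. This is an added example, not part of the original thread: it assumes the ActiveDirectory and GroupPolicy PowerShell modules, which shipped with Windows Server 2008 R2 and are not present on the original 2008 release, and the domain DN and OU names are placeholders.

```powershell
# Added example; run as a domain administrator on a machine with the
# ActiveDirectory and GroupPolicy modules (Server 2008 R2 or later, or RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Hypothetical values: replace with your own domain and OU names.
$domainDn = 'DC=example,DC=local'
$userOu   = 'TS Users'
$serverOu = 'TS Servers'

# 1. OUs for the TS users and for the Terminal Server computer account.
#    The default "Users" container cannot have a GPO linked to it.
foreach ($ou in $userOu, $serverOu) {
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
                 -SearchBase $domainDn -SearchScope OneLevel
    if (-not $found) { New-ADOrganizationalUnit -Name $ou -Path $domainDn }
}

# 2. One GPO per OU, created and linked in one step
#    (the scripted form of "Create new GPO and Link it here").
New-GPO -Name 'TS User Lockdown'     | New-GPLink -Target "OU=$userOu,$domainDn"
New-GPO -Name 'TS Computer Lockdown' | New-GPLink -Target "OU=$serverOu,$domainDn"

# 3. A few of the user-side lockdown settings listed earlier in the thread,
#    written as the registry policy values behind them.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmd      = 'HKCU\Software\Policies\Microsoft\Windows\System'
$settings = @(
    @{ Key = $explorer; Name = 'NoControlPanel';       Value = 1 },
    @{ Key = $explorer; Name = 'NoRun';                Value = 1 },
    @{ Key = $explorer; Name = 'NoDrives';             Value = 4 },  # bitmask, 4 = hide C:
    @{ Key = $system;   Name = 'DisableRegistryTools'; Value = 1 },
    @{ Key = $cmd;      Name = 'DisableCMD';           Value = 2 }   # 2 = block prompt, still allow batch files
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name 'TS User Lockdown' -Key $s.Key `
        -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# 4. Review what the GPO now contains before anyone logs on with it.
Get-GPOReport -Name 'TS User Lockdown' -ReportType Html `
    -Path (Join-Path $env:TEMP 'ts-user-lockdown.html')

# On the Terminal Server: run "gpupdate /force", then log on as a test
# TS user and run "gpresult /r" to confirm the GPO was applied.
```

The user and computer accounts still have to be moved into the new OUs before either GPO applies to them.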
OOsorioAuthor Commented:
We don't seem to be looking at the same thing. I followed your instructions from paragraph one above and still do not see the familiar GPO edit screen as described in paragraph two.
0
Encrypted1024Commented:
Really? If you right click on a GPO and select edit it doesn't open up the group policy editor? It has been a while since I used anything else but I remember it being exactly the same. Even the local policy editor gpedit.msc is the same. All the way back to W2k or even earlier.
0
Encrypted1024Commented:
Here's a pic.
GPO.jpg
0

Encrypted1024Commented:
Right click on GPO and select edit. Group Policy Editor as seen on right pops up.
0
OOsorioAuthor Commented:
I got it. A picture speaks ...........................
Thanks,
0
OOsorioAuthor Commented:
A pictorial description from the beginning would have been very helpful. I do appreciate the help.
0