Solved

Windows Server 2008 - Terminal Server - Desktop Lockdown GPO

Posted on 2010-03-29
Last Modified: 2012-05-09
I have found excellent articles on the subject but for Windows Server 2003. Does anybody know where I can find instructions on configuring a Policy for Desktop Lockdown for Windows Server 2008 Terminal Server?
Question by:OOsorio
LVL 10

Expert Comment

by:Encrypted1024
ID: 29039307
It is basically the exact same. Very few "lock down" features have changed. I think the article on W2K3 should get you what you need.
 
LVL 5

Author Comment

by:OOsorio
ID: 29040580
I already read the work prepared by Claudio Rodrigues. It's excellent, but there are enough differences in 2008 that something else is required.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29046513
What do you feel is required? I can't think of any exploitable differences between 2003 and 2008. If anything, 2008 comes more locked down out of the box. All the main GPO settings are basically the same. They may be worded slightly differently but the features are all the same.
- Remove control Panel
- Remove Run command
- Remove regedit
- Remove drives from Explorer
- Remove command prompt
- Delete Profiles on exit
- Remove network settings
- Remove Start Menu items....... etc.....


 
LVL 5

Author Comment

by:OOsorio
ID: 29097385
Windows Server 2008 Active Directory has Builtin groups and groups within users.
I have set up a group called TS_Users within the users group and it belongs to the Remote Desktop group.
Now I need to define a policy for TS_Users in the Group Policy Management.
How do I define the Policy in Group Policy Management?
Once defined I should have access to configuring:
-Remove control panel
-Remove run command
-etc.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29102225
First, I think you are getting groups, Organizational Units and Containers mixed up. The default users container cannot have policy attached to it. What you want to do is create an Organizational Unit and put your TS users in it using Active Directory Users and Computers. Then fire up Group Policy Management Console and create a new GPO on that new OU. Then start populating that GPO with your TS user policies.

You may also have to create an OU and put your Terminal Server in it. Then attach a GPO to it so you can assign computer based policies to it.

This has not changed between W2K3 and W2K8.
 
LVL 5

Author Comment

by:OOsorio
ID: 29128141
For example, I am not getting the Group Policy Tab in the Terminal Server's Properties. See image....

Image-1.jpg
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29132797
Ah, I see now. You haven't installed the Group Policy Management Console. That is why we are getting our signals crossed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Download and install this. Then everything will become clear.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29133077
Also, you will want to make a new OU for terminal server users. (not under the "Users" container) and put your TS users in there.
 
LVL 5

Author Comment

by:OOsorio
ID: 29222560
The link above is for Windows Server 2003. Are you sure it works with 2008?

2008 has its own GP Management Console and this console does not show the Group Policy Tab in the Properties window.
TS2.jpg
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29228179
No. The link I sent is not for 2008. It is for 2003. The picture you posted was of 2003. I was suggesting you install that GPMC on your 2003 server so that you have the same tools available in 2003 and 2008. Then you will see that they are really almost identical.

Using the Group Policy tab in W2K3 has not been standardly used for 7 years. GPMC is the standard management tool and likely all instructions will be using this tool.
 
LVL 5

Author Comment

by:OOsorio
ID: 29232197
I posted the picture for two reasons. 1 - In 2008 I don't get the group policy tab as shown in the picture and 2 - There are no instructions for 2008.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29247624
Oh, okay. Do the instructions you have talk about a group policy tab? They are likely outdated instructions then. No worries, the big things you need from that document are just the Group Policy settings. The instructions don't really matter.

I guess I should ask, do you have any experience with Group Policy? Specifically GPMC? If not, maybe we should forget about the TS and concentrate on how to use the GPMC to administer GPOs in W2K3/W2K8.

 
LVL 5

Author Comment

by:OOsorio
ID: 29248757
Very little experience; that is why I was looking for Desktop Lockdown instructions for Win2008 Terminal Server. Appreciate the help.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29259414
Okay. Well, in 2004 Microsoft released the GPMC and it quickly became the standard Group Policy management tool. It was so popular that MS included only the GPMC in W2K8 and newer. Basically, instead of using Active Directory Users and Computers for GP, you open a separate tool. So you set up your OU structure in AD and then open GPMC to administer policies.

Once you get used to the new interface, you will see that the actual editing of GPOs is nearly identical. I suggest firing up the GPMC on either 2003 or 2008 and play around with it a bit. (Be careful if you are in a production environment.) Once you feel comfortable with the interface let me know and we will look at creating your TS policy.
 
LVL 5

Author Comment

by:OOsorio
ID: 29277375
Ok. Comfortable. Let's have a look at creating a TS Policy.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29284360
Okay good. So to create a new GPO (Group Policy Object) you just right click on the OU (Organizational Unit) where you want your policy to apply and select "Create new GPO and Link it here". Remember that policies are divided into two parts, computer and user. The computer settings apply to OUs with computers in them and the User policies apply to OUs with users in them. So create one GPO on your Terminal Server Computer OU called "TS Computer Lockdown" and create a new GPO on the OU that contains your TS users and call it "TS User Lockdown".

Now all you have to do is right click on your newly created GPO and select edit. You should now see the familiar GPO edit screen from 2003. Go through the documentation you have and add all of the user settings to the User GPO and do the same for the computer GPO.

Once you have some policies defined that you want to test, log into your TS as an Administrator and type "gpupdate /force" at the command prompt. That will force a group policy update. You may have to log out or reboot the server for these changes to take effect. Then log into the TS as one of your TS users and see if the policies were effective.

Tweak on it for a bit and if you run into trouble let me know.

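The OU, GPO and link steps from the comment above, scripted as an added example that is not part of the original thread. It assumes a management machine with the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later, or matching RSAT), a hypothetical domain `example.local`, hypothetical OU names, and the registry-backed values behind a few of the lockdown settings listed earlier in the thread.

```powershell
# Added example. Domain DN and OU names are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = 'DC=example,DC=local'
$userOU   = 'TS Users'
$compOU   = 'Terminal Servers'

# GPOs cannot be linked to the default Users container, so use real OUs.
foreach ($ou in $userOU, $compOU) {
    $found = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" `
                 -SearchBase $domainDN -SearchScope OneLevel
    if (-not $found) { New-ADOrganizationalUnit -Name $ou -Path $domainDN }
}

# One GPO for the user half of the lockdown, one for the computer half.
New-GPO -Name 'TS User Lockdown'     | Out-Null
New-GPO -Name 'TS Computer Lockdown' | Out-Null

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userSettings = @(
    @{ Key = $explorer; Name = 'NoControlPanel'; Value = 1 },  # remove Control Panel
    @{ Key = $explorer; Name = 'NoRun';          Value = 1 },  # remove Run command
    @{ Key = $explorer; Name = 'NoDrives';       Value = 4 },  # bitmask: 4 hides C:
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Value = 1 },             # block regedit
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Value = 2 }                        # block cmd, keep logon scripts
)
foreach ($s in $userSettings) {
    Set-GPRegistryValue -Name 'TS User Lockdown' -Key $s.Key `
        -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Computer-side setting: delete cached roaming profiles at logoff.
Set-GPRegistryValue -Name 'TS Computer Lockdown' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DeleteRoamingCache' -Type DWord -Value 1 | Out-Null

# Link each GPO to the OU holding the objects it should apply to.
New-GPLink -Name 'TS User Lockdown'     -Target "OU=$userOU,$domainDN" | Out-Null
New-GPLink -Name 'TS Computer Lockdown' -Target "OU=$compOU,$domainDN" | Out-Null

# On the terminal server afterwards: gpupdate /force, then log on as a
# TS user and run gpresult /r to confirm both GPOs are listed as applied.
```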
 
LVL 5

Author Comment

by:OOsorio
ID: 29470600
We don't seem to be looking at the same thing. I followed your instructions from paragraph one above and still do not see the familiar GPO edit screen as described in paragraph two.
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29473802
Really? If you right click on a GPO and select edit it doesn't open up the group policy editor? It has been a while since I used anything else but I remember it being exactly the same. Even the local policy editor gpedit.msc is the same. All the way back to W2k or even earlier.
 
LVL 10

Accepted Solution

by:
Encrypted1024 earned 750 total points
ID: 29473850
Here's a pic.
GPO.jpg
 
LVL 10

Expert Comment

by:Encrypted1024
ID: 29473944
Right click on GPO and select edit. Group Policy Editor as seen on right pops up.
 
LVL 5

Author Comment

by:OOsorio
ID: 29475457
I got it. A picture speaks ...........................
Thanks,
 
LVL 5

Author Closing Comment

by:OOsorio
ID: 31708694
A pictorial description from the beginning would have been very helpful. I do appreciate the help.
Question has a verified solution.