  • Status: Solved

Configure a 2003 terminal server.

I just recently set up a terminal server 2003 box and locked it according to a document from Microsoft called "Locking Down Windows Server 2003 Terminal Server Sessions".

I created an OU and stuck the terminal server in there. I set up a GPO so that the policy would be applied to anyone logging into this server. My problem is with the admin account: I need to be able to install software on it.

How would I go about doing this?
0
Asked by: victordr
 
Michael Pfister Commented:
Set the permissions on the group policy: in GPMC, go to the Group Policy in question, select Properties, navigate to the Security tab and tick "Deny" next to "Apply Group Policy" for the Domain Admin group.
HTH
0
 
victordr (Author) Commented:
I did that and I ran a GPRESULT and it shows the policy being denied, but when I go to install Adobe Reader on the terminal server it gives me this message.
Capture.JPG
0
 
Tasmant Commented:
Is the admin account a member of the Domain Admins group?
Because if you did the action specified by mpfister, you shouldn't have this issue (if the GPO setting is a user parameter).

I think you use loopback processing mode for your server (in replace mode, I think).
Where is the setting that prevents installation?
- Did you disable MSI execution?
- Did you set up a software restriction policy?
- Another setting?
If the settings are in the computer configuration, anyone will be able to install a program.
You should set up the settings in the user configuration in order to prevent administrators from having these restrictions.
0
 
victordr (Author) Commented:
I do have loopback set up in replace mode.

Under Computer Configuration I have Disable Windows Install enabled and set to always.
0
 
Michael Pfister Commented:
Disabling Windows Installer is not recommended. Anyway, a non-admin user is unable to install any software that tries to write to HKLM.
Some software requires Windows Installer to configure the user part at first logon.
0
 
victordr (Author) Commented:
OK. I'm just going by a best practices document I found from Microsoft.
0
 
Tasmant Commented:
As disabling Windows Installer is assigned to the computer, it's the case for everyone, including admins.
You just found your issue.
0
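
The outcome reached in this thread, modelled as an added Python example (not code from any poster or from Microsoft): denying "Apply Group Policy" to Domain Admins filters only the user half of the GPO, so a Computer Configuration setting such as Disable Windows Installer still reaches the admin session. The GPO name, setting keys and group sets are constructed, and the filtering model is deliberately simplified.

```python
# Simplified model of GPO security filtering with loopback (replace) mode.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer_settings: dict
    user_settings: dict
    allow_apply: set                      # groups allowed "Apply Group Policy"
    deny_apply: set = field(default_factory=set)

    def applies_to(self, groups):
        # An explicit Deny always wins over an Allow.
        return not (groups & self.deny_apply) and bool(groups & self.allow_apply)

def resultant_policy(computer_ou_gpos, user_ou_gpos, computer_groups,
                     user_groups, loopback_replace):
    """Return (computer_settings, user_settings) in effect for one logon."""
    computer, user = {}, {}
    # Computer Configuration is filtered against the COMPUTER account only.
    for gpo in computer_ou_gpos:
        if gpo.applies_to(computer_groups):
            computer.update(gpo.computer_settings)
    # Loopback replace: user settings come from the computer's GPO list,
    # but are still filtered against the USER's group membership.
    for gpo in (computer_ou_gpos if loopback_replace else user_ou_gpos):
        if gpo.applies_to(user_groups):
            user.update(gpo.user_settings)
    return computer, user

def can_run_msi(computer_settings):
    # "Disable Windows Installer = Always" is machine-wide, whoever logs on.
    return computer_settings.get("DisableWindowsInstaller") != "Always"

# Constructed sample data mirroring the thread (names are hypothetical).
LOCKDOWN = GPO("TS Lockdown",
               computer_settings={"DisableWindowsInstaller": "Always"},
               user_settings={"HideControlPanel": True},
               allow_apply={"Authenticated Users"},
               deny_apply={"Domain Admins"})
TS_GROUPS = {"Authenticated Users", "Domain Computers"}
ADMIN_GROUPS = {"Authenticated Users", "Domain Admins"}
USER_GROUPS = {"Authenticated Users", "Domain Users"}

def simulate(user_groups, gpo=LOCKDOWN):
    return resultant_policy([gpo], [], TS_GROUPS, user_groups, loopback_replace=True)
```

For the admin, `simulate(ADMIN_GROUPS)` yields no user restrictions, which matches the GPRESULT output described above, yet `can_run_msi` is still false because the block lives in the computer half.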
