Configure a 2003 terminal server.

I just recently setup a terminal server 2003 box and locked it according to a document from Microsoft called "Locking Down Windows Server 2003 Terminal Server Sessions"

 I  created an OU and stuck the terminal server in there. Setup a GPO so that anyone logging into this server the policy would be applied to them. My problem is with the admin account i need to be able to install software on it.

 How would i go about doing this?
victordrAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
TasmantConnect With a Mentor Commented:
is the admin account is member of domain admins group?
because if you did the action specified by mpfister, you shouldn't have this issue (if the GPO setting is an user parameter).

I think you use loppback processing mode for your server (in replace mode i think).
Where is the setting that prevent installation ?
- did you disable msi execution ?
- did you set up software restriction policy ?
- another setting ?
If the settings are in the computer configuration, anyone will be able to install a program.
You should set up the settings in the user configuration in order to prevent administrators to have these restrictions.
0
 
Michael PfisterCommented:
Set the permissions on the group policy: in GPMC, go to the Group Policy in question, select Properties, navigate to the Security tab and tick "Deny" next to "Aply Group Policy" for the Domain Admin group.
HTH
0
 
victordrAuthor Commented:
I did that and i ran a GPRESULT and it shows the policy being denied, but when i go to install adobe reader on the terminal server it gives me this message.
Capture.JPG
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
victordrAuthor Commented:
I do have loopback setup in replace mode.

Under computer configuration i have Disable Windows Install enabled and set to always.
0
 
Michael PfisterCommented:
Disabling Windows Installer is not recommeded. Anyway a non-admin user is unable to install any software that tries to write to HKLM.
Some software requires Windows Installer to configure the user part at first logon.
0
 
victordrAuthor Commented:
Ok. I just going by best practices document i found from Microsoft.
0
 
TasmantConnect With a Mentor Commented:
As disabling Windows installer is assigned to computer, it's the case for everyone, include admins.
You just found your issue.
0
All Courses

From novice to tech pro — start learning today.