Solved

Configure a 2003 terminal server.

Posted on 2010-11-10
7
283 Views
Last Modified: 2012-05-10
I just recently setup a terminal server 2003 box and locked it according to a document from Microsoft called "Locking Down Windows Server 2003 Terminal Server Sessions"

 I  created an OU and stuck the terminal server in there. Setup a GPO so that anyone logging into this server the policy would be applied to them. My problem is with the admin account i need to be able to install software on it.

 How would i go about doing this?
0
Comment
Question by:victordr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 34109574
Set the permissions on the group policy: in GPMC, go to the Group Policy in question, select Properties, navigate to the Security tab and tick "Deny" next to "Aply Group Policy" for the Domain Admin group.
HTH
0
 

Author Comment

by:victordr
ID: 34110970
I did that and i ran a GPRESULT and it shows the policy being denied, but when i go to install adobe reader on the terminal server it gives me this message.
Capture.JPG
0
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 34111023
is the admin account is member of domain admins group?
because if you did the action specified by mpfister, you shouldn't have this issue (if the GPO setting is an user parameter).

I think you use loppback processing mode for your server (in replace mode i think).
Where is the setting that prevent installation ?
- did you disable msi execution ?
- did you set up software restriction policy ?
- another setting ?
If the settings are in the computer configuration, anyone will be able to install a program.
You should set up the settings in the user configuration in order to prevent administrators to have these restrictions.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:victordr
ID: 34111453
I do have loopback setup in replace mode.

Under computer configuration i have Disable Windows Install enabled and set to always.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 34111813
Disabling Windows Installer is not recommeded. Anyway a non-admin user is unable to install any software that tries to write to HKLM.
Some software requires Windows Installer to configure the user part at first logon.
0
 

Author Comment

by:victordr
ID: 34111875
Ok. I just going by best practices document i found from Microsoft.
0
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 500 total points
ID: 34112142
As disabling Windows installer is assigned to computer, it's the case for everyone, include admins.
You just found your issue.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question