Solved

Configure a 2003 terminal server.

Posted on 2010-11-10
7
284 Views
Last Modified: 2012-05-10
I just recently setup a terminal server 2003 box and locked it according to a document from Microsoft called "Locking Down Windows Server 2003 Terminal Server Sessions"

 I  created an OU and stuck the terminal server in there. Setup a GPO so that anyone logging into this server the policy would be applied to them. My problem is with the admin account i need to be able to install software on it.

 How would i go about doing this?
0
Comment
Question by:victordr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 34109574
Set the permissions on the group policy: in GPMC, go to the Group Policy in question, select Properties, navigate to the Security tab and tick "Deny" next to "Aply Group Policy" for the Domain Admin group.
HTH
0
 

Author Comment

by:victordr
ID: 34110970
I did that and i ran a GPRESULT and it shows the policy being denied, but when i go to install adobe reader on the terminal server it gives me this message.
Capture.JPG
0
 
LVL 11

Accepted Solution

by:
Tasmant earned 500 total points
ID: 34111023
is the admin account is member of domain admins group?
because if you did the action specified by mpfister, you shouldn't have this issue (if the GPO setting is an user parameter).

I think you use loppback processing mode for your server (in replace mode i think).
Where is the setting that prevent installation ?
- did you disable msi execution ?
- did you set up software restriction policy ?
- another setting ?
If the settings are in the computer configuration, anyone will be able to install a program.
You should set up the settings in the user configuration in order to prevent administrators to have these restrictions.
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 

Author Comment

by:victordr
ID: 34111453
I do have loopback setup in replace mode.

Under computer configuration i have Disable Windows Install enabled and set to always.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 34111813
Disabling Windows Installer is not recommeded. Anyway a non-admin user is unable to install any software that tries to write to HKLM.
Some software requires Windows Installer to configure the user part at first logon.
0
 

Author Comment

by:victordr
ID: 34111875
Ok. I just going by best practices document i found from Microsoft.
0
 
LVL 11

Assisted Solution

by:Tasmant
Tasmant earned 500 total points
ID: 34112142
As disabling Windows installer is assigned to computer, it's the case for everyone, include admins.
You just found your issue.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question