I have a network with three servers, as follows:
1x Windows SBS 2003, primary domain controller
2x Windows 2008 Servers, domian controllers and terminal services servers
The SBS 2003 box should only accept terminal services sessions from administrators, whilst each of the two 2008 boxes shoud accept TS connections from a different group of users. (That is a different group of users for each 2008 box.)
Initially I went into computer/properties on each 2008 box and tried to set the users who could log into terminal services from there, but I noticed that changing this on one, changed it on both.
I then tried setting the remote access permissions to administrators only and created a group policy object for each 2008 box, and in each object setting the "allow logon through terminal services" to the appropriate group. I linked both of these policy objects to the domain controllers OU and then filtered each one to the appropriate computer. This did not appear to allow anyone but administrators in.
How do I acheive what I need?