Solved

admin has restricted terminal desktop Server 2003

Posted on 2011-02-15
Last Modified: 2013-12-04
We added a new terminal services user to a 2003 Windows domain and terminal server. We use default local profiles, no roaming. User has restricted access, can't right-click on desktop icons, no access to C drive via My Computer...which is not what we wanted for this user. We did at one time have a restricted desktop for some users in a separate OU implemented by a GPO. This user is not in that OU....part of testing this issue was to set this user to a domain and local admin on the server...no change...another existing user did not have this problem and had identical security perms and same container. So I deleted that user's local terminal server profile. Now that user has the same problem and is an admin as well. I tried moving the users and the Citrix server into a newly created OU....gpupdate on the terminal server....I am not sure where to go from here...why are my power users getting this restricted desktop?
Question by:desmarler

Expert Comment

by:gtfiji
ID: 34903094
It's possible that the terminal server has a local policy that restricts the users.  If that were the case, any users who ever had the good fortune of having a GPO relax their restrictions would still benefit from the relaxed settings even if they were moved out from under the scope of influence of that GPO.  That is, until you deleted their user profile, at which time they would be subject to the same restrictive settings that all new users experience.  Putting the server object into a new OU would do nothing at all to the users' restrictions (unless "loopback processing" happens to be turned on, in which case moving it around may or may not affect the users' experience, depending on the settings in the GPOs governing the OUs that you're moving the objects from or to).

So, to be clear. . .this is a user who can log on to a client machine and experience all of the unrestricted behavior, right?  It's only when he logs on to this terminal server that the restrictions occur?  If that's the case, run gpedit.msc on the terminal server, and look through the "User Configuration" settings to see if that's where the restrictions are coming from.

If, however,  the user is experiencing the restrictions on every desktop that he logs in to and you want to keep it that way, you'll have to turn on loopback processing on the terminal server.


Author Comment

by:desmarler
ID: 34903139
Correct, said users can log in to another system and DO NOT have the restrictions. Only when they log in to this terminal server. Ran gpedit.msc on terminal server, none of the restricted settings are configured.

Assisted Solution

by:gtfiji
gtfiji earned 250 total points
ID: 34903355
Fascinating.  Without a local policy, the only way I can think of that I could force the kind of behavior that you're talking about is to set up either a WMI filter or a Security filter.  That would mean a GPO linked fairly high up in your OU hierarchy (like, at the Domain level) with a filter on it such that only the terminal servers have the policy apply to them.

Have you ever used the "Resultant Set of Policy" snap-in to the MMC?  It gives you pretty much the same information that's in the GPMC's web-based reports on modeling and results at the bottom of the screen, so you could use that instead, but I think the MMC snap-in is much more intuitive.  Just log on to the server as an administrator (I hope you can find at least one user with full access!), and run MMC, then load up the Resultant Set of Policy tool.  When you launch the tool, right-click on the words Resultant Set of Policy, and say "Generate RSoP Data".  Choose "Logging Mode" (equivalent to the web-based "Group Policy Results" report in the GPMC), choose the terminal server as the machine to test, then inspect any of the user profiles stored on that machine that are experiencing the restricted behavior.  You'll have the chance to dive down through the tool and discover what settings are configured.  Right-click on any setting, and you'll discover the name of the GPO that slapped that setting on the user.

Hope that points you in the right direction.

Accepted Solution

by:
desmarler earned 0 total points
ID: 34903508
I figured it out. Apparently the default terminal user profile had been modified with the restricted settings. I replaced the default profile on the affected terminal server with a working profile. Deleted the restricted users and logged on as them again and it is now working. Thanks for your quick responses.

Author Closing Comment

by:desmarler
ID: 34936612
Replacing the default profile solved the problem.
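
The thread ends with the restrictions traced to the default profile rather than to a GPO or local policy. As an added example (not part of the original thread), this PowerShell script loads a profile's NTUSER.DAT and lists any policy values stored in it. The mount name `DefaultProfileAudit` is hypothetical, and the default path assumes the standard Server 2003 `Default User` location.

```powershell
# Added example (not from the thread): list policy values stored in a profile hive.
# Assumes PowerShell 2.0 or later and an elevated prompt on the terminal server.
param(
    # Default profile hive on Server 2003; pass a different path on other versions.
    [string]$HivePath = 'C:\Documents and Settings\Default User\NTUSER.DAT'
)

$mount = 'DefaultProfileAudit'        # hypothetical temporary key name under HKEY_USERS
$policyRoots = @(
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'Software\Policies'
)

function Get-PolicyValue([string]$KeyPath) {
    # Emit one object per registry value found in the key and all of its subkeys.
    $keys = @(Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue)
    $keys += @(Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
        $key.Close()                  # release the handle so the hive can be unloaded
    }
}

if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

& reg.exe load "HKU\$mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    $found = @(foreach ($root in $policyRoots) {
        Get-PolicyValue "Registry::HKEY_USERS\$mount\$root"
    })
    if ($found.Count -eq 0) { 'No policy values found in this hive.' }
    else { $found | Select-Object Key, Name, Value | Format-Table -AutoSize -Wrap }
}
finally {
    [gc]::Collect()                   # drop any remaining references to the loaded hive
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$mount" | Out-Null
}
```

Restrictions stored outside these two policy keys are not listed. Pointing `-HivePath` at a copy of an affected user's NTUSER.DAT gives a comparison against the default profile.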