Solved

admin has restricted terminal desktop Server 2003

Posted on 2011-02-15
Last Modified: 2013-12-04
We added a new terminal services user to a 2003 Windows domain and terminal server. We use default local profiles, no roaming. The user has restricted access: can't right-click on desktop icons, no access to the C drive via My Computer... which is not what we wanted for this user. We did at one time have a restricted desktop for some users in a separate OU implemented by a GPO. This user is not in that OU. Part of testing this issue was to set this user to a domain and local admin on the server... no change. Another existing user did not have this problem and had identical security perms and the same container. So I deleted that user's local terminal server profile. Now that user has the same problem and is an admin as well. I tried moving the users and the Citrix server into a newly created OU... gpupdate on the terminal server... I am not sure where to go from here. Why are my power users getting this restricted desktop?
Question by:desmarler

Expert Comment

by:gtfiji
ID: 34903094
It's possible that the terminal server has a local policy that restricts the users.  If that were the case, any users who ever had the good fortune of having a GPO relax their restrictions would still benefit from the relaxed settings even if they were moved out from under the scope of influence of that GPO.  That is, until you deleted their user profile, at which time they would be subject to the same restrictive settings that all new users experience.  Putting the server object into a new OU would do nothing at all to the users' restrictions (unless "loopback processing" happens to be turned on, in which case moving it around may or may not affect the users' experience, depending on the settings in the GPOs governing the OUs that you're moving the objects from or to).

So, to be clear. . .this is a user who can log on to a client machine and experience all of the unrestricted behavior, right?  It's only when he logs on to this terminal server that the restrictions occur?  If that's the case, run gpedit.msc on the terminal server, and look through the "User Configuration" settings to see if that's where the restrictions are coming from.

If, however,  the user is experiencing the restrictions on every desktop that he logs in to and you want to keep it that way, you'll have to turn on loopback processing on the terminal server.


Author Comment

by:desmarler
ID: 34903139
Correct, said users can log in to another system and DO NOT have the restrictions. Only when they log in to this terminal server. Ran gpedit.msc on the terminal server; none of the restricted settings are configured.

Assisted Solution

by:gtfiji
gtfiji earned 250 total points
ID: 34903355
Fascinating.  Without a local policy, the only way I can think of that I could force the kind of behavior that you're talking about is to set up either a WMI filter or a Security filter.  That would mean a GPO linked fairly high up in your OU hierarchy (like, at the Domain level) with a filter on it such that only the terminal servers have the policy apply to them.

Have you ever used the "Resultant Set of Policy" snap-in to the MMC?  It gives you pretty much the same information that's in the GPMC's web-based reports on modeling and results at the bottom of the screen, so you could use that instead, but I think the MMC snap-in is much more intuitive.  Just log on to the server as an administrator (I hope you can find at least one user with full access!), and run MMC, then load up the Resultant Set of Policy tool.  When you launch the tool, right-click on the words Resultant Set of Policy, and say "Generate RSoP Data".  Choose "Logging Mode" (equivalent to the web-based "Group Policy Results" report in the GPMC), choose the terminal server as the machine to test, then inspect any of the user profiles stored on that machine that are experiencing the restricted behavior.  You'll have the chance to dive down through the tool and discover what settings are configured.  Right-click on any setting, and you'll discover the name of the GPO that slapped that setting on the user.

Hope that points you in the right direction.

Accepted Solution

by:
desmarler earned 0 total points
ID: 34903508
I figured it out. Apparently the default terminal user profile had been modified with the restricted settings. I replaced the default profile on the affected terminal server with a working profile. Deleted the restricted users and logged on as them again and it is now working. Thanks for your quick responses.

Author Closing Comment

by:desmarler
ID: 34936612
Replacing the default profile solved the problem.
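
A check for the cause found in the accepted solution, as an added example that is not part of the original thread: it loads a profile's NTUSER.DAT and lists the values under the per-user Policies\Explorer and Policies\System keys, where restrictions such as NoViewContextMenu or NoDrives are stored. The default hive path and the mount name are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: list policy values baked into a (default) user profile hive.
param(
    # Assumed Server 2003 default-profile location; adjust for your system.
    [string]$HivePath = "$env:SystemDrive\Documents and Settings\Default User\NTUSER.DAT",
    # Temporary mount name under HKEY_USERS (arbitrary, chosen for this example).
    [string]$MountName = 'DefaultProfileCheck'
)

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive not found: $HivePath"
}

# Mount the hive so its contents can be read like any other registry key.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (needs admin rights; the hive must not be in use)"
}

try {
    foreach ($name in 'Explorer', 'System') {
        $key = "Registry::HKEY_USERS\$MountName\Software\Microsoft\Windows\CurrentVersion\Policies\$name"
        if (-not (Test-Path -LiteralPath $key)) {
            "[$name] no policy key in this profile"
            continue
        }
        $item = Get-Item -LiteralPath $key
        try {
            if ($item.ValueCount -eq 0) { "[$name] key exists, no values set" }
            foreach ($valueName in $item.GetValueNames()) {
                $value = $item.GetValue($valueName)
                # Binary values are shown as hex so they stay readable.
                if ($value -is [byte[]]) {
                    $value = ($value | ForEach-Object { $_.ToString('X2') }) -join ' '
                }
                "[{0}] {1} = {2}" -f $name, $valueName, $value
            }
        }
        finally { $item.Close() }   # open handles would block the unload
    }
}
finally {
    # Release any remaining registry handles, then unmount the hive.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Any value reported here is copied into every new profile created on the server, which matches the behaviour described once the existing local profiles were deleted.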