Solved

Terminal server access restriction

Posted on 2012-03-28
Last Modified: 2012-06-17
I need to grant terminal server access to a specific group of users with limited rights (only shutdown, log off and restart) through Group Policy.

Please advise.
Question by:psanjoy

Expert Comment

by:Tony1044
ID: 37775508
You need to create a group policy to apply to your terminal servers.

Ideally, these should be in their own OU.

Apply the restrictive group policy to your users, or preferably a group they are members of, and turn on loopback group policy processing.

Then knock yourself out with the policies - tweak them down as tight as you want, but bear in mind if you go too far you may prevent them being able to do anything at all.

Author Comment

by:psanjoy
ID: 37775909
Thanks for your support.

I have created a GP object and linked it to the servers OU. How can I link the same to a specific group of users?

Expert Comment

by:Tony1044
ID: 37775936

Expert Comment

by:Tony1044
ID: 37775939
Oh, remember there'll be a time delay before the policies take effect, and some (machine based) may require a restart of the servers whilst others (user based) may require a logoff and logon to take effect.

Worth bearing in mind if you have a policy or two that don't appear to kick in.

Also - you may want to be careful. When you say you've applied the policy to the servers OU if this is all servers and not just terminal servers, it'll apply across them all and you may get unintended results.

Author Comment

by:psanjoy
ID: 37781199
Thanks for your support.

I have created a GP object, linked it to the servers OU and applied it to a specific group. I added the effective user to the Remote Desktop Users group of the linked servers too.

But still the policy doesn't work properly. Please help me.

Expert Comment

by:Tony1044
ID: 37781207
Which settings did you apply?

If they are computer settings, remember to enable loopback policy processing in the group policy.

Author Comment

by:psanjoy
ID: 37781339
User Configuration -> Admin Templates -> Start Menu and Taskbar, then provided restrictions.

Expert Comment

by:Tony1044
ID: 37781351
Not being overwritten by other policies?

On one of the servers, can you log in as one of the (non) affected users and run rsop.msc?

This will then tell if the policies are at least being deployed.

Author Comment

by:psanjoy
ID: 37850743
How can I provide SHUTDOWN permissions to Remote Desktop users?

Expert Comment

by:Tony1044
ID: 37850772
Group policy.

But it's there by default and the following removes it:

Computer Configuration > Administrative Templates > System > Remove boot / Shutdown / logon / logoff status

Respectfully though, that's a separate issue to the one you originally raised and really should be a new question.

Author Comment

by:psanjoy
ID: 37850856
First of all, I am really sorry if I have confused you.

My exact requirement is that we have a few site offices with ISA servers. I just need to provide 'Shutdown privilege only' to Site IT Administrators, only on these ISA servers.

Therefore, I have created a separate OU in Active Directory and added those ISA servers to it.

Please help me to create a GP with only SHUTDOWN rights on Remote Desktop access to these servers.

Accepted Solution

by:Tony1044 (earned 500 total points)
ID: 37850869
Actually the apology is mine - I was confusing your question with a very similar one (title) that I'd been answering!

Ah I think I see what you require but correct me if I'm wrong:

Remove all privileges but allow the users in question to shut down the ISA servers?

If this is the case, you'd need to basically create an OU (I see you've done that), apply a group policy that will apply the restrictions you require and if necessary, block inheritance to prevent these changes being overwritten.

Have you tried your setting already? What do the users see (or not see)?

Author Comment

by:psanjoy
ID: 37963473
I have done the below configurations on the GPO for the AD group and server container. Please check.

* I have created a separate OU and moved these ISA servers into that.
* Created an AD group called 'Site Admin' and added the users, then associated this group with the Security Filtering of the GPO.
* Linked the ISA Servers OU to the newly created GPO (User Config -> Administrative Templates -> Start Menu & Taskbar with restrictions)
* Added the users to the 'Remote Desktop Users' group of the member servers.

Still the GPO policies are not getting activated. Please assist me to resolve.

Author Comment

by:psanjoy
ID: 38043325
I configured the above settings in the GPO, but still the policies are not getting replicated. Please assist me to resolve the issues.

Author Closing Comment

by:psanjoy
ID: 38092760
It is working now. Thanks for your valuable comment. You can close the case.
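The setup discussed in this thread (dedicated server OU, a GPO security-filtered to one group, loopback processing, then a resultant-set check), as an added PowerShell example that is not from either poster. The OU path and both GPO names are placeholders, and putting the loopback setting in its own GPO is an assumption made here so the servers still apply it when the user GPO is filtered to a single group.

```powershell
# Added example. Placeholders: the OU path and both GPO names.
Import-Module GroupPolicy

$ou        = 'OU=ISA Servers,DC=example,DC=com'  # placeholder DN
$userGroup = 'Site Admin'                        # group named in the thread
$loopGpo   = 'ISA - Enable Loopback'             # hypothetical name
$userGpo   = 'ISA - Site Admin Restrictions'     # hypothetical name

# 1. Computer-side GPO: turn on loopback. The servers themselves must apply
#    this one, so its default filtering (Authenticated Users) is left alone.
New-GPO -Name $loopGpo | Out-Null
Set-GPRegistryValue -Name $loopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null  # 1 = Merge, 2 = Replace
New-GPLink -Name $loopGpo -Target $ou | Out-Null

# 2. User-side GPO: holds the User Configuration restrictions (set them in
#    the GPMC editor). Linked to the server OU; loopback makes it reach users.
New-GPO -Name $userGpo | Out-Null
New-GPLink -Name $userGpo -Target $ou | Out-Null

# 3. Security filtering: only $userGroup applies it. Authenticated Users is
#    reduced to Read, not removed, so the GPO can still be read during processing.
Set-GPPermission -Name $userGpo -TargetName $userGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Review what was built: who can read/apply the GPO, and what the OU links.
Get-GPPermission -Name $userGpo -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
(Get-GPInheritance -Target $ou).GpoLinks |
    Format-Table DisplayName, Enabled, Order

# 5. On one of the servers, logged on as a member of $userGroup:
#      gpupdate /force
#      gpresult /scope user /r
#    The user GPO should appear under "Applied Group Policy Objects";
#    rsop.msc, as suggested in the thread, shows the same result graphically.
```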
