Terminal Server Best Practice GPOs

I have just recently deployed a terminal server for a small business with 5 users. I was wondering if someone here could help me apply the following restrictions; also, any other well-recommended restrictions in order not to let users screw up the server will be well appreciated. I have never used GPOs before, so detailed instructions are a must. Thanks a lot.

1. How to restrict users to access only certain websites?
2. How to restrict users from accessing the C drive? I would like to allow users access only to their user profile.
3. How to remove access to Control Panel and other menus? I will leave just the shortcuts on the desktop, nothing more.

Jian An Lim, Solutions Architect, Commented:
You only assign the users to Remote Desktop Users and Power Users; this removes most of the administrator rights.

For example, access will be removed, like accessing someone else's profile and changing system configuration in Control Panel, but it keeps the end user's capability to change whatever they want.

If it becomes unusable, just recreating their profile will do.

This is the easiest way to achieve what you want (except step 1; this is not a terminal server issue, rather a web browsing issue).

If you want to go further, GPO is the way forward.

you need a loopback policy like this

if you want to know more about which policy to turn on,

But for a 5-user company, I will take away their administrator rights on the terminal server; that will give them the flexibility and give you the protection.

jdff, Author, Commented:
What about the website control? This is the most important for me.

Muhammad Burhan, Manager I.T., Commented:
edit hosts file like       www.youtube.com       www.facebook.com       www.hotmail.com

and remove the proxy setting within each user's profile that will bypass the hosts file.

Jian An Lim, Solutions Architect, Commented:
Actually, thinking of that, install a DNS server locally.
Do not allow DNS to go out to external DNS unless it is an authorised website.

Point your terminal server to the DNS server.

However, this is very annoying, but you can fine-tune it until it is ready.

A better way is to get a web proxy service, but that becomes complex.

jdff, Author, Commented:
I need to get this done, can you please explain the process?

thank you

Jian An Lim, Solutions Architect, Commented:
1. Install a DNS server on the terminal server.

2. Configure the terminal server to use the local DNS (its own IP address).

3. Make sure you can't browse the internet (make sure you don't have (or delete) default forwarding).
https://technet.microsoft.com/en-us/library/cc816830(v=ws.10).aspx <-- MUST NOT BE CONFIGURED

4. configure conditional forwarding (for the domain you want to

Of course, this assumes that none of your users are administrators; if not, they can bypass this.

jdff, Author, Commented:
Jian, if I install a DNS server on the terminal server and point the server to the local DNS server it will stop talking to the domain controller, don't you think?

Jian An Lim, Solutions Architect, Commented:
You can do a lot more on a DNS server :)
For example, you can forward your domain controller related queries back to your main domain controller.

That is called conditional forwarding.
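
Added example, not part of the thread or any poster's code: a small Python model of the DNS allowlist described in the steps above, showing which names the terminal server's local DNS would forward, which would fail, and which would still leak out if default forwarding remained. The zone names and addresses are constructed placeholders; the model assumes longest-suffix matching on label boundaries and that a server with no forwarders still recurses when root hints are present.

```python
# Added example: a model of the resolution decision, not Windows DNS code.
# All zone names and IP addresses below are constructed placeholders.

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def match_zone(qname, zones):
    """Return the longest forwarder zone covering qname, or None.

    A zone covers a name only on a label boundary: "allowed.example"
    covers "www.allowed.example" but not "notallowed.example".
    """
    q, best = normalize(qname), None
    for zone in map(normalize, zones):
        if (q == zone or q.endswith("." + zone)) and len(zone) > len(best or ""):
            best = zone
    return best

def resolve_path(qname, forwarders, default_forwarders=(), root_hints=False):
    """Describe where the local DNS server would send a query."""
    zones = {normalize(k): v for k, v in forwarders.items()}
    zone = match_zone(qname, zones)
    if zone is not None:
        return f"forward to {zones[zone]} (zone {zone})"
    if default_forwarders:  # step 3 not done: every name resolves
        return f"LEAK: default forwarder {default_forwarders[0]}"
    if root_hints:  # assumption: server recurses from the root itself
        return "LEAK: recursion via root hints"
    return "fail: no path to resolve"

def audit(names, forwarders, **server):
    """Map each name to its resolution path for a given server config."""
    return {n: resolve_path(n, forwarders, **server) for n in names}

# Constructed sample configuration: one zone for the Active Directory
# domain (sent to the domain controller) and one permitted website.
FORWARDERS = {
    "corp.example": "192.0.2.10",
    "allowed.example": "198.51.100.53",
}
SAMPLE = ["dc1.corp.example", "www.allowed.example",
          "notallowed.example", "www.youtube.com"]

if __name__ == "__main__":
    for name, path in audit(SAMPLE, FORWARDERS).items():
        print(f"{name:22} {path}")
```

Running the audit with `root_hints=True` or a `default_forwarders` list shows every non-listed name as a leak, which is the condition step 3 is meant to rule out.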

Windows Server 2008

From novice to tech pro — start learning today.