Terminal Server Best Practice GPOs

I have just recently deployed a terminal server for a small business with 5 users. I was wondering if someone here could help me apply the following restrictions. Any other well-recommended restrictions to keep users from screwing up the server would also be appreciated. I have never used GPOs before, so detailed instructions are a must. Thanks a lot.

1. How to restrict users to access only certain websites?
2. How to restrict users from accessing the C drive? I would like to allow users access only to their user profile.
3. How to remove access to Control Panel and other menus? I will leave just the shortcuts on the desktop, nothing more.

Thanks
jdff Asked:

Jian An Lim, Solutions Architect, Commented:
Hi,
You only assign the user to Remote Desktop Users and Power Users; this removes most of the administrator rights.

For example, access will be removed, like accessing someone else's profile and changing system configuration in Control Panel, but it keeps the end user's capability to change whatever they want.

If it becomes unusable, just recreating their profile will do.

This is the easiest way to achieve what you want (except step 1; this is not a terminal server issue, but rather a web browsing issue).

If you want to go further, GPO is the way forward.

You need a loopback policy like this:
https://support.microsoft.com/en-us/kb/260370

If you want to know more about which policy to turn on:
https://technet.microsoft.com/en-us/library/cc770884(v=ws.10).aspx

But for a 5-user company, I will take away their administrator rights on the terminal server; that will give them the flexibility and give you the protection.
0
jdff (Author) Commented:
What about the website control? This is the most important for me.
0
Muhammad Burhan, Manager I.T., Commented:
Edit the hosts file like:
127.0.0.1       www.youtube.com
127.0.0.1       www.facebook.com
127.0.0.1       www.hotmail.com

and remove the proxy setting within each user's profile that will bypass the hosts file.
0

Jian An Lim, Solutions Architect, Commented:
Actually, thinking of that, install a DNS server locally.
Do not allow DNS to go out to external DNS unless it is an authorised website.

Point your terminal server to the DNS server.

Voilà.
However, this is very annoying, but you can fine-tune it until it is ready.

A better way is to get a web proxy service, but that becomes complex.
0
jdff (Author) Commented:
Limjianan,
I need to get this done. Can you please explain the process?

thank you
0
Jian An Lim, Solutions Architect, Commented:
1. Install a DNS server on the terminal server
https://technet.microsoft.com/en-us/library/cc725925.aspx?f=255&MSPPError=-2147217396

2. Configure the terminal server to use the local DNS (its own IP address)

3. Make sure you can't browse the internet (make sure you don't have (or delete) default forwarding)
https://technet.microsoft.com/en-us/library/cc816830(v=ws.10).aspx <-- MUST NOT BE CONFIGURED

4. Configure conditional forwarding (for the domain you want, to 8.8.8.8)
https://technet.microsoft.com/en-us/library/cc794735(v=ws.10).aspx


Of course, this assumes that none of your users are administrators; otherwise they can bypass this.
0
jdff (Author) Commented:
Jian, if I install a DNS server on the terminal server and point the server to the local DNS server it will stop talking to the domain controller, don't you think?
0
Jian An Lim, Solutions Architect, Commented:
You can do a lot more on a DNS server :)
For example, you can forward your domain controller related queries back to your main domain controller.

That is called conditional forwarding:
https://technet.microsoft.com/en-au/library/cc757172(v=ws.10).aspx
0
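
The DNS allowlist procedure from the steps above, together with the conditional forwarder for the domain controller from the last reply, as an added PowerShell example (not code posted by anyone in the thread). It assumes the DnsServer module of Windows Server 2012 or later; every domain name, IP address and the interface alias is a constructed placeholder, and the root-hint removal is an addition to the thread's steps.

```powershell
# Added example: DNS allowlist on the terminal server. Run elevated.
# All values below are constructed placeholders; replace them before use.
$AllowedDomains = 'example.com', 'example.org'  # sites users may reach
$PublicResolver = '8.8.8.8'                     # resolver named in the thread
$AdDomain       = 'corp.example'                # hypothetical AD DNS domain
$DomainCtrlIp   = '192.0.2.10'                  # hypothetical domain controller
$ServerIp       = '192.0.2.20'                  # hypothetical terminal server IP
$Nic            = 'Ethernet'                    # hypothetical interface alias

# Step 1: install the DNS Server role.
Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

# Step 3: no default forwarding. Root hints are removed too (not in the
# thread), because a server without forwarders recurses from the root hints.
$forwarders = (Get-DnsServerForwarder).IPAddress
if ($forwarders) { Remove-DnsServerForwarder -IPAddress $forwarders -Force }
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force

# Step 4: one conditional forwarder per allowed domain (covers subdomains),
# plus one that sends AD lookups to the domain controller so logons keep working.
$targets = @{}
foreach ($d in $AllowedDomains) { $targets[$d] = $PublicResolver }
$targets[$AdDomain] = $DomainCtrlIp
$existing = (Get-DnsServerZone).ZoneName
foreach ($zone in $targets.Keys) {
    if ($existing -notcontains $zone) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $targets[$zone]
    }
}

# Step 2: point the server at its own DNS service (last, so that the
# earlier steps still had working name resolution).
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $ServerIp

# Check: allowed and AD names resolve, anything else does not.
Clear-DnsServerCache -Force
function Test-Resolves([string]$Name) {
    [bool](Resolve-DnsName -Name $Name -Server $ServerIp -DnsOnly -ErrorAction SilentlyContinue)
}
$checks = [ordered]@{
    "www.$($AllowedDomains[0])" = $true    # on the allowlist
    $AdDomain                   = $true    # forwarded to the domain controller
    'www.youtube.com'           = $false   # not on the allowlist
}
foreach ($name in $checks.Keys) {
    $actual = Test-Resolves $name
    $status = if ($actual -eq $checks[$name]) { 'OK' } else { 'UNEXPECTED' }
    '{0,-24} resolves={1,-6} {2}' -f $name, $actual, $status
}
```

An `UNEXPECTED` line for the non-allowlisted name means the server still has a path to the internet for DNS (a leftover forwarder or repopulated root hints). The allowlist only holds while clients resolve through this server, so pair it with a firewall rule that lets only the DNS service send outbound port 53.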

Windows Server 2008

Question has a verified solution.