2003 SBS / 2003 terminal server config

Status
Not open for further replies.

tim55

IS-IT--Management
Sep 13, 2004
137
GB
We have a 2003 SBS with a separate member 2003 server (no Active Directory) set up solely for terminal server access, with remote users logging onto the domain via it.

In Active Directory on the SBS, we have created a TermServ security group and everyone needing remote access is added to it. On the TS, this group is then added to the Remote Desktop Users group in Computer Management Local Users and Groups.

This works fine, but now it is remote desktop lockdown time, which I assume would be best done via group policies on the SBS.

However, I can't find a 'best practice' for doing this. Can anyone outline the basic steps in setting up the servers for this lockdown?

Many thanks.
 
How do you mean? As in tighten the security on the TS machine?

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Hi. As it stands, every terminal server user has access to the Start menu and thus Control Panel etc. as well as My Computer and with a little careless messing around, they could shut down the server or worse. I basically need to stop them doing anything except run some programs from desktop links.

Tim
 
I have seen a number of explanations of how to go about this - create new OU, adapt GP as necessary, save it as new GP and apply it to new OU is the general idea - but it seems that any policies will apply to a user whether they log in via terminal services or are sitting at their desk.

I need the policy to ONLY apply to a user when logging in via the terminal server, in addition to which there may be two or three different groups of people who will be able to have greater (or lesser) access to the TS desktop.

If anyone could give me some easy steps to doing this, I would be very grateful.

Thanks.
 
If you have a set of different user names that purely use the terminal services machine, you can get away with just putting the users into the OU, and locking down the User configuration bit on its policy (the device config bit will be ignored).

If they are the same users, you need to use the loopback method.
 
But that would require additional CALs. Loopback processing is specifically for stuff like this.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
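
The loopback method named in the replies above, sketched as an added example that is not part of the original thread. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules (newer tooling than a 2003-era console); the OU name, computer name `TS01` and GPO names are placeholders, while `TermServ` is the group from the first post.

```powershell
# Added example: OU, computer and GPO names are placeholders, not values from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$tsOuName = 'Terminal Servers'            # hypothetical OU holding only the TS computer account
$tsOu     = "OU=$tsOuName,$domainDn"
$loopGpo  = 'TS - Loopback'               # hypothetical GPO names
$lockGpo  = 'TS - Desktop Lockdown'

# 1. Put the terminal server's computer account in its own OU.
#    User accounts stay where they are, so desk logons are unaffected.
New-ADOrganizationalUnit -Name $tsOuName -Path $domainDn
Get-ADComputer 'TS01' | Move-ADObject -TargetPath $tsOu

# 2. Computer-side GPO: enable user group policy loopback processing.
#    UserPolicyMode 1 = Merge (user's normal GPOs plus the TS OU's),
#    2 = Replace (only user settings from GPOs linked to the TS OU).
New-GPO -Name $loopGpo | Out-Null
Set-GPRegistryValue -Name $loopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loopGpo -Target $tsOu | Out-Null

# 3. User-side GPO linked to the same OU: it only reaches users because of loopback.
New-GPO -Name $lockGpo | Out-Null
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($policy in 'NoControlPanel', 'NoClose', 'NoRun') {
    # NoControlPanel hides Control Panel, NoClose removes Shut Down, NoRun removes Run.
    Set-GPRegistryValue -Name $lockGpo -Key $explorer `
        -ValueName $policy -Type DWord -Value 1 | Out-Null
}
New-GPLink -Name $lockGpo -Target $tsOu | Out-Null

# 4. Security filtering: only TermServ members apply the lockdown.
#    Authenticated Users keeps Read so the server can still read the GPO.
#    Administrators who are not in TermServ keep a full desktop.
Set-GPPermission -Name $lockGpo -TargetName 'TermServ' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $lockGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
```

For the two or three groups with different access levels mentioned in the question, repeat steps 3 and 4 with one lockdown GPO per security group. Run `gpupdate /force` on the terminal server and check the result with `gpresult` from a test user's session.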
 