Can a user be a member of two OUs with 2 seperate policies?

[xAOx]

Q: Can a user be a member of two OUs and policies would apply based on the hierarchy of the OUs?

Example: User Bob is a member of Domain Users and Terminal Users groups. When he is in the office, he logs in to the network from his laptop and uses network resources. When he is out of the office (out of state), he logs into his laptop with cached credentials and then uses Remote Desktop Connection to log into our terminal servers.

There are obviously two seperate policies for Domain Users that log into the network and for Terminal users that log in remotely. One is basic and the latter is very restrictive (cant view C:/, cant save passwords).

Is this possible?

 

[mrdenny]

No a user can't be in two ous.

However the user can be effected by two GPOs (which is I think what you are trying to do). Set the GPO based on the machine, not the user. This will assign different settings depending on the machine that the user logs into.

Basically place the terminal servers into a sepperate ou, and assign a specific GPO so the Terminal Servers GPO so that everyone is locked down when using the terminal server.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[NetIntruder]

There actually is a software that can accomplish this, though for the life of me I can't remember the name of it.

However, mrdenny has the right thought on this one anyhow.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 

[xAOx]

That's a pretty good idea mrdenny. My terminal server is also a backup domain controller (they replicate), so can I just place the GPO in the default 'DOMAIN CONTROLLERS' OU?

Thanks a bunch....

 

[mrdenny]

I wouldn't place the settings on the domain controlers GPO. I would create a new gpo with the settings and assign it to the specific machine in question.

It's also not a good idea to allow users RDP access to a domain controller. You may want to look at moving the DC functions off of the terminal server and on to another machine.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[xAOx]

My terminal server serves as my backup domain controller (through replication of AD, etc.) but users are RDPing to the Terminal Server not the actual Domain Controller. I am trying to make it as secure as possible through GPOs and looking into SecureRDP and other things that is why I ask.

So just to sum up your advice, I should implement a GPO specific to my Terminal Server machine (i.e DC2). This way anyone that RDPs into DC2 will automatically have the DC2 computer configuration settings applied?

 

[58sniper]

If you want it to be more secure, move TS to a separate server - and not the DC. That's generally considered a bad idea (having TS on a DC).

Pat Richard, MCSE MCSA:Messaging CNA MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[xAOx]

TS is its own server. It just serves as a backup to DC in case DC goes down. I have 3 servers; 1 DC, 1 TS, 1 Application Server. I would welcome any advice to make it 'more' secure but I think I have it pretty locked down with GPO settings and securerdp...

my only question is in what Container/OU do I put GPOs so that users will *only be effected when they use RDP* to connect to the terminal server and not just when there logging in on the network regularly. (like in example in first post).

 

[mrdenny]

You put the GPO on the OU that the server is in or on the server it self.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[TheLad]

xAOx - in W2K3 and AD, a Domain Controller is a Domain Controller, there are no PDC or BDC DC roles (athough some of the higher functions may reside on one DC). What the guys are trying to say is that it is advisable to not run a TS on a DC because whether or not you class this server as a backup to your "main" DC, this server is a DC in it's own right.

--------------------------------------
"Insert funny comment in here!"
--------------------------------------

 

[xAOx]

Oh I see. Sorry for the misunderstanding about that.
Well, that's how I was instructed to set it up and I know it is advisable to have a "backup" DC anyway. It would be quite expensive to purchase another server at this point JUST for Terminal Services. I understand the concern now but if anyone can point out why this is not a good idea, I am willing to listen and maybe discuss it with management.

But this thread has answered my original question so thanks guys.

 

[mrdenny]

By having the users RPD directly to a DC you are granting them physical access to the entire Active Directory password database.

It probably wouldn't be all that hard for a user (or hacker) to take control of the Active Directory database and pull out all the passwords or update the database and replicate those changes out (by say creating a new account with domain admin rights, changing passwords, etc).

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[xAOx]

Anything is possible. All it takes is a little research I guess

I am just going to hope for the best. I mean, I agree with your risk analysis but I was given these servers and these servers only. To ask for an additional server just for terminal services would probably not sound too well. I know the risk is overwhelming compared to the cost but that's why I hope strong password enforcement, tough GPOs, and secureRDP can prevent some of these things. I'll look into what else I can do.

 

[58sniper]

I think you should advise them that having TS on a DC is not a good idea, and recommend a stand alone box. If they disagree, fine. But you can throw that back at them when someone compromises the DC.

Pat Richard, MCSE MCSA:Messaging CNA MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[mrdenny]

Agreed. At this point to need to get in writing that you recommended moving the DC off of the TS so that when they overwride you in writting you can use that to CYA if something does happen.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com

 

[xAOx]

Since the Terminal server replicates the Domain controller, I just realized that I cannot create a GPO based on "Computer Configurations" because when I do edit the computer config part it says [dc.mydomain.com] instead of [ts.mydomain.com]. I am guessing this is because the TS is set as the backup DC and not its own computer server? Am i correct in this assessment?

Again, what I am trying to do is prohibit certain actions when users are not logging into the network (dc) but rather from out of state through terminal servers (ts).