GPO with Terminal Services, HELP PLZ URGENT

Corneliu

Technical User
Sep 16, 2002
I've been beating my head for the last 2 days to get this to work and I just can't figure this out:

I have offices from different places remoting into our server. We have the following:

1: DC Server = Windows 2000 running as PDC with Active Dir
2: Terminal Server = Windows 2000 running TS

The DC server is called SiteA
The Terminal Server is called WWW

When users remote in, they log on to the SiteA Domain, but keep in mind that the Terminal Server is running on WWW.

I am trying to figure out how to restrict users from accessing local hard drives, desktop settings, network computers etc etc. I know you can use GPO to do this, but I tried and it does not work.

This is what I did.

I created an OU in SiteA. Under that OU I created a Group Policy and removed all the things that I needed (changes to desktop, icons from desktop, rights to network, etc etc).
Then I went ahead and added the user names that remote in into that OU.

OU Name = TS-Users
Under OU, I added users (Janes, Michaelp, etc).

Now, when I test the connection (I use a local office PC to test the connection thru Remote Desktop Connection), I log on and the desktop still shows the network icon, I can make changes to the desktop, and I have access to the server's drives (the drives).

What am I doing wrong? Why does the Group Policy not take effect?

PLZ, if anyone can help me here I would really appreciate it very much.
Been trying this for a long time now and just can't put my hand on what I am doing wrong.

THANK YOU THANK YOU THANK YOU...
 
You say these machines connect remotely; are they on the same domain as the PDC? What type of connection is it, a VPN? When you apply the GP to these machines, are they all connected remotely? They won't pull the GP down sometimes if they're not connected first.

Have you tried connecting remotely to the server, then gpupdate from CMD? If not, create a local policy and restricted desktop. Have you checked what type of users you are trying to apply this policy to, i.e. check what level of access the users have?
 
The users are from different offices, and they are not on the same domain as the PDC.
They VPN in. I did not apply the GP to the machines, rather I applied it to the user IDs, so that when they log on, it would take effect, but apparently it did not.
I tried to do gpupdate, but I get an unknown command. I read about that on TechNet, but it did not help at all, don't know why.
The users are just regular users, no power rights or admin rights or anything like that.
Basically, the only way I found it to work is if I log on as the user, and then use PolEdit to edit their login. Once they log on, I can change the rights and save it to the registry, but I have to do this for each user separately and it can only be done when the user is logged on, which for 78 users takes a VERY VERY LONG time and I don't want to keep doing this all the time.

Can anyone help me here please?
Are there any logs where I can see why they are not taking effect?
Anyone, PLZ????
 
Open up the GPO, and go to User Configuration, Administrative Templates, Windows Components, Windows Explorer. There you will find the settings to restrict drives and such.

Also, on the Desktop settings you can set the wallpaper.

 
I did that and:

I am testing the user account as follows:

I go into Remote Desktop Connection and remote into the Terminal Server (I log on to the Domain SiteA; Terminal Server and DC cannot be on the same server). When I do this, the user has all the rights, drives, right to change control panel items, etc etc.

Now, I log on to the server SiteA with the user's ID and password from within the LAN. When I log on, the user has all the restrictions in place that I set (no drives, no access to control panel, etc etc).

Now, why is this? Is it different when you log on thru TS vs. log on to the Domain thru the local LAN????

I don't get this one. I followed the steps TechNet and some of the users here on Tek-Tips say to do and it still is not working when the user comes in thru Terminal Server.

Any clues? Can anyone help me PLZ PLZ?

Thank You...
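
As an added example, not part of any post in this thread: one way to compare what actually landed in the two sessions described above is to dump the Explorer policy key in each session (for instance with `reg query`) and diff the values. The sample outputs are constructed, the helper names are hypothetical, and a modern `reg.exe` output layout is assumed; `NoDrives`, `NoViewOnDrive` and `NoControlPanel` are the registry values behind the drive and Control Panel restrictions.

```python
import re

# Key where the Explorer user policies discussed in the thread are written
# once a GPO has actually applied to the logged-on user.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed `reg query` output, not captured from the poster's servers.
LAN_SESSION = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDrives    REG_DWORD    0x3ffffff
    NoViewOnDrive    REG_DWORD    0x3ffffff
    NoControlPanel    REG_DWORD    0x1
"""
TS_SESSION = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_policy(reg_output):
    """Return {value_name: int} for every REG_DWORD line in the output."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def drives_from_mask(mask):
    """Decode a NoDrives/NoViewOnDrive bitmask: bit 0 is A:, bit 25 is Z:."""
    return [chr(ord("A") + bit) for bit in range(26) if mask & (1 << bit)]

def missing_restrictions(expected, actual,
                         names=("NoDrives", "NoViewOnDrive", "NoControlPanel")):
    """Names whose bits are set in the reference session but not in this one."""
    report = []
    for name in names:
        want, got = expected.get(name, 0), actual.get(name, 0)
        if want & ~got:
            report.append(name)
    return report

if __name__ == "__main__":
    lan, ts = parse_policy(LAN_SESSION), parse_policy(TS_SESSION)
    print("LAN session hides:", "".join(drives_from_mask(lan.get("NoDrives", 0))))
    print("Missing in TS session:", missing_restrictions(lan, ts))
```
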
 
A couple of things to check.

Try using the IP Address to the terminal server...does it work then? If so, you have a DNS conflict and you are getting the wrong server using www.

gpupdate doesn't come with Windows 2000; try a restart of the server.

Are you using a roaming profile for terminal services but not for regular logons? This could make a difference.

Run a test of the policy results vs different machines, make sure no part of the GPO is blocked for testing.
 
I can use the IP or the DNS name WITHOUT any problems. These are normal profiles, not roaming.
The policy works whenever I log on from within the LAN (without Remote Connectivity) from ANY computer in the company, but yet the same user does not work when he/she tries it from Remote Connectivity thru Terminal Server.

Seems like the policy only works when you log on normally, but not when you remote into the TS Server.

If you create a GPO for a group of users and you test it and it works when you log on from within the LAN, shouldn't that work for users when they log on thru Terminal Server? Are there different GPOs for local LAN vs. Terminal Server?

All the accounts have been tested on the same server with the same user IDs, but within the local LAN. When tested thru Remote Connection, it does not work. It just does not make sense. Are there any logs I can look at to see why it did not work when the user remoted in? And if yes, where can I see those logs?

THANK YOU...
 