
Permissions for users via Terminal Services

Status
Not open for further replies.
Mar 29, 2006
Hi all,

I just got Terminal Services up and running on my 2003 Server.

But how can I enforce permissions?

What I mean is this...

Right now when a user signs on (using remote desktop) they have access to everything, mainly the Server's Drives, I obviously CANNOT have this. So what do I do?

Hope I've given enough detail.

Any help is greatly appreciated, thanks.
 
You have to login as an admin on that server and grant or deny permissions for that user.
Once they log in through terminal services, it's the same as if they were sitting in front of the server itself.


-Dave Summers-
 
Okay, I'll try that.

But can I stop them from seeing the local (local to the server) drives?

I'll post back, thanks.
 
I'm not sure if I got ahead of myself on this one so let me give some more info.

I got Terminal Services up and running fine (connected through Remote Desktop). But now I want to modify what the user can do when connected. By default it seems they can do anything and everything.

For normal logons to the server I'm using Script Logic to map drives, and set some permissions. I basically create new users through Active Directory Users and Computers, then map their profile to Script Logic, which handles it from there.

So I'm not sure, do I need to set up Group Policies now?

Basically what are the steps I need to take to enable Terminal Services with permission, hopefully based on Users.

I'm a little confused.

Thanks again.
 
I wanted to add...

I'd basically like to create a dummy desktop that loads when someone logs on.

And I'd have shortcuts on this dummy desktop of the apps they're allowed to run. They could either save the files they create to their home directory, or locally on the client I guess.

But that's it, they won't have access to anything else, My Computer, the Control Panel, etc.

Is what I want doable with Terminal Services?

Thanks again.
 
Yes, that's exactly what I needed, thanks a ton! How do you find all this stuff?!?!

Okay, I got the Group Policy permissions set the way I want, but I'm still missing something. How exactly do I tell Windows that the Policies I just created, apply to Terminal Server users?

I looked and looked and can't figure it out.

Thanks again for all the help.
 
Almost everything you ever need to know about Microsoft products can be found online at

If you search the knowledge base (see link on right) for phrases like "terminal server policies" or "mandatory desktop" you can find almost anything you're trying to do, any error you'll ever encounter, etc. Check it out, especially the "How to" section.

Back to terminal server policies:
Policies for controlling Terminal Services are found in two locations: Per-machine settings are found at Computer Configuration\Administrative Templates\Windows Components\Terminal Services

Per-user settings are found at User Configuration\Administrative Templates\Windows Components\Terminal Services

You can also set a few settings in Active Directory Users and Computers right on the user's terminal services profile.

Be careful changing policies. If you're on the terminal server, you want to make these changes to the local machine policies.

You can also do it using ADUC (Active Directory Users and Computers). If you don't have an OU called "Terminal Servers", create one. Then move your terminal server(s) into it. Now right-click on the folder and choose properties, then group policy. You can add the new group policy here, and it will only apply to the machines in this OU.

Again, be careful changing policies. If you make a bad policy change on the default domain policy or the default domain controller policy you might have problems.

Plans are worthless, planning is everything.

Good luck!
 
See, I've done all that except one thing, moving the Terminal Server into the new OU I created, but I don't see it. We only have one Server, I'm using this one server as the TS too. (please see screen shot--Onyx Terminal Server and Test are OUs I created)

Am I missing something totally obvious?

Thanks again for all your help.


ADUC1.jpg
 
If you only have one server it's the domain controller, right? Then don't move it. Just go into the local policy settings on your one server and make the policy changes in the "terminal services" section.
 
Yes, it's the Domain Controller.

I'll try the Local Policy Setting right now.
 
Well I think I'm giving up.

I've searched everywhere for local policy settings + terminal services and can't find anything. Are you sure that exists?

Why is this so difficult?
 
I think you already did it, if you used the group policy editor to set the settings. It defaults to your local machine policy.

Do Start, Run, GPEDIT.MSC

That gets you in to the policy editor.
 
Yes, you're right, I used GPEDIT.MSC to create the Policy, I named it Test GPO.

(BTW, I've tried putting it everywhere, right now it's under the Domain controller, but I have tried moving it around)


GP.jpg
 