Terminal Server - Microsoft KB325351

Status
Not open for further replies.

MasterPhil

IS-IT--Management
Jul 6, 2004
52
GB
I am trying to get my head round locking down terminal services so the users can't do anything except access one particular program.

According to that article, once I have used gpedit to lock down the server, I then have to log on to the server as every user that I want the lockdown to apply to before putting an open registry.pol back in the right place to allow the administrator to have full access.

Two problems:-

1. Surely this means that any new user I create will not have the locked down version of the policy.
2. I have to get 300 users to log into the server to get the lockdown policy before I can complete the process and if anyone is missed out they get the open policy.

This is crazy! I can't believe I have read this correctly!

Help?


Phil
 
Why not just do some of your own customizing using group policies and NTFS permissions? Piece of cake..

Lock down (permission wise or through GP's) everything except the program they want.

You can remove EVERY icon from the desktop that is important, lock down the start menu, control panel, display, cmd, bla bla bla... no need to be screwin with 300 logins..

Here, in your AD Users and Computers, create (if you haven't already) a separate OU for your users. Then create a GP for that single OU. Then go to the properties of that GP and under User Configuration of it, hit the System section, Desktop, Start Menu and Taskbar, Control Panel, Explorer, there's probably more, but it should only take you a couple of minutes.

Good luck
snoots
 
Won't that also lock down their existing desktops?

I only want to lock down the terminal server desktop and as the AD domain sits on a W2K box it lacks a lot of the W2k3 TS options...... I think.
 
So, the terminal server is a 2k3 machine and AD is currently running on a 2k DC. k.. um.....

It shouldn't matter! You should be able to lock down whatever you want via GP. And, if you can't do it with that, that's what I was saying use the NTFS permissions on it. Even on the Start menu if you want!
 
You could put the terminal servers in their own OU, set a new GP in that OU and tie it down. In that OU GP also set Computer config\administrative templates\system\group policy to enabled and configured for either Merge or Replace. This will then either merge the new policy with the user's current policy or replace it. But only when they log onto one of those terminal servers.
( I think !!!! )
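
The loopback approach described in the last reply, as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, so newer than the W2K/2003 setup discussed here); the GPO name, OU path and the particular restrictions are hypothetical.

```powershell
# Added example: a GPO linked to the terminal servers' OU that turns on
# loopback processing, so its USER settings apply only to sessions on those servers.
Import-Module GroupPolicy

$GpoName = 'TS-Lockdown'                              # hypothetical GPO name
$TsOu    = 'OU=TerminalServers,DC=example,DC=local'   # hypothetical OU holding the TS computer accounts

New-GPO -Name $GpoName -Comment 'User lockdown for terminal server sessions only' | Out-Null

# Computer side: loopback processing mode. 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User side: a few of the restrictions mentioned in the thread.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userSettings = @(
    @{ Key = $explorer; Name = 'NoControlPanel'; Value = 1 },   # no Control Panel
    @{ Key = $explorer; Name = 'NoRun';          Value = 1 },   # no Run on the Start menu
    @{ Key = $explorer; Name = 'NoDesktop';      Value = 1 },   # hide all desktop items
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System';
       Name = 'DisableCMD'; Value = 1 }                         # no command prompt
)
foreach ($s in $userSettings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key `
        -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Link to the terminal server OU only; users' own workstations are not in scope.
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null

# Run on a terminal server after 'gpupdate /force' to confirm the mode arrived.
function Get-LoopbackMode {
    $key  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode `
                -ErrorAction SilentlyContinue).UserPolicyMode
    if     ($mode -eq 1) { 'Merge' }
    elseif ($mode -eq 2) { 'Replace' }
    else                 { 'Not configured' }
}
```

Loopback applies the user settings to every account that logs on to those servers, administrators included, unless the GPO's security filtering excludes them.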
 