User Settings--Logged on to Domain vs. RDP Terminal Services

Status
Not open for further replies.

ShawnF

IS-IT--Management
Oct 1, 2001
Hello,

I've been trying to find information for some time now on how to handle user accounts for people that sometimes log on to a Windows 2000 domain on their "office" desktop computers with XP Pro, then sometimes go on the road with a laptop computer and tie in to our network via Terminal Services (remote desktop connection). The Terminal Services environment is very locked down for these users so they can't do things like shut the server off, gain access to the My Computer Icon, Recycle Bin, etc....

The specific trouble I'm having setting up these accounts is if I make a special Organizational Unit for these users with all the restrictions in place for the Terminal Services connection via laptop computer, then these restrictions also affect their environment when they are logging on to the domain directly from their desktop PC's. Obviously, I don't want that to happen!

To work around this, I've had to create second logins for these people (e.g. george and george2), but this has gotten really tricky with Outlook 2000 E-mail set up for an Exchange 2000 server as I have the secondary login pointing to view the mail of the first login. It "works" and E-mail can be viewed, but when I try to reply or forward an E-mail, I get an error that says I do not have permission to send on behalf of the user. I already have the secondary user set up as a delegate with full permissions for the primary user account. I can send new E-mails no problem--just can't reply.

I tried specifying Organizational Unit restrictions based on the computer the person is logging on to, but those restrictions aren't taking effect....

Hopefully this all makes sense to someone, as I've been struggling with it for many months.

Thanks,

ShawnF
 
So, why don't you set up Local Policy on the TS server?
 
Because I limit the user's environment through the Active Directory Organizational Units I've made, and those capabilities are not the same as the local domain policy. I want to be able to hide desktop icons, limit program and drive access, and limit the ability to change settings, add/remove software or hardware. If I recall correctly, most (if not all) of these settings are not available in the local domain policy.
 
ShawnF,

Have you found a solution to this problem yet? I am currently dealing with the same situation here. Thanks for any info.

Brian
 
There is a solution to your problem. It is the Loopback processing. In group policies it can be found in Computer Configuration\Administrative Templates\System\Group Policy and the name of the policy is "User Group Policy Loopback Processing Mode"

I highly suggest looking into it because it does EXACTLY what you are trying to do. As you read through it, it sounds confusing, but it really is simple.

Think of it this way... You have a user in the "Standard User" OU. This user logs into their desktop and gets whatever GPOs are applied to them in their OU, right? Ok... Now this user logs into the terminal server. This user gets their locked down user policy, the same as their desktop. To solve this: Put your Terminal Servers in their own OU, set a GPO on it to Enable Loopback Processing Mode - probably in Replace mode (which as you see is a Computer Policy). Now with this enabled you can set USER CONFIGURATION policies on the terminal server. When your users log into the terminal server their group policies from their OU are stripped out (replaced) by the Terminal Server computer AND user configuration settings. Voilà!

Only one set of usernames to worry about and the ability to assign computer and user configuration to a machine not directly to a user.

That should help you out, because I went through the same thing a year ago. But loopback fixed it.

Good luck,

-Matt
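The procedure Matt describes above (a dedicated OU for the terminal servers, one GPO linked to it with loopback processing in Replace mode, and the lockdown settings in that GPO's User Configuration) looks like this in today's tooling. This is an added example and not code from the original thread or from any Tek-Tips poster; the 2001 thread predates the GroupPolicy PowerShell module, so this is the same design expressed with modern RSAT cmdlets. The domain `example.com`, the OU name "Terminal Servers", the GPO name "TS Lockdown", the server name TS01, the group TS-Users and the user `george` are all assumptions for illustration.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory and
# GroupPolicy RSAT modules, a domain DC=example,DC=com, a terminal server TS01,
# and a group "TS-Users" that holds the people who RDP in from the road.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain  = 'DC=example,DC=com'
$OuName  = 'Terminal Servers'
$OuDn    = "OU=$OuName,$Domain"
$GpoName = 'TS Lockdown'

# 1. Give the terminal servers their own OU and move the host(s) into it.
#    The user accounts stay where they are; nothing about their OU changes.
if (-not (Get-ADOrganizationalUnit -Identity $OuDn -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain
}
Get-ADComputer -Identity 'TS01' | Move-ADObject -TargetPath $OuDn

# 2. Create the lockdown GPO and link it to the terminal-server OU only.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$alreadyLinked = (Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 3. Computer Configuration\Administrative Templates\System\Group Policy\
#    "User Group Policy loopback processing mode". 2 = Replace (only the user
#    settings from GPOs that apply to the computer are used), 1 = Merge.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. User Configuration settings that, thanks to loopback, take effect only
#    when someone logs on to a machine in the Terminal Servers OU. These are
#    the registry values behind the Administrative Template policies named
#    in the comments.
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$NonEnum  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum'
$UserSettings = @(
    # Remove and prevent access to the Shut Down command
    @{ Key = $Explorer; ValueName = 'NoClose';        Value = 1 },
    # Remove Recycle Bin icon from desktop
    @{ Key = $NonEnum;  ValueName = '{645FF040-5081-101B-9F08-00AA002F954E}'; Value = 1 },
    # Remove My Computer icon on the desktop
    @{ Key = $NonEnum;  ValueName = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'; Value = 1 },
    # Prohibit access to Control Panel (Add/Remove Programs, hardware wizards)
    @{ Key = $Explorer; ValueName = 'NoControlPanel'; Value = 1 },
    # Hide (NoDrives) and block (NoViewOnDrive) local drives A: to D:;
    # bitmask A=1, B=2, C=4, D=8 -> 15
    @{ Key = $Explorer; ValueName = 'NoDrives';       Value = 15 },
    @{ Key = $Explorer; ValueName = 'NoViewOnDrive';  Value = 15 }
)
foreach ($s in $UserSettings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName `
        -Type DWord -Value $s.Value | Out-Null
}

# 5. Security filtering. In Replace mode the GPO's user settings hit every
#    interactive logon on TS01, admins included. Scope "Apply" to the computer
#    (it must still apply the loopback setting itself) and to the TS-Users
#    group; everyone else keeps Read so policy processing still works.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'TS01'     -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'TS-Users' -TargetType Group    -PermissionLevel GpoApply | Out-Null

# 6. Check the result: RSoP for george on TS01 should list the loopback mode
#    and the user settings above; RSoP for george on his desktop should not.
Get-GPResultantSetOfPolicy -Computer 'TS01' -User 'example\george' `
    -ReportType Html -Path "$env:TEMP\rsop-ts01-george.html"
```

Run `gpupdate /force` on TS01 (and have a test user log off and back on) before trusting the report. Two practitioner checks on this design: a local administrator who logs on to TS01 and is a member of TS-Users gets the lockdown too, so keep admin accounts out of that group; and any GPO linked higher up (site, domain) whose User Configuration is not disabled still applies to TS01 sessions under Replace mode, because Replace takes the user settings from every GPO that applies to the computer, not only from this one.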
 