Re: Terminal Server on Domain Controller (yes, i know)
- From: Dennis Procopio <DennisProcopio@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 May 2005 06:45:15 -0700
Thanks,
I considered trying that out, but wasn't sure exactly what it did, couldn't
follow the description that well. I'm going to try it anyway, but if you
could elaborate I'd appreciate it.
Thanks!
"Vera Noest [MVP]" wrote:
> If you just define a TS-specific roaming profile, users will get a
> copy of the Default User profile on the Terminal Server, which
> should be without any special settings. If you want to, you can
> first modify the Default User profile with a test account.
>
> But it's not really the profile that's your problem (although I
> absolutely recommend you to create TS-specific profiles to avoid
> profile corruption!), it's the Group Policy with the Folder
> Redirection.
>
> In a normal setup, with the TS a member server in the domain, you
> could easily solve this problem by defining a separate Group Policy
> for the Terminal Server, and use "loopback processing" with the
> "Replace" option, to avoid that the Group Policy with the Folder
> Redirection affects the users when they log onto the TS.
> I'm not sure if this also works when the TS is a Domain Controller.
> I always believed that it didn't, but a couple of weeks ago someone
> reported that it did work in those situations as well. I haven't
> tried it myself, but you could easily test it.
>
> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> Dennis Procopio
> <DennisProcopio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 20 May 2005 in
> microsoft.public.win2000.termserv.apps:
>
> > I thought of this. However, the group policy (which includes
> > folder redirection), which I think might be causing the problem,
> > would still be inherited for the user's login, would it not?
> > What's the best way to create a very simple mandatory profile
> > that includes virtually nothing but this application that I need
> > to run? Any ideas? Thanks!
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> You cannot logon without a profile, and I would avoid at all
> >> costs to create a separate user account for each user.
> >> But what you should do is define a separate TS-specific profile
> >> for each user in their AD account properties.
> >>
> >> --
> >> Vera Noest
> >> MCSE,CCEA, Microsoft MVP - Terminal Server
> >> http://hem.fyristorg.com/vera/IT
> >> *----------- Please reply in newsgroup -------------*
> >>
> >> Dennis Procopio
> >> <DennisProcopio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 20 May
> >> 2005:
> >>
> >> > Windows 2003 SP1 Domain Controller
> >> > Terminal services environment (had to install on DC, only 1
> >> > server) XP/2k workstations
> >> > Local profiles
> >> >
> >> >
> >> > I am hosting an application on a TS server (loads at TS logon
> >> > as indicated in TS Configuration.) The users have local
> >> > profiles on their systems, but authenticate to the domain via
> >> > AD (obviously.) When they use remote desktop to connect to
> >> > the domain controller's terminal services environment they
> >> > authenticate using the very same AD username/password. Their
> >> > usernames are in a "Main Office" OU, with a policy placed on
> >> > it for folder redirection, among other things, but FD seems
> >> > to be a big problem here. When logging off of the terminal
> >> > server (sometimes logging on, but not as drastic), the
> >> > session hangs. Therefore they need to disconnect and wait for
> >> > the 1 minute to pass in order for the server to reset the
> >> > session. Because they have "Log on via terminal services"
> >> > rights as set in the Domain Controller GPO, local profiles
> >> > are on the DC for each user. I'm thinking...how can I
> >> > authenticate these users to this domain controller's terminal
> >> > services without loading their profile, but allow their
> >> > profile to load when they log in locally to their machine
> >> > (and retain the "Main Office" GPO)? Can I simply start an
> >> > application for each user that logs in without having to
> >> > load/unload a profile? If I have to go the route of creating
> >> > new TS user objects for each existing user (which I could if
> >> > need be), and putting them in their own OU, what is the most
> >> > streamlined way of doing this if they are only using one
> >> > application under terminal services? Any suggestions on
> >> > securing the DC against these users? Please note that the
> >> > application they use also brings up wordpad, so I can't
> >> > restrict access to that. I know this is a mess, no IT
> >> > budget, just started here and trying to secure this server.
> >> > Thanks!
>
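
The separate Terminal Server policy with loopback processing in "Replace" mode, as described in the quoted reply above, sketched as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (which postdates this thread), a Terminal Server that is a member server in its own OU, and a hypothetical GPO name and OU path.

```powershell
# Added example, not from the thread. Run steps 1-3 from an admin workstation
# with the GroupPolicy module installed; run step 4 on the Terminal Server.
Import-Module GroupPolicy

# Hypothetical names: replace with your own GPO name and OU.
$GpoName  = 'TS - Loopback Replace'
$TargetOu = 'OU=Terminal Servers,DC=example,DC=local'

# 1. Create the GPO that will hold the user settings for TS sessions only.
New-GPO -Name $GpoName -Comment 'User settings applied only in Terminal Server sessions' | Out-Null

# 2. Turn on "User Group Policy loopback processing mode" in that GPO.
#    The policy is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
#    Replace means user settings come only from GPOs that apply to the
#    computer, so a Folder Redirection GPO linked to the users' OU is skipped.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Link the GPO to the OU that contains the Terminal Server computer account.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 4. On the Terminal Server, after "gpupdate /force", confirm what is in effect.
function Get-LoopbackMode {
    $path  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $entry = Get-ItemProperty -Path $path -Name 'UserPolicyMode' -ErrorAction SilentlyContinue
    if ($null -eq $entry)               { return 'Not configured' }
    if ($entry.UserPolicyMode -eq 2)    { return 'Replace' }
    if ($entry.UserPolicyMode -eq 1)    { return 'Merge' }
    return "Unknown value $($entry.UserPolicyMode)"
}

Get-LoopbackMode
```

If step 4 reports "Replace" but Folder Redirection still applies in a test session, the resultant set of policy for that session shows which GPO is delivering it.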