Re: Securing TS environment

From: Vera Noest [MVP] (Vera.Noest_at_remove-this.hem.utfors.se)
Date: 12/09/04


Date: Thu, 09 Dec 2004 07:18:22 -0800

Yes, assuming you have an AD domain, create the security group for
restricted users in the AD. And that's also where you define GPOs.
You might want to do some reading on Group Policies; explaining
the ins and outs of GPOs is beyond the scope of this newsgroup.
And the articles I referenced already contain quite detailed info.

 --
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

stockcarsrus
<stockcarsrus@discussions.microsoft.com> wrote on 09 dec 2004:

> Thanks Vera,
>
> I do not however know where to do step 1 and step 2 and I guess
> 3 then. I would need some detailed instructions if possible. I
> assume that this is done on the domain controller, Active
> Directory Users and Computers... but not sure.
>
> Thanks
>
>
> "Vera Noest [MVP]" wrote:
>
>> 1. Create a security group called "Restricted Users" (or
>> something to your liking; this is not a preserved name)
>> 2. Define a restrictive GPO, link it to the OU that contains
>> your Terminal Server, use "loopback processing" of the GPO with
>> the "Replace" option.
>> 3. Edit the Security settings of the GPO, add the Terminal
>> Server computer account and the user group "Restricted Users"
>> to the list and give them "Read" and "Apply this GPO" rights.
>> Make sure that Administrators have "Deny" for "Apply this GPO"
>> and remove "Authenticated users" from the list
>>
>> 231287 - Loopback Processing of Group Policy
>> http://support.microsoft.com/?kbid=231287
>>
>> 816100 - How To Prevent Domain Group Policies from Applying to
>> Administrator Accounts and Selected Users in Windows Server 2003
>> http://support.microsoft.com/?kbid=816100
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> stockcarsrus
>> <stockcarsrus@discussions.microsoft.com> wrote on 08 dec 2004
>> in microsoft.public.win2000.termserv.clients:
>>
>> > I have users with thin clients connecting to a terminal
>> > server. I would like to restrict some of the users to not be
>> > able to see the following: control panel, network
>> > neighborhood, Run buttons, drive letters etc. There are some
>> > users that like to "Play" and I would like to only allow
>> > these particular users to have access to the applications
>> > that I have on their desktops. How do I go about doing this?
>> > I don't want to restrict all users, just a few.
>> >
>> > Thanks
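
The three quoted steps, scripted as an added example that is not part of the original thread. It assumes a domain where the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are available; the GPO name, OU paths, host name `TS01` and the three Explorer restrictions are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. All names and paths are assumed placeholders.
Import-Module ActiveDirectory, GroupPolicy

$groupName = 'Restricted Users'
$gpoName   = 'TS Restricted Desktop'                   # hypothetical GPO name
$tsOU      = 'OU=Terminal Servers,DC=example,DC=com'   # OU that contains the Terminal Server
$groupOU   = 'OU=Groups,DC=example,DC=com'             # where the group is created
$tsHost    = 'TS01'                                    # Terminal Server computer account

# Step 1: security group for the users to be locked down.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOU

# Step 2: create the GPO, link it to the Terminal Server OU, and turn on
# loopback processing in Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $tsOU -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Example user-side restrictions matching the original question:
# no Control Panel, no Run command, hide drives A-Z in Explorer (26-bit mask).
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$settings = @{ NoControlPanel = 1; NoRun = 1; NoDrives = 67108863 }
foreach ($s in $settings.GetEnumerator()) {
    Set-GPRegistryValue -Name $gpoName -Key $explorer `
        -ValueName $s.Key -Type DWord -Value $s.Value | Out-Null
}

# Step 3: security filtering. GpoApply grants both "Read" and "Apply".
# Grant the server and the group first, then remove Authenticated Users,
# so the GPO is never left without a trustee that can read it.
Set-GPPermission -Name $gpoName -TargetName $tsHost -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Set-GPPermission has no Deny level: the "Deny" on "Apply this GPO" for
# Administrators is added in the GPO's advanced security dialog.

# Check: list the resulting trustees and permission levels on the GPO.
Get-GPPermission -Name $gpoName -All
```

After the next policy refresh, running `gpresult` in a session of a "Restricted Users" member and in an administrator session on the Terminal Server shows whether the GPO is applied or filtered out for each.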