Re: win2003 terminal server network

From: Filippo (inutile_at_nospam.com)
Date: 02/17/04


Date: Tue, 17 Feb 2004 19:31:09 +0100

Hi Jeff,

I am sorry, but my explanation was not good at all! :-)

I logged in the TS as regular user to test what I could do and what I could
not.

I didn't want to install an application and I don't want users to do it.
I was surprised that the installation process was started at all, so I went
through it to see what happened.

I applied all the restrictions mentioned in the documents you pointed me to,
but a regular user is still able to run an installation process that writes
directly to C drive

I want to disable this!, not to allow!!
------------------------------

The server we are talking about is a regular Win2003 server + Exchange, not
an SBS,
and I know that it is very insecure to use a DC as a TS in App mode, and I
had a fight with the customer about that, but that was his decision....

About the memory question, attached you will find a print screen of the
processes tab of task manager while no users connected to the server.

P.S.: I apologize for my English

"Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
news:ea15tGK9DHA.2760@TK2MSFTNGP09.phx.gbl...
> To install any application on a TS Apps mode server, you need to run the
> installation program by going to the Control Panel | Add/Remove Programs and
> choose the installation routine from there. You can't just click an icon on
> the desktop from any users session, but you can run the program from
> Add/Remove that way. In any case, only an Administrator priv user can run
> installation of software.
>
> You should avoid installing shared applications in the manner you described.
> In the case you just mentioned, it probably failed because you were running
> as a regular user, not an Administrator.
>
> You should be aware that by making this a Domain Controller, you are adding
> unnecessary overhead to the computer operations, and this also means that
> you will be allowing all users who need to use the computer in Apps mode TS
> sessions to be logging onto a DC, and that's a security problem.
>
> If you had sane reason to allow all users to add programs on their own (I
> can't imagine this), you would have to make them all members of the
> Administrator's group for this workstation, but that makes them all Domain
> Administrators. You are really on the edge of being out of control of this
> machine.
>
> It is not normal for a Windows Server to consume that much memory without
> something else running. However, despite the earlier part of the
> thread.....I get the feeling that you are telling me you are talking about
> the SBS is this computer in question?
>
> You can run Task Manager to see what processes are consuming the large
> portion of RAM, and report that back here for more advice.
>
>
> "Filippo" <inutile@nospam.com> wrote in message
> news:%23XFbc$H9DHA.632@TK2MSFTNGP12.phx.gbl...
> > Hi Jeff, I am here again!
> >
> > I have installed the server and configured it according to the document you
> > pointed me to.
> >
> > Everything seems to run fine, but I have two more questions:
> >
> > - I logged into terminal server as a standard user, downloaded a program
> > from a web (accounting program)
> > I ran the .exe to install it and I WAS ABLE TO COMPLETE THE INSTALLATION
> > process.
> >
> > The program created a folder in C: drive even if the user had no write
> > access to c:
> > Just the ODBC driver installation failed.
> >
> > How can I avoid this???
> >
> >
> > - second question: the terminal server is also domain controller, it has
> > exchange, veritas backup exec and antivirus software (I know this is VERY
> > bad, but I was instructed to do exactly this) and when it is idle (no user
> > logged in, no programs running) it eats more than 4 Gb of memory (the server
> > has 3 Gb installed)...
> > ... is this normal???
> >
> >
> > Thank you again and again and sorry for bothering you (and all the NG) with
> > this question...
> >
> > Filippo
> >
> > "Filippo" <inutile@nospam.com> wrote in message
> > news:ufbhW177DHA.632@TK2MSFTNGP12.phx.gbl...
> > > Thank you again Jeff,
> > >
> > > I read all the documents you suggested and I found all of them very
> > > interesting.
> > >
> > > I installed the server and some application:
> > >
> > > - Exchange 2003
> > > - Veritas Backup Exec 9.1
> > > - Network Associates VirusScan 7.1 + GroupShield 6.0
> > >
> > > I will install IBM ClientAccess for AS400 and Office2003
> > >
> > >
> > > "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> > > news:OHdgzio6DHA.1948@TK2MSFTNGP12.phx.gbl...
> > > > He's referring to Active Directory which is the core of the Microsoft
> > > > Networking and Authentication process. In other words, when you connect
> > > > computers together in your network, and you have users logon for sessions,
> > > > the computers and the users need to have identities so that everything can
> > > > be authenticated to support and control access. Though it's unlikely that
> > > > you are doing this with the AS/400, it's not impossible I suppose. More
> > > > likely is that the AS/400 is hosting a particular set of applications and
> > > > that you plan to run the rest of the network with a Windows Domain, using
> > > > Active Directory to maintain all the accounts.
> > > >
> > > > When you install SBS, it is a core part of the installation that SBS
> > > > establishes a new domain, and that is managed by the Active Directory
> > > > services that install automatically. From there, you create all the user
> > > > accounts you need, and then add the Windows based computers to the domain as
> > > > well. Once both of these steps are completed, you now have a feature
> > > > available to you known as Group Policies. Group Policies are a function
> > > > configuration of features for the computers and user sessions that allow
> > > > dynamic configuration when the computer is started, or when a user logs on.
> > > > The dynamic aspect means that you can configure all of this at a single
> > > > location on the SBS as the AD Domain Controller for your network, and Group
> > > > Policies are the mechanism that "pushes" the dynamic configuration to each
> > > > computer on demand.
> > > >
> > > > Therefore, in order to use Group Policies, you must have an AD Domain, you must
> > > > have the user and workstation involved as a member of that domain, and from
> > > > there you must go about configuring the individual policies and policy
> > > > settings in each policy you want to apply. Robert is suggesting that your
> > > > interest can be addressed in that way.
> > > >
> > > > If for some reason you were not able to meet all the conditions I just
> > > > identified, then it can still be accomplished by manually setting the
> > > > conditions as a "Static" not a dynamic policy on that specific computer. In
> > > > this way, the computer need not be part of a domain, or in fact you wouldn't
> > > > even need a domain for this purpose. However, this requires implementation
> > > > individually at each workstation, and you lose some ability to filter this
> > > > stuff on a per user basis.
> > > >
> > > >
> > > > "Filippo" <inutile@nospam.com> wrote in message
> > > > news:eYp2NOn6DHA.2300@TK2MSFTNGP10.phx.gbl...
> > > > > Thank you Robert.
> > > > >
> > > > > One more question:
> > > > >
> > > > > You say "if you have a AD domain": since I am installing the new Win2003 server
> > > > > I suppose I should install AD too, right?
> > > > >
> > > > > this will be the only server on the network (plus the AS400 mainframe)
> > > > >
> > > > > Thanks again,
> > > > >
> > > > > Filippo
> > > > >
> > > > >
> > > > > "Robert King [MSFT]" <a-rking@online.microsoft.com> wrote in message
> > > > > news:ZR0WIkm6DHA.3032@cpmsftngxa07.phx.gbl...
> > > > > > Use Group Policy. If you have a AD domain, you'll want to implement from
> > > > > > the Active Directory Users and Computers. If no, then you can use the
> > > > > > local policy on the 2k3 server and yes this is off subject. Here is a link
> > > > > > for you.
> > > > > >
> > > > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/techref/W2K3TR_gp_intro.asp
> > > > > >
> > > > > > Robert King
> > > > > > Microsoft Product Support Specialist
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > >
> > > > > > --------------------
> > > > > > |
> > > > > > | This is probably off topic, but I don't know where to post it and this
> > > > > > | newsgroup is so cool!
> > > > > > |
> > > > > > | I have a customer with a network w/ 20 pc (win98 and win2000) and a
> > > > > > | mainframe for accounting software and file server.
> > > > > > |
> > > > > > | We are installing a windows 2003 terminal server.
> > > > > > |
> > > > > > | I wish to run all the applications on the server and keep only iexplorer on
> > > > > > | the workstations, so, even if users surf websites or check their mail from
> > > > > > | the web they don't infect the server or waste server time.
> > > > > > |
> > > > > > | My question is:
> > > > > > |
> > > > > > | how do I do this?
> > > > > > |
> > > > > > | I would like to block all access to the server (mail ports, file sharing,
> > > > > > | etc) and keep only TS port available to clients.
> > > > > > |
> > > > > > | I want to lock down workstations so that users can't change too many
> > > > > > | settings or install apps.
> > > > > > |
> > > > > > | I want to define a default desktop for groups of users.
> > > > > > |
> > > > > > | One more question:
> > > > > > | I have 10 OEM licences for Office 2003 Basic: can I use these CDs to install
> > > > > > | on Terminal Server (provided that I own the appropriate TS CALs)
> > > > > > |
> > > > > > | Thanks,
> > > > > > |
> > > > > > | Filippo
> > > > > > |
> > > > > > |
> > > > > > |


