RE: TS User Lockdown
From: Patrick Rouse [MVP] (PatrickRouseMVP_at_discussions.microsoft.com)
Date: 10/25/04
- Next message: Patrick Rouse [MVP]: "RE: Users Prompted to unlock TS screen after idle."
- Previous message: efrylink: "We are needing to deploy a flat bed scanner."
- In reply to: Graham: "RE: TS User Lockdown"
- Next in thread: Graham: "RE: TS User Lockdown"
- Reply: Graham: "RE: TS User Lockdown"
- Reply: Vera Noest [MVP]: "RE: TS User Lockdown"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 25 Oct 2004 11:43:06 -0700
I think in the case of a DC you may be SOL.
I'd check in a Group Policy or Active Directory forum with one of their
experts to see what can be done, as I wouldn't advise making changes to your
default domain controllers GPO that could cause unintended effects.
This is one of the reasons why it's not recommended to run an application
server on a DC.
Perhaps Vera will see this and double-check my math.
Sorry I don't have a concrete answer for you on this matter, but I just
don't do many deployments of Terminal Server or Citrix on Domain Controllers.
Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
"Graham" wrote:
> Hi Patrick,
>
> Thank you very much for the response. I followed your instructions and the
> GPO does not apply to the user.
>
> When running the Group Policy Results it lists the GPO under "Denied GPO"
> and reason Access Denied (Security Filtering). I have listed Domain Users and
> Terminal Server Computers under the security tab. What should be listed under
> the Group "Terminal Server Computers"? Are these the actual TS Servers or
> Computers connecting to the TS server?
>
> Just one addition. This TS is a DC as well.
>
> Any suggestions?
>
> Cheers,
> Graham
>
> "Patrick Rouse [MVP]" wrote:
>
> > This is what you need to do:
> >
> > 1. Create an OU called Terminal Servers (or whatever name you choose)
> > 2. Move the Terminal Server(s) into this OU.
> > 3. Link this OU to your GPO, or create a new one.
> > 4. Enable loopback policy processing in the GPO with the Replace Option.
> > 5. On the security for the GPO set Apply Policy to "Authenticated Users" or
> > "Domain Users" plus the Terminal Server Computer accounts, then set Deny
> > Apply Policy to your admin accounts or groups.
> > 6. Do NOT move user accounts into this OU.
> >
> >
> > This will apply the GPO only when users log on to a terminal server in this
> > OU, and will NOT apply to the people you listed in Deny Apply Policy.
> >
> >
> > "Graham" wrote:
> >
> > > I am in the process of rolling out a 2003 TS and would like to lock down the
> > > desktop and several settings using GPO. I would obviously like to prevent
> > > this from happening to the Admin account though.
> > >
> > > Can anybody please offer some assistance? Additionally, in the security tab
> > > for the GPO do I input the list of users to be using the TS and the actual
> > > Machine name, i.e. this is the tab where you state which users and/or
> > > computer the GPO applies to.
> > >
> > > Thanks everyone.
> > >
> > > Cheers,
> > > Graham
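The six steps quoted above, scripted as an added example that is not part of any post in this thread. It uses the ActiveDirectory and GroupPolicy PowerShell modules, which are newer than the Windows Server 2003 tools discussed here. The OU, GPO, server and admin group names are assumed placeholders, and the terminal server is assumed to be a member server, not a DC.

```powershell
# Added example: names below are placeholders, not values from the thread.
Import-Module ActiveDirectory, GroupPolicy

$ouName     = 'Terminal Servers'
$gpoName    = 'TS User Lockdown'
$tsServers  = @('TS01')        # assumed member servers; do not move a DC out of its OU
$adminGroup = 'TS Admins'      # assumed group that must NOT receive the lockdown
$domainDN   = (Get-ADDomain).DistinguishedName
$ouDN       = "OU=$ouName,$domainDN"

# Steps 1-2: create the OU and move only the terminal server computer accounts into it.
# Step 6: user accounts stay where they are.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN
foreach ($ts in $tsServers) {
    Get-ADComputer -Identity $ts | Move-ADObject -TargetPath $ouDN
}

# Step 3: create the GPO and link it to the OU.
$gpo = New-GPO -Name $gpoName
New-GPLink -Guid $gpo.Id -Target $ouDN | Out-Null

# Step 4: loopback processing, Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 5a: a new GPO already grants Authenticated Users "Apply Group Policy",
# which covers both the users and the terminal server computer accounts.
# Step 5b: add a Deny ACE for the "Apply Group Policy" extended right to the admin group.
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adminSid      = (Get-ADGroup -Identity $adminGroup).SID
$gpoPath       = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"

$acl = Get-Acl -Path $gpoPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $adminSid, 'ExtendedRight', 'Deny', $applyGpoRight)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoPath -AclObject $acl

# Check the result: list who can read/apply the GPO, then confirm the Deny ACE is present.
Get-GPPermission -Guid $gpo.Id -All | Select-Object Trustee, Permission, Denied
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpoRight } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

If Group Policy Results still reports the GPO as denied by security filtering, compare the trustees listed by `Get-GPPermission` against the user and the terminal server computer account that were evaluated.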