Re: limit users to one remote session

OK, now I understand: you have no problem to restrict your users to a
single session only, but you don't want your administrators to be
affected by this, correct?

You can extend your question to any restrictive policy that you
define for your users. We have our users desktop, disks, network
connections, etc restricted as much as possible, and those
restrictions must of course *not* be applied to Administrators.

The way to achieve this is to set a security filtering on your
restrictive GPO, and configure Administrators with "Deny" to the
right to "Apply this policy".

Citrix PS3 comes with its own set of policies, where you can define
the same setting, and choose which users it should apply to. I'm not
sure if this is true for Citrix XP as well.

315675 - HOW TO: Keep Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows 2000
http://support.microsoft.com/?kbid=315675

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

"Hank Arnold" <rasilon@xxxxxxx> wrote on 12 jul 2005:

> Here's the situation.....
>
> We have about a dozen servers, all running Terminal Services in
> Administration Mode, except for two Citrix XPa servers that are
> load balanced (by Citrix). All users connect through the Citrix
> server logons (except for the print server). Only administrators
> log into a server using RDP.
>
> My question related to what impact the posted solution would
> have on our ability to have two simultaneous RDP sessions to a
> server or have RDP sessions to multiple servers.
>
> I'm also interested in how the solution affected our Citrix
> servers, seeing as they run on top of TS. I might be interested
> in an approach that would prevent their logging in multiple
> times as long as it didn't affect the ability of
> administrators....
.

Relevant Pages

  • Re: Domain Administrator privs on Client
    ... It is fairly normal to restrict admin access to SQL Server to only ... Domain Admins is added to a machine's Administrators ... I have an SQL server on my domain, I have to login as the local sql ...
    (microsoft.public.windows.group_policy)
  • RE: Remote Administration on W2K
    ... > Why would you run VNC through Citrix? ... > can monitor/control any connection that is logged into the server ... Not to mention that the Citrix client connection alone is more secure than ... You can restrict vendors the same way, say POSvendor is restricted to POS ...
    (Security-Basics)
  • Re: Server Operator Role
    ... Making someone a servop over a member server is rather involved. ... Anyway you will want to make them admin on the citrix servers, ... that OU that has administrators defined as a restricted group and add your users ...
    (microsoft.public.win2000.active_directory)
  • Re: How to limit who logs into Citrix from a Thin Client?
    ... I checked SecureRDP out at 2X's website. ... It looks really impressive and something I should add to our Citrix ... I wouldn't want to restrict the user from logging on from everywhere, ... remote desktop server capability? ...
    (microsoft.public.windows.terminal_services)
  • RE: Access Denied when running RSoP
    ... The launch and activation security descriptor for the COM Server application ... It contains Access Control Entries with permissions that are ... which is a part of the McAfee Common ... > Administrators - Full Control - This namespace and subnamespaces ...
    (microsoft.public.windows.server.sbs)