Re: Locking down TS on Domain Controller...




If you delete the "Authenticated Users" group, then you *must* add
the computer account of the server, as well as your preferred user
group. As it is now, the GPO is not applied to the server at all.
Has nothing to do with it being a DC.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Cary Shultz" <cwshultz@xxxxxxxx> wrote on 09 jul 2006 in
microsoft.public.windows.terminal_services:

Good morning!

Okay. I know that this is not suggested. I know that it is not
recommended. I am aware of the security risks. I know that
there are several people who will kill me when they read this.
The environments that I manage are all very small and have a
limited budget for 'computer stuff'.

I have a client (very small) that has a 64-bit Domain Controller
(Windows Server 2003 x64 running on a Dell PowerEdge 800). They
have a remote office and they want to use Terminal Services so
that those five users in the remote office can access vital
information. Pretty much nothing else is of interest to them.

So, I would like to lock down the Terminal Server experience for
those five users. Just as a point of interest, I have done this
several times in a WIN2000 environment and once in a WIN2003
environment (following the usual MS KB Articles and Patrick
Rouse's suggestions on the File System - all works very very
well). The *MAJOR* difference was that in each case the TS was
a member server, not a Domain Controller.

I should mention that I am playing in the lab right now. The
only difference between the lab and the production environment
is that I am sitting on a 32-bit Server right now. I will not
be able to use the GPMC when it comes time to do this on the
production server as the GPMC does not run on 64-bit Servers....

Everything (minus the TS Lockdown GPO) is working. So, there
are no other issues (well, none that I can see). I have a WINXP
Pro SP2 client and I log on to that using the user account
object of one of the five TS Users and then use RDP to connect
to the Terminal Server. Everything is good (again, minus the
lockdown GPO).

Here is what I have done:

Follow MS KB278295 (create the GPO, link it to the Domain
Controllers OU - I know, I know, use gpupdate /force and then
log on as one of the users. None of the settings set by the 'TS
Lockdown' GPO take place). I have done this, as I already
mentioned, in production environments several times as well as
in the lab hundreds of times. When I run RSOP.MSC on the Domain
Controller and change the focus (from Administrator to TSUser1)
I do not see any of the settings set in the 'TS Lockdown'.

Oh, one more point - on the SECURITY tab of the GPO I removed
Authenticated Users and 1) replaced it with a security group
that I created (which contains the user account objects) -
nothing, 2) replaced that security group with 'Remote Desktop
Users' (just to see if that had any effect) - nothing, and 3)
removed the group and replaced it with each individual user
account object - nothing! After each of the mentioned changes I
used gpupdate /force and, when nothing happened, I rebooted the
Domain Controller (again, in the lab right now). Still nothing.

There is nothing in the event logs to indicate the GPO failed
for such and such a reason. This is a bit odd!

I guess that because this is a Domain Controller I am getting
stupid!

Does anyone have any suggestions?

Thanks all,
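The fix Vera Noest describes above (a GPO whose security filtering no longer includes Authenticated Users must list both the server's own computer account and the intended user group) can be checked and corrected from the GroupPolicy PowerShell module. This is an added example, not code from the thread; it needs the GroupPolicy module (RSAT on Windows Server 2008 R2 or later), which the 2003-era GPMC in the post does not provide, so on that platform the same trustees are set by hand on the GPO's Delegation tab. The GPO name "TS Lockdown", the server name "DC01" and the group "TS Users" are assumed names for illustration.

```powershell
# Added example (not from the thread): audit and repair the security filtering
# on a Terminal Services lockdown GPO so that it reaches a DC's users under
# loopback processing (KB278295). Assumed names: GPO "TS Lockdown",
# server computer account "DC01", user group "TS Users".
Import-Module GroupPolicy

$GpoName    = 'TS Lockdown'
$ServerName = 'DC01'       # the DC that hosts Terminal Services
$UserGroup  = 'TS Users'   # the group holding the five TS user accounts

# 1. Show who can currently read/apply the GPO. If Authenticated Users was
#    removed and nothing replaced it, the server cannot read the policy at all,
#    which matches the symptom in the thread: no errors, no settings, and
#    RSOP shows nothing for the user.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                  @{n='Type';e={$_.Trustee.TrusteeType}},
                  Permission |
    Format-Table -AutoSize

# 2. The server's computer account must be able to read the GPO. Because the
#    KB278295 lockdown relies on loopback processing, which is evaluated in the
#    computer's security context, grant it GpoApply (which includes Read).
#    -TargetType Computer resolves the machine account from the computer name.
Set-GPPermission -Name $GpoName -TargetName $ServerName `
    -TargetType Computer -PermissionLevel GpoApply

# 3. The users who should receive the lockdown settings.
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply

# 4. Verify both trustees now hold GpoApply. Get-GPPermission throws if the
#    trustee has no entry, so a clean run here means the ACL is complete.
Get-GPPermission -Name $GpoName -TargetName $ServerName -TargetType Computer |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
Get-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# 5. Then refresh on the server and re-check RSOP.msc as one of the TS users:
#    gpupdate /force
```

On domains patched with MS16-072 (June 2016 and later), user-side GPOs are also read in the computer's context, so a GPO that drops Authenticated Users needs Read for the computer account (or Domain Computers) even when no loopback is involved; the GpoApply grant to the server's account in step 2 covers that case as well.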


