Re: terminal server access on a domain controller

Disclaimer: I haven't tested this on a DC.

The mechanism to solve this problem is called "loopback
processing" of the GPO.
You'll find it here in your GP editor:

Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - "Replace"

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

Note that using the policy setting to hide the local drives is just
a cosmetic thing. It does *not* provide any security and it does
*not* lock your users out of the local drives. They will still show
up in nearly every programs "Save as.." or "File Open.." dialog, as
well as from a command window.
So be sure that you check your NTFS permissions on the file system,
and whatever you do, do not give these users elevated user rights.

And besides the CALs, you will need TS CALs as well.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Sm9obiBCb3dkZW4=?=
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 18 jun 2007 in
microsoft.public.windows.terminal_services:

I have a site that has purchased one server. We have since
discovered that we need a few of the users to access the server
remotely using RDP through terminal services. Now I know that
it's not a good idea to run terminal services on a domain
controller but for now, it needs to be done until they can
afford another server. The server is running 2003 standard
server and has 5 user cals installed.

I would like to set up two users that need remote access to
allow them to use thier computers in the office and when they
are out of the office, they need remote access. I have set up
the GPO for terminal services and it works fine when they are
out but unfortunatly, it locks them out of their local computer
when they are in the office. Things such as not being able to
access their local drive because I've restricted them from
accessing the server local drives are some of the problems.

I've put the GPO in the domain controller list but the user
settings are what I need to figure out how to enable ONLY when
they log in remotely. I don't know how I can do this.

Can anyone help out?
Thanks
.

Relevant Pages

  • Re: terminal server access on a domain controller
    ... Note that using the policy setting to hide the local drives is just ... MCSE, CCEA, Microsoft MVP - Terminal Server ... remotely using RDP through terminal services. ... I would like to set up two users that need remote access to ...
    (microsoft.public.windows.terminal_services)
  • Re: terminal server access on a domain controller
    ... processing" of the GPO. ... 231287 - Loopback Processing of Group Policy ... Note that using the policy setting to hide the local drives is just ... MCSE, CCEA, Microsoft MVP - Terminal Server ...
    (microsoft.public.windows.terminal_services)
  • TS, GPO, diffent users
    ... Set up a server for Remote Desktop access. ... Created OU for server and linked GPO with loopback on it. ... Users can still jack around with the local drives from the application's ...
    (microsoft.public.windows.terminal_services)
  • Re: terminal server access on a domain controller
    ... MCSE, CCEA, Microsoft MVP - Terminal Server ... Note that using the policy setting to hide the local drives ... I would like to set up two users that need remote access to ...
    (microsoft.public.windows.terminal_services)
  • Automatic Updates options are greyed out, SBS 2003 and WSUS
    ... The SBS server is the DC ... GPO: Default Domain Policy ... Computer Setting: 50 ... GPO: Default Domain Controllers Policy ...
    (microsoft.public.windows.server.sbs)