Re: terminal server access on a domain controller
- From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Jun 2007 15:29:37 -0700
And the user accounts are in a separate OU, right?
Have you run "gpupdate /force" on the DC?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
John Bowden
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 19 jun 2007 in
microsoft.public.windows.terminal_services:
I was too quick in saying that this worked. It's working, but now
when I log this user in to their office desktop, I have the same
restrictions - one of them being that they can't access their
local drives.
"John Bowden" wrote:
Thanks for the information. That worked.
"Vera Noest [MVP]" wrote:
Disclaimer: I haven't tested this on a DC.
The mechanism to solve this problem is called "loopback
processing" of the GPO.
You'll find it here in your GP editor:
Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - "Replace"
231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
Note that using the policy setting to hide the local drives
is just a cosmetic thing. It does *not* provide any security
and it does *not* lock your users out of the local drives.
They will still show up in nearly every program's "Save as.."
or "File Open.." dialog, as well as from a command window.
So be sure that you check your NTFS permissions on the file
system, and whatever you do, do not give these users elevated
user rights.
And besides the CALs, you will need TS CALs as well.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
John Bowden
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 18 jun 2007
in microsoft.public.windows.terminal_services:
I have a site that has purchased one server. We have since
discovered that we need a few of the users to access the
server remotely using RDP through terminal services. Now I
know that it's not a good idea to run terminal services on
a domain controller but for now, it needs to be done until
they can afford another server. The server is running 2003
standard server and has 5 user CALs installed.
I would like to set up two users that need remote access to
allow them to use their computers in the office and when
they are out of the office, they need remote access. I have
set up the GPO for terminal services and it works fine when
they are out but unfortunately, it locks them out of their
local computer when they are in the office. Things such as
not being able to access their local drive because I've
restricted them from accessing the server local drives are
some of the problems.
I've put the GPO in the domain controller list but the user
settings are what I need to figure out how to enable ONLY
when they log in remotely. I don't know how I can do this.
Can anyone help out?
Thanks
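
An added example, not part of the original thread: one way to follow up on the advice above that hiding drives is cosmetic and that the NTFS permissions are the real control. It reports the loopback mode the server received and lists allow ACEs that grant write-type rights to non-administrative principals. It assumes PowerShell is installed on the server; `$Roots`, `$Trusted` and `Get-WritableAce` are hypothetical names chosen for this sketch.

```powershell
# Added example, not from the thread. Run elevated on the server.
# $Roots and $Trusted are assumptions; adjust them to your environment.
$Roots   = @('C:\')
$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
             'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')

# 1. Loopback mode as delivered by policy: 1 = Merge, 2 = Replace.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode  = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$label = if ($mode -eq 2) { 'Replace' } elseif ($mode -eq 1) { 'Merge' } else { 'not configured' }
"Loopback processing mode: $label"

# 2. Rights that let a principal change data or permissions, including the
#    generic write (0x40000000) and generic all (0x10000000) bits that
#    inherit-only ACEs on a volume root often carry.
$specific  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($isAllow -and $canWrite -and ($Trusted -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 3. Check each root and its first-level folders.
$findings = foreach ($root in $Roots) {
    Get-WritableAce -Path $root
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WritableAce -Path $_.FullName }
}
$findings | Sort-Object Path, Identity | Format-Table -AutoSize
```

Any row naming the remote users, or a group they belong to such as Users or Authenticated Users, is a location they can still write to regardless of which drives the policy hides.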