Re: terminal server access on a domain controller

I have the following;
mydomain.local
domain controllers
my-server-is-here
local users
users-are-here

yes, I have run gpupdate/force
thanks

"Vera Noest [MVP]" wrote:

And the user accounts are in a separate OU, right?
Have you run "gpupdate /force" on the DC?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Sm9obiBCb3dkZW4=?=
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 19 jun 2007 in
microsoft.public.windows.terminal_services:

I was too quick in saying that this worked, it's working but now
when I log this user in to their office desktop, I have the same
restrictions - one of them being that they can't access their
local drives.

"John Bowden" wrote:

thanks for the information. that worked

"Vera Noest [MVP]" wrote:

Disclaimer: I haven't tested this on a DC.

The mechanism to solve this problem is called "loopback
processing" of the GPO.
You'll find it here in your GP editor:

Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - "Replace"

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

Note that using the policy setting to hide the local drives
is just a cosmetic thing. It does *not* provide any security
and it does *not* lock your users out of the local drives.
They will still show up in nearly every programs "Save as.."
or "File Open.." dialog, as well as from a command window.
So be sure that you check your NTFS permissions on the file
system, and whatever you do, do not give these users elevated
user rights.

And besides the CALs, you will need TS CALs as well.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Sm9obiBCb3dkZW4=?=
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 18 jun 2007
in microsoft.public.windows.terminal_services:

I have a site that has purchased one server. We have since
discovered that we need a few of the users to access the
server remotely using RDP through terminal services. Now I
know that it's not a good idea to run terminal services on
a domain controller but for now, it needs to be done until
they can afford another server. The server is running 2003
standard server and has 5 user cals installed.

I would like to set up two users that need remote access to
allow them to use thier computers in the office and when
they are out of the office, they need remote access. I have
set up the GPO for terminal services and it works fine when
they are out but unfortunatly, it locks them out of their
local computer when they are in the office. Things such as
not being able to access their local drive because I've
restricted them from accessing the server local drives are
some of the problems.

I've put the GPO in the domain controller list but the user
settings are what I need to figure out how to enable ONLY
when they log in remotely. I don't know how I can do this.

Can anyone help out?
Thanks

.

Relevant Pages

  • Re: terminal server access on a domain controller
    ... Note that using the policy setting to hide the local drives is just ... MCSE, CCEA, Microsoft MVP - Terminal Server ... remotely using RDP through terminal services. ... I would like to set up two users that need remote access to ...
    (microsoft.public.windows.terminal_services)
  • RE: Restrict access to the server for Terminal Services users
    ... and make that one your Terminal Server and then lock it down ... As a reference read the guide I wrote, "Terminal Services from A to Z" ... These folders are restricted access shares on the domain, ... when someone logs on via Terminal Services and navigates to the local drives ...
    (microsoft.public.windows.terminal_services)
  • Cannot see license server
    ... We have our domain controller set up as Terminal Services license server. ...
    (microsoft.public.windows.terminal_services)
  • Re: SBS 2003 SP1 Transition Pack
    ... TS on a domain controller is a security risk and is stupid. ... This is an insane recommendation when you can set up a member server and do TS access the right way. ... will be able to run terminal services in application mode and support ...
    (microsoft.public.backoffice.smallbiz)
  • Re: Help - Logging on "interactively"
    ... I cannot make the server allow anyone other ... > Everyone and other to the Allow Local Log on policy and with the Deny ... Comment/question -since this is a domain controller, ... Terminal Services should be run on a dedicated member server only. ...
    (microsoft.public.win2000.setup)
Loading