Re: terminal server access on a domain controller



I'm sorry, but I have no experience with this setup, so I'm afraid
I can't be of more help. I'd be extremely cautious, because you
can easily lock down your DC as well.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

John Bowden
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 19 jun 2007 in
microsoft.public.windows.terminal_services:

I have the following:
mydomain.local
  domain controllers
    my-server-is-here
  local users
    users-are-here

Yes, I have run gpupdate /force.
Thanks

"Vera Noest [MVP]" wrote:

And the user accounts are in a separate OU, right?
Have you run "gpupdate /force" on the DC?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

John Bowden
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 19 jun 2007 in
microsoft.public.windows.terminal_services:

I was too quick in saying that this worked, it's working but
now when I log this user in to their office desktop, I have
the same restrictions - one of them being that they can't
access their local drives.

"John Bowden" wrote:

Thanks for the information. That worked.

"Vera Noest [MVP]" wrote:

Disclaimer: I haven't tested this on a DC.

The mechanism to solve this problem is called "loopback
processing" of the GPO.
You'll find it here in your GP editor:

Computer Configuration - Administrative Templates - System
- Group Policy
"User Group Policy loopback processing mode" - "Replace"

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

Note that using the policy setting to hide the local
drives is just a cosmetic thing. It does *not* provide any
security and it does *not* lock your users out of the
local drives. They will still show up in nearly every
program's "Save as.." or "File Open.." dialog, as well as
from a command window. So be sure that you check your NTFS
permissions on the file system, and whatever you do, do
not give these users elevated user rights.

And besides the CALs, you will need TS CALs as well.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

John Bowden
<JohnBowden@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 18 jun
2007 in microsoft.public.windows.terminal_services:

I have a site that has purchased one server. We have
since discovered that we need a few of the users to
access the server remotely using RDP through terminal
services. Now I know that it's not a good idea to run
terminal services on a domain controller but for now, it
needs to be done until they can afford another server.
The server is running 2003 standard server and has 5
user CALs installed.

I would like to set up two users that need remote access
to allow them to use their computers in the office and
when they are out of the office, they need remote
access. I have set up the GPO for terminal services and
it works fine when they are out but unfortunately, it
locks them out of their local computer when they are in
the office. Things such as not being able to access
their local drive because I've restricted them from
accessing the server local drives are some of the
problems.

I've put the GPO in the domain controller list but the
user settings are what I need to figure out how to
enable ONLY when they log in remotely. I don't know how
I can do this.

Can anyone help out?
Thanks
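
The two checks the reply above calls for, as an added example that is not part of the original thread: it reads the loopback mode the computer has actually applied, and lists allow entries on a drive root that grant write-type access to anyone outside a trusted set. `UserPolicyMode` is the registry value the loopback policy setting writes; the path `C:\` and the trusted SID list are assumptions to adjust.

```powershell
# Added example, not from the thread. Run on the server from an elevated prompt.
# The default path and the trusted-SID list are assumptions; adjust them.

function Get-LoopbackMode {
    # Value written by "User Group Policy loopback processing mode"
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $val = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($val) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

function Get-NonAdminWriteAccess {
    param(
        [string]$Path = 'C:\',
        # Well-known SIDs: BUILTIN\Administrators, SYSTEM, CREATOR OWNER
        [string[]]$TrustedSids = @('S-1-5-32-544', 'S-1-5-18', 'S-1-3-0')
    )
    # WriteData, AppendData, Delete, ChangePermissions, TakeOwnership,
    # plus GENERIC_WRITE and GENERIC_ALL as they appear on inherit-only entries
    $mask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        # Resolve the SID to a name for display; keep the SID if it cannot be resolved
        $name = $ace.IdentityReference.Value
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

"Loopback mode: $(Get-LoopbackMode)"
Get-NonAdminWriteAccess -Path 'C:\' | Format-Table -AutoSize
```

Any row returned for an ordinary user group is access that hiding the drive in Explorer does not remove.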