Re: 2008 Questions



OK, now I understand what you want.
I would strongly advise against using a single shared user account
for multiple users (=persons). You will encounter corruption of the
user profile, erratic changes in settings, printers, etc. Search
this newsgroup for "shared account" and you'll find a variety of
problems caused by such a setup.

And it's not going to give you any advantages either, assuming that
all users already have a personal unique user account in the
domain. You still have to use NTFS permissions and a restrictive
GPO to lock the server down, and that job is no different when
locking down for a single account or all user accounts in a
security group.

Here's a good starting point for locking down a TS:

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

324036 - HOW TO: Use Software Restriction Policies in Windows
Server 2003
http://support.microsoft.com/?kbid=324036

and then use:

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

to prevent locking down administrators.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 29 apr
2008 in microsoft.public.windows.terminal_services:

Let me re-phrase. I want my terminal server locked down so users
can't poke around the server, surf the internet, that kind of
thing. There are 3 different applications that they could run. I
want users to auto login using a specific user name but I want
to be able to remote in as myself for administration.

"Vera Noest [MVP]" wrote:

No. You wrote that you wanted the ".. server locked down so
that only the app can be run".
If your users need to run more than a single application, you
don't define a starting application.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 28
apr 2008 in microsoft.public.windows.terminal_services:

Will this prevent the taskbar from showing? There are other
potential apps the users might be using and we want them to
be able to see the taskbar.

"Vera Noest [MVP]" wrote:

Define the application as the starting application in a
Group Policy, configure loopback processing of the GPO, and
then make sure that Administrators are not affected by the
application, by using security filtering.

User Computer Configuration - Administrative templates -
Windows Components - Terminal Services
"Start a program on connection"

Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - "Replace"

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying
to Administrator Accounts and Selected Users in Windows
Server 2003 http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 28
apr 2008 in microsoft.public.windows.terminal_services:

I have a couple of questions:

1. I would like to set up an auto login link for terminal
services. I have an app that I want to run but have the
server locked down so that only the app can be run. I know
I can set it up in TS Configuration but it prevents me
from logging in under my own credentials for admin
purposes. Is there another way I can set it up? I've also
tried saving the credentials in the link but it doesn't
stick. I would love to use RemoteApp but it just isn't
feasible at this time.

2. When logging in with the restricted user, the various
2008 splash screens come up. Is there a way to eliminate
them?