Re: 2008 Questions

Nonetheless, the profile *will* be corrupted, unless you make it
read-only ( = mandatory).

I do not know of a method to enforce logon to the TS with a pre-
defined user account, other than in Terminal Services
Configuration. And that will apply to Administrators as well.


_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 29 apr
2008 in microsoft.public.windows.terminal_services:

I'm not worried about the user profile. I have it locked down to
where you click on teh start button and the only thing that
shows is Log Off. I've disabled the right-click feature. Nobody
will be printing. We want the single share user account because
we don't want muliple profiles.

Our users are not tech savvy at all. We want the auto login so
no one gets confused or does anything they shouldn't.

"Vera Noest [MVP]" wrote:

OK, now I understand what you want.
I would strongly advice against using a single shared user
account for multiple users (=persons). You will encounter
corruption of the user profile, irratic changes in settings,
printers, etc. Search this newsgroup for "shared account" and
you'll find a variety of problems caused by such a setup.

And it's not going to give you any advantages either, assuming
that all users already have a personal unique user account in
the domain. You still have to use NTFS permissions and a
restrictive GPO to lock the server down, and that job is no
different when locking down for a single account or all user
accounts in a security group.

Here's a good starting point for locking down a TS:

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/loc
kdo wn.mspx

324036 - HOW TO: Use Software Restriction Policies in Windows
Server 2003
http://support.microsoft.com/?kbid=324036

and then use:

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server
2003 http://support.microsoft.com/?kbid=816100

to prevent locking down administrators.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 29
apr 2008 in microsoft.public.windows.terminal_services:

Let me re-phrase. I want my terminal server locked down so
users can't poke around the server, surf the internet, that
kind of thing. There are 3 different applications that they
could run. I want users to auto login using a specific user
name but I want to be able to remote in as myself for
administration.

"Vera Noest [MVP]" wrote:

No. You wrote that you wanted the ".. server locked down so
that only the app can be run".
If your users need to run more than a single application,
you don't define a starting application.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 28
apr 2008 in microsoft.public.windows.terminal_services:

Will this prevent the taskbar from showing? There are
other potential apps the users might be using and we want
them to be able to see the taskbar.

"Vera Noest [MVP]" wrote:

Define the application as the starting application in a
Group Policy, configure loopback processing of the GPO,
and then make sure that Administrators are not affected
by the application, by using security filtering.

User Computer Configuration - Administrative templates -
Windows Components - Terminal Services
"Start a program on connection"

Computer Configuration - Administrative Templates -
System - Group Policy
"User Group Policy loopback processing mode" - "Replace"

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from
Applying to Administrator Accounts and Selected Users in
Windows Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Um9i?= <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on
28 apr 2008 in
microsoft.public.windows.terminal_services:

I have a couple of questions:

1. I would like to set up an auto login link for
terminal services. I have an app that I want to run but
have the server locked down so that only the app can be
run. I know I can set it up in TS Configuration but it
prevents me from logging in under my own credentials
for admin purposes. Is there another way I can set it
up? I've also tried saving the credentials in the link
but it doesn't stick. I would love to use RemoteApp but
it just isn't feasible at this time.

2. When logging in with the restricted user, the
various 2008 splash screens come up. Is there a way to
eliminate them?
.