
Windows 2000 TS in a Windows 2003 AD domain

Anonymous
November 1, 2004 1:41:23 AM

Archived from groups: microsoft.public.windowsnt.terminalserver.setup

Hello!

I have read a few posts in Google groups regarding having a Windows 2000
member server as a Terminal Server with a Windows 2003 Active Directory
domain controller. All clients to the 2000 TS would be Windows 2000
Professional and XP Professional. As far as I can tell from these posts,
that would work, and the 2000 TS would not require purchasing licenses for
each client, since they are 2000 Pro and XP Pro and are supposed to pull a
license from the built-in pool on the 2000 TS. Please correct me if I am
wrong.

One question is, where do I set up the license server: on the 2000 TS or on
the 2003 domain controller? If the 2003 DC has to be the license server,
will it recognize that the TS is on 2000 and does not require purchasing
licenses for the XP Pro clients?

Am I anywhere near the mark here?

Thank you for helping!

Gregg Hill
Anonymous
November 1, 2004 8:58:26 AM

You've got it all correct, Gregg!
W2K Pro and XP Pro clients get a free TS CAL, when they connect to
a W2K TS. No additional licenses required.

About the Licensing Server: you cannot install it on the W2K TS,
because that is a member server.
Install it on the 2003 DC. The 2003 LS actually contains the same
pool of built-in W2K licenses as a W2K Licensing Server does, and
it will issue those for free to your clients.

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
Anonymous
November 1, 2004 11:12:35 AM

Thank you, Vera!

I thought that was the case, but I needed to make sure. Thanks for the help!

Gregg Hill
Anonymous
November 2, 2004 2:55:25 AM

Vera,

Here are a few articles that I am still trying to understand. Maybe I just
need to get more sleep.

278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295
How do I use the 2003 DC to do this setup and make it apply to the 2000 TS?

260370 - How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
If "this OU should not contain users" then how can I restrict Domain Users
but not restrict Domain Admins?

Loopback Processing of Group Policy
http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
Where does the loopback get applied? On the DC in a new OU, or on the 2000
TS using a local policy?
It looks as though this step will restrict ALL users, including Domain
Admins. I only want to restrict regular users.

I am going to go to bed!

Thank you for all your help!

Gregg Hill
Anonymous
November 2, 2004 11:03:18 AM

Gregg,

Hope you've had a good night's sleep! You certainly deserved it
after going through all those articles!

Maybe this helps to clarify:
You apply the loopback setting inside the policy that is linked to
the OU that contains your Terminal Server.

And yes, it would affect all users, but there's a way around that
as well: deny Administrators the right to "Apply this Policy" in
the security settings of the GPO.

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
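
Added example (not part of the original posts): a simplified Python model of the behaviour described in the reply above, where a GPO linked to the Terminal Server's OU enables loopback and administrators are denied the apply permission on that GPO. The GPO names, setting names and group sets are hypothetical sample data, and the model ignores sites, link order and inheritance blocking.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"


@dataclass
class GPO:
    name: str
    user_settings: dict
    loopback: str = "off"   # "off", "merge" or "replace"; a computer-side setting
    # Security filtering: group -> ALLOW/DENY on the "Apply Group Policy" permission.
    apply_acl: dict = field(default_factory=lambda: {"Authenticated Users": ALLOW})


def applies_to(gpo, groups):
    """A GPO applies when at least one of the groups is allowed and none is denied."""
    aces = [gpo.apply_acl[g] for g in groups if g in gpo.apply_acl]
    return ALLOW in aces and DENY not in aces


def resolve_user_settings(user_gpos, computer_gpos, user_groups,
                          computer_groups=("Authenticated Users",)):
    """Return (loopback_mode, effective user settings) for one logon.

    user_gpos / computer_gpos: GPOs in scope for the user / computer object,
    lowest precedence first (domain before OU).
    """
    # Loopback is read from the GPOs that apply to the *computer*.
    mode = "off"
    for gpo in computer_gpos:
        if gpo.loopback != "off" and applies_to(gpo, computer_groups):
            mode = gpo.loopback

    if mode == "replace":        # only the computer's GPO list supplies user settings
        order = list(computer_gpos)
    elif mode == "merge":        # user's list first, computer's list wins conflicts
        order = list(user_gpos) + list(computer_gpos)
    else:                        # normal processing: the user's own GPO list
        order = list(user_gpos)

    effective = {}
    for gpo in order:
        # Security filtering of user settings is evaluated against the *user*.
        if applies_to(gpo, user_groups):
            effective.update(gpo.user_settings)
    return mode, effective


# --- constructed sample data (hypothetical names) ---
domain_gpo = GPO("Default Domain Policy", {"Wallpaper": "corporate.bmp"})
staff_gpo = GPO("Staff Desktop", {"HomeDrive": "H:"})
ts_lockdown = GPO(
    "TS Lockdown",
    {"NoRun": 1, "NoControlPanel": 1},
    loopback="replace",
    apply_acl={"Authenticated Users": ALLOW, "Domain Admins": DENY},
)

USER_SCOPE = [domain_gpo, staff_gpo]        # GPOs above the user account
TS_SCOPE = [domain_gpo, ts_lockdown]        # GPOs above the Terminal Server
WORKSTATION_SCOPE = [domain_gpo]            # GPOs above an ordinary workstation
REGULAR = {"Authenticated Users", "Domain Users"}
ADMIN = REGULAR | {"Domain Admins"}

if __name__ == "__main__":
    for label, groups, scope in [
        ("regular user on TS", REGULAR, TS_SCOPE),
        ("admin on TS", ADMIN, TS_SCOPE),
        ("regular user on workstation", REGULAR, WORKSTATION_SCOPE),
    ]:
        print(label, resolve_user_settings(USER_SCOPE, scope, groups))
```

In replace mode the user's own OU policy ("Staff Desktop" here) is not processed on the Terminal Server at all, so anything users still need there has to be defined in a GPO that is in scope for the server.
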
Anonymous
November 3, 2004 1:35:16 AM

Hello, Vera!

Well, I almost had it. I got it where I could log in as the admin and have
the policies applied to restrict everything, then I made the change in the
816100 article you so kindly gave to me and it allowed normal admin rights.
The only thing I cannot seem to get past is the "The local policy of this
system does not allow you to log on interactively" message when I try to log
in as a regular user. I had it at one point, but now it does not work. I
have tried all of the articles you supplied, but I cannot figure out where I
went wrong. Maybe my frustration is blinding me.

I made the change noted in
http://support.microsoft.com/default.aspx?scid=kb;en-us;246109 to allow
local logon, but I must not be doing it in the right place.

I wish MS published a step-by-step how-to article! I just finished building
test 2000 and 2003 servers to figure out what I am doing wrong.

Thanks for helping a TS novice, Vera.

Gregg Hill
Anonymous
November 3, 2004 10:22:34 AM

OK, it can be tricky to know in which Security Policy you have to
give users the right to Log On Locally. It depends on your domain
and the role of your Terminal Server in the domain.

If your TS is a standalone server in a Workgroup, modify the Local
Security Policy on the TS itself.

If your TS is a member server in an AD domain, modify the Default
Domain Security Policy.

If your TS is a Domain Controller in an AD domain (this setup is
*not* recommended, but added here for completeness), modify the
Default Domain Controller Security Policy.

Hope this helps!

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
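
Added example (not part of the original posts): a Python check for the situation discussed above, where the "Log on locally" right (`SeInteractiveLogonRight`) is granted in one policy but a higher-precedence policy also defines it. It parses the `[Privilege Rights]` section of security templates in the INF format that `secedit /export` writes and reports which template decides the right, since a policy that defines a user right replaces the whole list rather than adding to it. The template contents, policy labels and the domain SID are constructed sample data.

```python
RIGHT = "SeInteractiveLogonRight"   # the "Log on locally" user right


def parse_privilege_rights(inf_text):
    """Return {right_name: set of SIDs/names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; an empty value means "nobody".
            rights[name.strip()] = {
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            }
    return rights


def effective_right(templates, right=RIGHT):
    """templates: list of (label, inf_text), lowest precedence (local) first.

    The last template that defines the right supplies the complete list.
    """
    source, holders = None, set()
    for label, text in templates:
        rights = parse_privilege_rights(text)
        if right in rights:
            source, holders = label, rights[right]
    return source, holders


def can_log_on(token_sids, templates, right=RIGHT):
    """Return (allowed, deciding_policy) for a user with the given group SIDs."""
    source, holders = effective_right(templates, right)
    return bool(holders & set(token_sids)), source


# --- constructed sample data ---
# Real exports are UTF-16 files; plain strings are used here for brevity.
LOCAL = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeNetworkLogonRight = *S-1-1-0
"""
# Domain-level policy listing only Administrators and Backup Operators.
DOMAIN_BEFORE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
"""
# Same policy after the built-in Users group (S-1-5-32-545) is added.
DOMAIN_AFTER = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
"""
# Group SIDs of a regular domain user on the member server (placeholder domain SID).
USER_TOKEN = {
    "S-1-5-21-1111111111-2222222222-3333333333-513",  # Domain Users
    "S-1-5-32-545",                                   # BUILTIN\Users
    "S-1-5-11",                                       # Authenticated Users
}

if __name__ == "__main__":
    local = ("Local Security Policy", LOCAL)
    print(can_log_on(USER_TOKEN, [local]))
    print(can_log_on(USER_TOKEN, [local, ("Default Domain Security Policy", DOMAIN_BEFORE)]))
    print(can_log_on(USER_TOKEN, [local, ("Default Domain Security Policy", DOMAIN_AFTER)]))
```

The second case shows how a change made only in the local policy can appear to have no effect: the domain-level template still decides the right.
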
Anonymous
November 3, 2004 3:10:11 PM

Thanks, Vera. The TS is a member server in an AD domain, so I will modify
the Default Domain Security Policy tomorrow or Friday. In the meantime, I
am going to play with my test setup at home. Before I start, for a 2000 TS
member server in a 2003 AD domain, are there ANY settings I will be making
on the 2000 TS itself, or are all settings done on the 2003 DC?

Is there any reason why I **cannot** use my SBS 2003 server as the domain
controller to do the setup with a 2000 TS as a member server for testing? I
am assuming the Default Domain Security Policy is the same from SBS 2003 as
it is in Windows Server 2003. If not, I'll build a full-blown 2003 AD server
to use for testing.

Thanks again...you've been a **REAL BIG** help.

Gregg Hill
Anonymous
November 3, 2004 5:33:33 PM

I assume that with "are all settings done on the 2003 DC?" you
mean that you configure your Group Policy from the 2003 DC. If so,
yes, all configuration should be done there, for 2 reasons:

* If you configure a setting directly on your member server, and
you happen to have a conflicting configuration in your Group
Policy, things get messy. Does the Group Policy allow that
settings are overridden by a local policy? Life is much easier if
you configure all of your settings in a centrally stored and
managed Group Policy.

* The second reason is also management related:
Once your company grows, or applications demand more resources,
you might want to install a second Terminal Server. Duplicating
the exact same settings to the second TS manually will be nearly
impossible. If all settings are defined in a Group Policy, you
simply put the second TS in the same Organisational Unit as the
first and it will automatically inherit all settings.

There is really only one type of exception to this rule: some
settings cannot be configured through a GPO, but must be hardcoded
directly into the registry. Such changes have to be made manually
on each Terminal Server.

I see no reason why you shouldn't use your SBS2003 server as DC in
your tests. I've not much experience with SBS, but I am pretty
sure that policies are the same.

I'm glad to be of help, especially to someone who prepares and tests
thoroughly before taking a new service into full production!

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004 in
microsoft.public.windowsnt.terminalserver.setup:

> Thanks, Vera. The TS is a member server in an AD domain, so I
> will modify the Default Domain Security Policy tomorrow or
> Friday. In the mean time, I am going to play with my test setup
> at home. Before I start, for a 2000 TS member server in an 2003
> AD domain, are there ANY settings I will be making on the 2000
> TS itself, or are all settings done on the 2003 DC?
>
> Is there any reason why I **cannot** use my SBS 2003 server as
> the domain controller to do the setup with a 2000 TS as a member
> server for testing? I am assuming the Default Domain Security
> Policy is the same from SBS 2003 as it is in Windows Server
> 2003. If not, I'll build a full-blown 2003 AD server to use for
> testing.
>
> Thanks again...you've been a **REAL BIG** help.
>
> Gregg Hill
>
>
>
> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9596A6961F949veranoesthemutforsse@207.46.248.16...
>> OK, it can be tricky to know in which Security Policy you have
>> to give users the right to Log On Locally. It depends on your
>> domain and the role of your Terminal Server in the domain.
>>
>> If your TS is a standalone server in a Workgroup, modify the
>> Local Security Policy on the TS itself.
>>
>> If your TS is a member server in a AD domain, modify the
>> Default Domain Security Policy.
>>
>> If your TS is a Domain Controller in a AD domain (this setup is
>> *not* recommended, but added here for completeness), modify the
>> Default Domain Controller Security Policy.
>>
>> Hopes this helps!
>>
>> --
>> Vera Noest
>> MCSE,CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> *----------- Please reply in newsgroup -------------*
>>
>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004:
>>
>>> Hello, Vera!
>>>
>>> Well, I almost had it. I got it where I could log in as the
>>> admin and have the policies applied to restrict everything,
>>> then I made the change in the 816100 article you so kindly
>>> gave to me and it allowed normal admin rights. The only thing
>>> I cannot seem to get past is the "The local policy of this
>>> system does not allow you to log on interactively" message
>>> when I try to log in as a regular user. I had it at one point,
>>> but now it does not work. I have tried all of the articles you
>>> supplied, but I cannot figure out where I went wrong. Maybe my
>>> frustration is blinding me
>>>
>>> I made the change noted in
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;246109
>>> to allow local logon, but I must not be doing it in the right
>>> place.
>>>
>>> I wish MS published a step-by-step how-to article! I just
>>> finished building test 2000 and 2003 servers to figure out
>>> what I am doing wrong.
>>>
>>> Thanks for helping a TS novice, Vera.
>>>
>>> Gregg Hill
>>>
>>>
>>>
>>>
>>>
>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>> wrote in message
>>> news:Xns9595AD7E1D52Everanoesthemutforsse@207.46.248.16...
>>>> Gregg,
>>>>
>>>> Hope you've had a good night's sleep! You certainly deserved
>>>> it after going through all those articles!
>>>>
>>>> Maybe this helps to clarify:
>>>> You apply the loopback setting inside the policy that is
>>>> linked to the OU that contains your Terminal Server.
>>>>
>>>> And yes, it would affect all users, but there's a way around
>>>> that as well: deny Administrators the right to "Apply this
>>>> Policy" in the security settings of the GPO.
>>>>
>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>> to Administrator Accounts and Selected Users in Windows
>>>> Server 2003 http://support.microsoft.com/?kbid=816100
>>>>
>>>> --
>>>> Vera Noest
>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>> http://hem.fyristorg.com/vera/IT
>>>> *----------- Please reply in newsgroup -------------*
>>>>
>>>>
>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 02 nov 2004:
>>>>
>>>>> Vera,
>>>>>
>>>>> Here are a few articles that I am still trying to
>>>>> understand. Maybe I just need to get more sleep.
>>>>>
>>>>> 278295 - How to Lock Down a Windows 2000 Terminal Services
>>>>> Session http://support.microsoft.com/?kbid=278295
>>>>> How do I use the 2003 DC to do this setup and make it apply
>>>>> to the 2000 TS?
>>>>>
>>>>> 260370 - How to Apply Group Policy Objects to Terminal
>>>>> Services Servers http://support.microsoft.com/?kbid=260370
>>>>> If "this OU should not contain users" then how can I
>>>>> restrict Domain Users but not restrict Domain Admins?
>>>>>
>>>>> Loopback Processing of Group Policy
>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
>>>>> Where does the loopback get applied? On the DC in a new
>>>>> OU, or on the 2000 TS using a local policy?
>>>>> It looks as though this step will restrict ALL users,
>>>>> including Domain Admins. I only want to restrict regular
>>>>> users.
>>>>>
>>>>> I am going to go to bed!
>>>>>
>>>>> Thank you for all your help!
>>>>>
>>>>> Gregg Hill
>>>>>
>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>> wrote in message
>>>>> news:Xns95949852CF7CFveranoesthemutforsse@207.46.248.16...
>>>>>> You've got it all correct, Gregg!
>>>>>> W2K Pro and XP Pro clients get a free TS CAL, when they
>>>>>> connect to a W2K TS. No additional licenses required.
>>>>>>
>>>>>> About the Licensing Server: you cannot install it on the
>>>>>> W2K TS, because that is a member server.
>>>>>> Install it on the 2003 DC. The 2003 LS actually contains
>>>>>> the same pool of built-in W2K licenses as a W2K Licensing
>>>>>> Server does, and it will issue those for free to your
>>>>>> clients.
>>>>>>
>>>>>> --
>>>>>> Vera Noest
>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>
>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 01 nov 2004:
>>>>>>
>>>>>>> Hello!
>>>>>>>
>>>>>>> I have read a few posts in Google groups regarding having
>>>>>>> a Windows 2000 member server as a Terminal Server with a
>>>>>>> Windows 2003 Active Directory domain controller. All
>>>>>>> clients to the 2000 TS would be Windows 2000 Professional
>>>>>>> and XP Professional. As far as I can tell from these
>>>>>>> posts, that would work, and the 2000 TS would not require
>>>>>>> purchasing licenses for each client, since they are 2000
>>>>>>> Pro and XP Pro and are supposed to pull a license from the
>>>>>>> built in pool on the 2000 TS. Please correct me if I am
>>>>>>> wrong.
>>>>>>>
>>>>>>> One question is, where do I set up the license server: on
>>>>>>> the 2000 TS or on the 2003 domain controller? If the 2003
>>>>>>> DC has to be the license server, will it recognize that
>>>>>>> the TS is on 2000 and does not require purchasing licenses
>>>>>>> for the XP Pro clients?
>>>>>>>
>>>>>>> Am I anywhere near the mark here?
>>>>>>>
>>>>>>> Thank you for helping!
>>>>>>>
>>>>>>> Gregg Hill
Anonymous
November 6, 2004 6:27:40 PM

Hello, Vera!

I got my test setup running (SBS 2003 DC, 2000 TS member server, XP Pro SP2
client) and almost everything works as it should.

One thing I cannot understand is that when I put an icon on the All Users
desktop, a normal user does not see it when they log into the TS. Admin
users do see the icon. I am working on it, though!

Gregg Hill


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns9596EFA7DF323veranoesthemutforsse@207.46.248.16...
>I assume that with "are all settings done on the 2003 DC?" you
> mean that you configure your Group Policy from the 2003 DC. If so,
> yes, all configuration should be done there, for 2 reasons:
>
> * If you configure a setting directly on your member server, and
> you happen to have a conflicting configuration in your Group
> Policy, things get messy. Does the Group Policy allow that
> settings are overridden by a local policy? Life is much easier if
> you configure all of your settings in a centrally stored and
> managed Group Policy.
>
> * The second reason is also management related:
> Once your company grows, or applications demand more resources,
> you might want to install a second Terminal Server. Duplicating
> the exact same settings to the second TS manually will be nearly
> impossible. If all settings are defined in a Group Policy, you
> simply put the second TS in the same Organisational Unit as the
> first and it will automatically inherit all settings.
>
> There is really only one type of exception to this rule: some
> settings cannot be configured through a GPO, but must be hardcoded
> directly into the registry. Such changes have to be made manually
> on each Terminal Server.
>
> I see no reason why you shouldn't use your SBS2003 server as DC in
> your tests. I've not much experience with SBS, but I am pretty
> sure that policies are the same.
>
> I'm glad to be of help, especially someone who prepares and tests
> thoroughly before taking a new service into full production!
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Thanks, Vera. The TS is a member server in an AD domain, so I
>> will modify the Default Domain Security Policy tomorrow or
>> Friday. In the mean time, I am going to play with my test setup
>> at home. Before I start, for a 2000 TS member server in a 2003
>> AD domain, are there ANY settings I will be making on the 2000
>> TS itself, or are all settings done on the 2003 DC?
>>
>> Is there any reason why I **cannot** use my SBS 2003 server as
>> the domain controller to do the setup with a 2000 TS as a member
>> server for testing? I am assuming the Default Domain Security
>> Policy is the same from SBS 2003 as it is in Windows Server
>> 2003. If not, I'll build a full-blown 2003 AD server to use for
>> testing.
>>
>> Thanks again...you've been a **REAL BIG** help.
>>
>> Gregg Hill
>>
>>
>>
>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9596A6961F949veranoesthemutforsse@207.46.248.16...
>>> OK, it can be tricky to know in which Security Policy you have
>>> to give users the right to Log On Locally. It depends on your
>>> domain and the role of your Terminal Server in the domain.
>>>
>>> If your TS is a standalone server in a Workgroup, modify the
>>> Local Security Policy on the TS itself.
>>>
>>> If your TS is a member server in an AD domain, modify the
>>> Default Domain Security Policy.
>>>
>>> If your TS is a Domain Controller in an AD domain (this setup is
>>> *not* recommended, but added here for completeness), modify the
>>> Default Domain Controller Security Policy.
>>>
>>> Hope this helps!
>>>
>>> --
>>> Vera Noest
>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>> http://hem.fyristorg.com/vera/IT
>>> *----------- Please reply in newsgroup -------------*
>>>
>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004:
>>>
>>>> Hello, Vera!
>>>>
>>>> Well, I almost had it. I got it where I could log in as the
>>>> admin and have the policies applied to restrict everything,
>>>> then I made the change in the 816100 article you so kindly
>>>> gave to me and it allowed normal admin rights. The only thing
>>>> I cannot seem to get past is the "The local policy of this
>>>> system does not allow you to log on interactively" message
>>>> when I try to log in as a regular user. I had it at one point,
>>>> but now it does not work. I have tried all of the articles you
>>>> supplied, but I cannot figure out where I went wrong. Maybe my
>>>> frustration is blinding me
>>>>
>>>> I made the change noted in
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;246109
>>>> to allow local logon, but I must not be doing it in the right
>>>> place.
>>>>
>>>> I wish MS published a step-by-step how-to article! I just
>>>> finished building test 2000 and 2003 servers to figure out
>>>> what I am doing wrong.
>>>>
>>>> Thanks for helping a TS novice, Vera.
>>>>
>>>> Gregg Hill
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>> wrote in message
>>>> news:Xns9595AD7E1D52Everanoesthemutforsse@207.46.248.16...
>>>>> Gregg,
>>>>>
>>>>> Hope you've had a good night's sleep! You certainly deserved
>>>>> it after going through all those articles!
>>>>>
>>>>> Maybe this helps to clarify:
>>>>> You apply the loopback setting inside the policy that is
>>>>> linked to the OU that contains your Terminal Server.
>>>>>
>>>>> And yes, it would affect all users, but there's a way around
>>>>> that as well: deny Administrators the right to "Apply this
>>>>> Policy" in the security settings of the GPO.
>>>>>
>>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>>> to Administrator Accounts and Selected Users in Windows
>>>>> Server 2003 http://support.microsoft.com/?kbid=816100
>>>>>
>>>>> --
>>>>> Vera Noest
>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>> http://hem.fyristorg.com/vera/IT
>>>>> *----------- Please reply in newsgroup -------------*
>>>>>
>>>>>
>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 02 nov 2004:
>>>>>
>>>>>> Vera,
>>>>>>
>>>>>> Here are a few articles that I am still trying to
>>>>>> understand. Maybe I just need to get more sleep.
>>>>>>
>>>>>> 278295 - How to Lock Down a Windows 2000 Terminal Services
>>>>>> Session http://support.microsoft.com/?kbid=278295
>>>>>> How do I use the 2003 DC to do this setup and make it apply
>>>>>> to the 2000 TS?
>>>>>>
>>>>>> 260370 - How to Apply Group Policy Objects to Terminal
>>>>>> Services Servers http://support.microsoft.com/?kbid=260370
>>>>>> If "this OU should not contain users" then how can I
>>>>>> restrict Domain Users but not restrict Domain Admins?
>>>>>>
>>>>>> Loopback Processing of Group Policy
>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
>>>>>> Where does the loopback get applied? On the DC in a new
>>>>>> OU, or on the 2000 TS using a local policy?
>>>>>> It looks as though this step will restrict ALL users,
>>>>>> including Domain Admins. I only want to restrict regular
>>>>>> users.
>>>>>>
>>>>>> I am going to go to bed!
>>>>>>
>>>>>> Thank you for all your help!
>>>>>>
>>>>>> Gregg Hill
>>>>>>
>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>> wrote in message
>>>>>> news:Xns95949852CF7CFveranoesthemutforsse@207.46.248.16...
>>>>>>> You've got it all correct, Gregg!
>>>>>>> W2K Pro and XP Pro clients get a free TS CAL, when they
>>>>>>> connect to a W2K TS. No additional licenses required.
>>>>>>>
>>>>>>> About the Licensing Server: you cannot install it on the
>>>>>>> W2K TS, because that is a member server.
>>>>>>> Install it on the 2003 DC. The 2003 LS actually contains
>>>>>>> the same pool of built-in W2K licenses as a W2K Licensing
>>>>>>> Server does, and it will issue those for free to your
>>>>>>> clients.
>>>>>>>
>>>>>>> --
>>>>>>> Vera Noest
>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>
>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 01 nov 2004:
>>>>>>>
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> I have read a few posts in Google groups regarding having
>>>>>>>> a Windows 2000 member server as a Terminal Server with a
>>>>>>>> Windows 2003 Active Directory domain controller. All
>>>>>>>> clients to the 2000 TS would be Windows 2000 Professional
>>>>>>>> and XP Professional. As far as I can tell from these
>>>>>>>> posts, that would work, and the 2000 TS would not require
>>>>>>>> purchasing licenses for each client, since they are 2000
>>>>>>>> Pro and XP Pro and are supposed to pull a license from the
>>>>>>>> built in pool on the 2000 TS. Please correct me if I am
>>>>>>>> wrong.
>>>>>>>>
>>>>>>>> One question is, where do I set up the license server: on
>>>>>>>> the 2000 TS or on the 2003 domain controller? If the 2003
>>>>>>>> DC has to be the license server, will it recognize that
>>>>>>>> the TS is on 2000 and does not require purchasing licenses
>>>>>>>> for the XP Pro clients?
>>>>>>>>
>>>>>>>> Am I anywhere near the mark here?
>>>>>>>>
>>>>>>>> Thank you for helping!
>>>>>>>>
>>>>>>>> Gregg Hill
Anonymous
November 7, 2004 6:22:18 AM

Mmm, strange. A couple of things that you can check:

* if they don't see the icon at all, check the icon location. Is
it really located in the All Users Desktop folder?
* if it *is* located in the All Users desktop folder, but users
still don't see it, maybe you have been experimenting with Folder
redirection? And used a GPO to redirect the users desktop folder
to a custom folder?
* if they see the icon, but as a generic icon, and can't use it,
then it is located in the All Users Desktop folder, but has
incorrect permissions. That happens easily when you move an icon
as Administrator, because moving something within the same disk
doesn't change the ownership or the permissions.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

"Gregg Hill" <bogus@nowhere.com> wrote on 07 nov 2004 in
microsoft.public.windowsnt.terminalserver.setup:

> Hello, Vera!
>
> I got my test setup running (SBS 2003 DC, 2000 TS member server,
> XP Pro SP2 client) and almost everything works as it should.
>
> One thing I cannot understand is that when I put an icon on the
> All Users desktop, a normal user does not see it when they log
> into the TS. Admin users do see the icon. I am working on it,
> though!
>
> Gregg Hill
>
>
> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9596EFA7DF323veranoesthemutforsse@207.46.248.16...
>>I assume that with "are all settings done on the 2003 DC?" you
>> mean that you configure your Group Policy from the 2003 DC. If
>> so, yes, all configuration should be done there, for 2 reasons:
>>
>> * If you configure a setting directly on your member server,
>> and you happen to have a conflicting configuration in your
>> Group Policy, things get messy. Does the Group Policy allow
>> that settings are overridden by a local policy? Life is much
>> easier if you configure all of your settings in a centrally
>> stored and managed Group Policy.
>>
>> * The second reason is also management related:
>> Once your company grows, or applications demand more resources,
>> you might want to install a second Terminal Server. Duplicating
>> the exact same settings to the second TS manually will be
>> nearly impossible. If all settings are defined in a Group
>> Policy, you simply put the second TS in the same Organisational
>> Unit as the first and it will automatically inherit all
>> settings.
>>
>> There is really only one type of exception to this rule: some
>> settings cannot be configured through a GPO, but must be
>> hardcoded directly into the registry. Such changes have to be
>> made manually on each Terminal Server.
>>
>> I see no reason why you shouldn't use your SBS2003 server as DC
>> in your tests. I've not much experience with SBS, but I am
>> pretty sure that policies are the same.
>>
>> I'm glad to be of help, especially someone who prepares and
>> tests thoroughly before taking a new service into full
>> production!
>>
>> --
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> http://hem.fyristorg.com/vera/IT
>> --- please respond in newsgroup, NOT by private email ---
>>
>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004 in
>> microsoft.public.windowsnt.terminalserver.setup:
>>
>>> Thanks, Vera. The TS is a member server in an AD domain, so I
>>> will modify the Default Domain Security Policy tomorrow or
>>> Friday. In the mean time, I am going to play with my test
>>> setup at home. Before I start, for a 2000 TS member server in
>>> a 2003 AD domain, are there ANY settings I will be making on
>>> the 2000 TS itself, or are all settings done on the 2003 DC?
>>>
>>> Is there any reason why I **cannot** use my SBS 2003 server as
>>> the domain controller to do the setup with a 2000 TS as a
>>> member server for testing? I am assuming the Default Domain
>>> Security Policy is the same from SBS 2003 as it is in Windows
>>> Server 2003. If not, I'll build a full-blown 2003 AD server to
>>> use for testing.
>>>
>>> Thanks again...you've been a **REAL BIG** help.
>>>
>>> Gregg Hill
>>>
>>>
>>>
>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>> wrote in message
>>> news:Xns9596A6961F949veranoesthemutforsse@207.46.248.16...
>>>> OK, it can be tricky to know in which Security Policy you
>>>> have to give users the right to Log On Locally. It depends on
>>>> your domain and the role of your Terminal Server in the
>>>> domain.
>>>>
>>>> If your TS is a standalone server in a Workgroup, modify the
>>>> Local Security Policy on the TS itself.
>>>>
>>>> If your TS is a member server in an AD domain, modify the
>>>> Default Domain Security Policy.
>>>>
>>>> If your TS is a Domain Controller in an AD domain (this setup
>>>> is *not* recommended, but added here for completeness),
>>>> modify the Default Domain Controller Security Policy.
>>>>
>>>> Hope this helps!
>>>>
>>>> --
>>>> Vera Noest
>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>> http://hem.fyristorg.com/vera/IT
>>>> *----------- Please reply in newsgroup -------------*
>>>>
>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004:
>>>>
>>>>> Hello, Vera!
>>>>>
>>>>> Well, I almost had it. I got it where I could log in as the
>>>>> admin and have the policies applied to restrict everything,
>>>>> then I made the change in the 816100 article you so kindly
>>>>> gave to me and it allowed normal admin rights. The only
>>>>> thing I cannot seem to get past is the "The local policy of
>>>>> this system does not allow you to log on interactively"
>>>>> message when I try to log in as a regular user. I had it at
>>>>> one point, but now it does not work. I have tried all of the
>>>>> articles you supplied, but I cannot figure out where I went
>>>>> wrong. Maybe my frustration is blinding me
>>>>>
>>>>> I made the change noted in
>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;246109
>>>>> to allow local logon, but I must not be doing it in the
>>>>> right place.
>>>>>
>>>>> I wish MS published a step-by-step how-to article! I just
>>>>> finished building test 2000 and 2003 servers to figure out
>>>>> what I am doing wrong.
>>>>>
>>>>> Thanks for helping a TS novice, Vera.
>>>>>
>>>>> Gregg Hill
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>> wrote in message
>>>>> news:Xns9595AD7E1D52Everanoesthemutforsse@207.46.248.16...
>>>>>> Gregg,
>>>>>>
>>>>>> Hope you've had a good night's sleep! You certainly deserved
>>>>>> it after going through all those articles!
>>>>>>
>>>>>> Maybe this helps to clarify:
>>>>>> You apply the loopback setting inside the policy that is
>>>>>> linked to the OU that contains your Terminal Server.
>>>>>>
>>>>>> And yes, it would affect all users, but there's a way
>>>>>> around that as well: deny Administrators the right to
>>>>>> "Apply this Policy" in the security settings of the GPO.
>>>>>>
>>>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>>>> to Administrator Accounts and Selected Users in Windows
>>>>>> Server 2003 http://support.microsoft.com/?kbid=816100
>>>>>>
>>>>>> --
>>>>>> Vera Noest
>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>
>>>>>>
>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 02 nov 2004:
>>>>>>
>>>>>>> Vera,
>>>>>>>
>>>>>>> Here are a few articles that I am still trying to
>>>>>>> understand. Maybe I just need to get more sleep.
>>>>>>>
>>>>>>> 278295 - How to Lock Down a Windows 2000 Terminal Services
>>>>>>> Session http://support.microsoft.com/?kbid=278295
>>>>>>> How do I use the 2003 DC to do this setup and make it
>>>>>>> apply to the 2000 TS?
>>>>>>>
>>>>>>> 260370 - How to Apply Group Policy Objects to Terminal
>>>>>>> Services Servers http://support.microsoft.com/?kbid=260370
>>>>>>> If "this OU should not contain users" then how can I
>>>>>>> restrict Domain Users but not restrict Domain Admins?
>>>>>>>
>>>>>>> Loopback Processing of Group Policy
>>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
>>>>>>> Where does the loopback get applied? On the DC in a new
>>>>>>> OU, or on the 2000 TS using a local policy?
>>>>>>> It looks as though this step will restrict ALL users,
>>>>>>> including Domain Admins. I only want to restrict regular
>>>>>>> users.
>>>>>>>
>>>>>>> I am going to go to bed!
>>>>>>>
>>>>>>> Thank you for all your help!
>>>>>>>
>>>>>>> Gregg Hill
>>>>>>>
>>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>>> wrote in message
>>>>>>> news:Xns95949852CF7CFveranoesthemutforsse@207.46.248.16...
>>>>>>>> You've got it all correct, Gregg!
>>>>>>>> W2K Pro and XP Pro clients get a free TS CAL, when they
>>>>>>>> connect to a W2K TS. No additional licenses required.
>>>>>>>>
>>>>>>>> About the Licensing Server: you cannot install it on the
>>>>>>>> W2K TS, because that is a member server.
>>>>>>>> Install it on the 2003 DC. The 2003 LS actually contains
>>>>>>>> the same pool of built-in W2K licenses as a W2K Licensing
>>>>>>>> Server does, and it will issue those for free to your
>>>>>>>> clients.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Vera Noest
>>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>>
>>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 01 nov 2004:
>>>>>>>>
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> I have read a few posts in Google groups regarding
>>>>>>>>> having a Windows 2000 member server as a Terminal Server
>>>>>>>>> with a Windows 2003 Active Directory domain controller.
>>>>>>>>> All clients to the 2000 TS would be Windows 2000
>>>>>>>>> Professional and XP Professional. As far as I can tell
>>>>>>>>> from these posts, that would work, and the 2000 TS would
>>>>>>>>> not require purchasing licenses for each client, since
>>>>>>>>> they are 2000 Pro and XP Pro and are supposed to pull a
>>>>>>>>> license from the built in pool on the 2000 TS. Please
>>>>>>>>> correct me if I am wrong.
>>>>>>>>>
>>>>>>>>> One question is, where do I set up the license server:
>>>>>>>>> on the 2000 TS or on the 2003 domain controller? If the
>>>>>>>>> 2003 DC has to be the license server, will it recognize
>>>>>>>>> that the TS is on 2000 and does not require purchasing
>>>>>>>>> licenses for the XP Pro clients?
>>>>>>>>>
>>>>>>>>> Am I anywhere near the mark here?
>>>>>>>>>
>>>>>>>>> Thank you for helping!
>>>>>>>>>
>>>>>>>>> Gregg Hill
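
The third check in the reply above (an item moved onto the All Users desktop keeps the permissions it had in its old location) can be audited with the script below. It is an added example, not part of the original thread, and assumes a system with Windows PowerShell 3.0 or later; Windows 2000 itself predates PowerShell, and there `cacls` shows the same ACLs. The function name `Get-DesktopItemAccess` and the choice of four well-known SIDs are assumptions of this example.

```powershell
# Added example (not from the thread): list every item on the common
# ("All Users") desktop and report whether the item's own ACL grants
# read access to ordinary, non-administrative users.

# Well-known SIDs that cover a non-administrative interactive user.
# SIDs are used instead of names so the check also works on localized systems.
$StandardUserSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-DesktopItemAccess {
    param([Parameter(Mandatory = $true)][string]$Path)

    $read        = [int][System.Security.AccessControl.FileSystemRights]::Read
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $Path
    $allowedTo = @()
    $deniedTo  = @()

    # Walk explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $name = $StandardUserSids[$rule.IdentityReference.Value]
        if (-not $name) { continue }    # ACE is for some other principal

        # Inherit-only ACEs apply to children, not to this item itself.
        if ([int]$rule.PropagationFlags -band $inheritOnly) { continue }

        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Deny') {
            # Any denied read bit is enough to block reading the item.
            if ($rights -band $read) { $deniedTo += $name }
        }
        elseif (($rights -band $read) -eq $read) {
            # An Allow ACE counts only if it grants the complete Read set.
            $allowedTo += $name
        }
    }

    # Simplification (assumption of this example): only the four principals
    # above are considered; other groups a user may belong to are ignored.
    [pscustomobject]@{
        Item         = [System.IO.Path]::GetFileName($Path)
        Owner        = $acl.Owner
        ReadAllowed  = ($allowedTo | Sort-Object -Unique) -join ', '
        ReadDenied   = ($deniedTo  | Sort-Object -Unique) -join ', '
        UsersCanRead = ($allowedTo.Count -gt 0 -and $deniedTo.Count -eq 0)
    }
}

# Resolve the common desktop folder instead of hard-coding its path,
# which differs between Windows versions.
$commonDesktop = [Environment]::GetFolderPath('CommonDesktopDirectory')

Get-ChildItem -LiteralPath $commonDesktop -Force |
    ForEach-Object { Get-DesktopItemAccess -Path $_.FullName } |
    Sort-Object UsersCanRead |          # items users cannot read come first
    Format-Table -AutoSize
```

Items reported with `UsersCanRead` set to `False` match the permission problem described in the reply; copying an item into the folder instead of moving it makes the new copy inherit the folder's permissions.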
Anonymous
November 7, 2004 1:06:31 PM

Vera,

Answers are inline.


"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns959A7DDB0F381veranoesthemutforsse@207.46.248.16...
> Mmm, strange. A couple of things that you can check:
>
> * if they don't see the icon at all, check the icon location. Is
> it really located in the All Users Desktop folder?

Yes. I just double-checked. If a regular user logs in, they do not see it.
If the Administrator or even any admin user logs in, they do see it.


> * if it *is* located in the All Users desktop folder, but users
> still don't see it, maybe you have been experimenting with Folder
> redirection? And used a GPO to redirect the users desktop folder
> to a custom folder?

I had not set up folder redirection nor used a GPO to redirect. I could not
figure out how to do it, so I left it alone, being sure to hit Cancel to get
out so that nothing would get applied.



> * if they see the icon, but as a generic icon, and can't use it,
> then it is located in the All Users Desktop folder, but has
> incorrect permissions. That happens easily when you move an icon
> as Administrator, because moving something within the same disk
> doesn't change the ownership or the permissions.
>

They cannot see the icon at all. Could it be caused by having the "Prevent
access to drives from My Computer" item enabled?



In addition to the articles you suggested, I am now looking at
http://www.microsoft.com/windowsserver2003/techinfo/ove...
which is basically the same information, but with more detail as to what
each setting does. It almost looks as if I need to enable folder redirection
if I have the "Prevent access to drives from My Computer" item enabled.

This stuff is getting very confusing. I am going to experiment by removing
one restriction at a time until I get my icon back. I will let you know what
I find.

I shall return!

Gregg Hill



> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "Gregg Hill" <bogus@nowhere.com> wrote on 07 nov 2004 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Hello, Vera!
>>
>> I got my test setup running (SBS 2003 DC, 2000 TS member server,
>> XP Pro SP2 client) and almost everything works as it should.
>>
>> One thing I cannot understand is that when I put an icon on the
>> All Users desktop, a normal user does not see it when they log
>> into the TS. Admin users do see the icon. I am working on it,
>> though!
>>
>> Gregg Hill
>>
>>
>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9596EFA7DF323veranoesthemutforsse@207.46.248.16...
>>>I assume that with "are all settings done on the 2003 DC?" you
>>> mean that you configure your Group Policy from the 2003 DC. If
>>> so, yes, all configuration should be done there, for 2 reasons:
>>>
>>> * If you configure a setting directly on your member server,
>>> and you happen to have a conflicting configuration in your
>>> Group Policy, things get messy. Does the Group Policy allow
>>> that settings are overridden by a local policy? Life is much
>>> easier if you configure all of your settings in a centrally
>>> stored and managed Group Policy.
>>>
>>> * The second reason is also management related:
>>> Once your company grows, or applications demand more resources,
>>> you might want to install a second Terminal Server. Duplicating
>>> the exact same settings to the second TS manually will be
>>> nearly impossible. If all settings are defined in a Group
>>> Policy, you simply put the second TS in the same Organisational
>>> Unit as the first and it will automatically inherit all
>>> settings.
>>>
>>> There is really only one type of exception to this rule: some
>>> settings cannot be configured through a GPO, but must be
>>> hardcoded directly into the registry. Such changes have to be
>>> made manually on each Terminal Server.
>>>
>>> I see no reason why you shouldn't use your SBS2003 server as DC
>>> in your tests. I've not much experience with SBS, but I am
>>> pretty sure that policies are the same.
>>>
>>> I'm glad to be of help, especially someone who prepares and
>>> tests thoroughly before taking a new service into full
>>> production!
>>>
>>> --
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> http://hem.fyristorg.com/vera/IT
>>> --- please respond in newsgroup, NOT by private email ---
>>>
>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004 in
>>> microsoft.public.windowsnt.terminalserver.setup:
>>>
>>>> Thanks, Vera. The TS is a member server in an AD domain, so I
>>>> will modify the Default Domain Security Policy tomorrow or
>>>> Friday. In the mean time, I am going to play with my test
>>>> setup at home. Before I start, for a 2000 TS member server in
>>>> a 2003 AD domain, are there ANY settings I will be making on
>>>> the 2000 TS itself, or are all settings done on the 2003 DC?
>>>>
>>>> Is there any reason why I **cannot** use my SBS 2003 server as
>>>> the domain controller to do the setup with a 2000 TS as a
>>>> member server for testing? I am assuming the Default Domain
>>>> Security Policy is the same from SBS 2003 as it is in Windows
>>>> Server 2003. If not, I'll build a full-blown 2003 AD server to
>>>> use for testing.
>>>>
>>>> Thanks again...you've been a **REAL BIG** help.
>>>>
>>>> Gregg Hill
>>>>
>>>>
>>>>
>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>> wrote in message
>>>> news:Xns9596A6961F949veranoesthemutforsse@207.46.248.16...
>>>>> OK, it can be tricky to know in which Security Policy you
>>>>> have to give users the right to Log On Locally. It depends on
>>>>> your domain and the role of your Terminal Server in the
>>>>> domain.
>>>>>
>>>>> If your TS is a standalone server in a Workgroup, modify the
>>>>> Local Security Policy on the TS itself.
>>>>>
>>>>> If your TS is a member server in an AD domain, modify the
>>>>> Default Domain Security Policy.
>>>>>
>>>>> If your TS is a Domain Controller in an AD domain (this setup
>>>>> is *not* recommended, but added here for completeness),
>>>>> modify the Default Domain Controller Security Policy.
>>>>>
>>>>> Hope this helps!
>>>>>
>>>>> --
>>>>> Vera Noest
>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>> http://hem.fyristorg.com/vera/IT
>>>>> *----------- Please reply in newsgroup -------------*
>>>>>
>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004:
>>>>>
>>>>>> Hello, Vera!
>>>>>>
>>>>>> Well, I almost had it. I got it where I could log in as the
>>>>>> admin and have the policies applied to restrict everything,
>>>>>> then I made the change in the 816100 article you so kindly
>>>>>> gave to me and it allowed normal admin rights. The only
>>>>>> thing I cannot seem to get past is the "The local policy of
>>>>>> this system does not allow you to log on interactively"
>>>>>> message when I try to log in as a regular user. I had it at
>>>>>> one point, but now it does not work. I have tried all of the
>>>>>> articles you supplied, but I cannot figure out where I went
>>>>>> wrong. Maybe my frustration is blinding me.
>>>>>>
>>>>>> I made the change noted in
>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;246109
>>>>>> to allow local logon, but I must not be doing it in the
>>>>>> right place.
>>>>>>
>>>>>> I wish MS published a step-by-step how-to article! I just
>>>>>> finished building test 2000 and 2003 servers to figure out
>>>>>> what I am doing wrong.
>>>>>>
>>>>>> Thanks for helping a TS novice, Vera.
>>>>>>
>>>>>> Gregg Hill
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>> wrote in message
>>>>>> news:Xns9595AD7E1D52Everanoesthemutforsse@207.46.248.16...
>>>>>>> Gregg,
>>>>>>>
>>>>>>> Hope you've had a good night's sleep! You certainly deserved
>>>>>>> it after going through all those articles!
>>>>>>>
>>>>>>> Maybe this helps to clarify:
>>>>>>> You apply the loopback setting inside the policy that is
>>>>>>> linked to the OU that contains your Terminal Server.
>>>>>>>
>>>>>>> And yes, it would affect all users, but there's a way
>>>>>>> around that as well: deny Administrators the right to
>>>>>>> "Apply this Policy" in the security settings of the GPO.
>>>>>>>
>>>>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>>>>> to Administrator Accounts and Selected Users in Windows
>>>>>>> Server 2003 http://support.microsoft.com/?kbid=816100
>>>>>>>
>>>>>>> --
>>>>>>> Vera Noest
>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>
>>>>>>>
>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 02 nov 2004:
>>>>>>>
>>>>>>>> Vera,
>>>>>>>>
>>>>>>>> Here are a few articles that I am still trying to
>>>>>>>> understand. Maybe I just need to get more sleep.
>>>>>>>>
>>>>>>>> 278295 - How to Lock Down a Windows 2000 Terminal Services
>>>>>>>> Session http://support.microsoft.com/?kbid=278295
>>>>>>>> How do I use the 2003 DC to do this setup and make it
>>>>>>>> apply to the 2000 TS?
>>>>>>>>
>>>>>>>> 260370 - How to Apply Group Policy Objects to Terminal
>>>>>>>> Services Servers http://support.microsoft.com/?kbid=260370
>>>>>>>> If "this OU should not contain users" then how can I
>>>>>>>> restrict Domain Users but not restrict Domain Admins?
>>>>>>>>
>>>>>>>> Loopback Processing of Group Policy
>>>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
>>>>>>>> Where does the loopback get applied? On the DC in a new
>>>>>>>> OU, or on the 2000 TS using a local policy?
>>>>>>>> It looks as though this step will restrict ALL users,
>>>>>>>> including Domain Admins. I only want to restrict regular
>>>>>>>> users.
>>>>>>>>
>>>>>>>> I am going to go to bed!
>>>>>>>>
>>>>>>>> Thank you for all your help!
>>>>>>>>
>>>>>>>> Gregg Hill
>>>>>>>>
>>>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>>>> wrote in message
>>>>>>>> news:Xns95949852CF7CFveranoesthemutforsse@207.46.248.16...
>>>>>>>>> You've got it all correct, Gregg!
>>>>>>>>> W2K Pro and XP Pro clients get a free TS CAL, when they
>>>>>>>>> connect to a W2K TS. No additional licenses required.
>>>>>>>>>
>>>>>>>>> About the Licensing Server: you cannot install it on the
>>>>>>>>> W2K TS, because that is a member server.
>>>>>>>>> Install it on the 2003 DC. The 2003 LS actually contains
>>>>>>>>> the same pool of built-in W2K licenses as a W2K Licensing
>>>>>>>>> Server does, and it will issue those for free to your
>>>>>>>>> clients.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Vera Noest
>>>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>>>
>>>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 01 nov 2004:
>>>>>>>>>
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> I have read a few posts in Google groups regarding
>>>>>>>>>> having a Windows 2000 member server as a Terminal Server
>>>>>>>>>> with a Windows 2003 Active Directory domain controller.
>>>>>>>>>> All clients to the 2000 TS would be Windows 2000
>>>>>>>>>> Professional and XP Professional. As far as I can tell
>>>>>>>>>> from these posts, that would work, and the 2000 TS would
>>>>>>>>>> not require purchasing licenses for each client, since
>>>>>>>>>> they are 2000 Pro and XP Pro and are supposed to pull a
>>>>>>>>>> license from the built in pool on the 2000 TS. Please
>>>>>>>>>> correct me if I am wrong.
>>>>>>>>>>
>>>>>>>>>> One question is, where do I set up the license server:
>>>>>>>>>> on the 2000 TS or on the 2003 domain controller? If the
>>>>>>>>>> 2003 DC has to be the license server, will it recognize
>>>>>>>>>> that the TS is on 2000 and does not require purchasing
>>>>>>>>>> licenses for the XP Pro clients?
>>>>>>>>>>
>>>>>>>>>> Am I anywhere near the mark here?
>>>>>>>>>>
>>>>>>>>>> Thank you for helping!
>>>>>>>>>>
>>>>>>>>>> Gregg Hill
Anonymous
November 8, 2004 2:34:43 PM

Archived from groups: microsoft.public.windowsnt.terminalserver.setup

Apparently, GPs are getting applied differently than the MS documentation
suggests. I started all over again by deleting the GPs and OUs I had created
by following the articles mentioned previously. I opened AD Users and
Computers, created a new OU in the domain and named it "Terminal Server." I
moved the actual terminal server from the Computers group to the new
Terminal Server OU. I added a GP under the Terminal Server OU and named it
Terminal Server Policy. In that Terminal Server Policy, I made my first and
only change, just to test things.

According to the "Locking Down Windows Server 2003 Terminal Server Sessions"
document
http://www.microsoft.com/windowsserver2003/techinfo/ove...
on page 4, third bullet point, I enabled "Interactive logon: Do not display
last user name." After doing this step, when I log onto either of my XP Pro
computers, not the Terminal Server, just the workstations, the user name is
not displayed. Why does this policy get applied when the only thing in the
Terminal Server OU is the actual terminal server?



"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns959A7DDB0F381veranoesthemutforsse@207.46.248.16...
> Mmm, strange. A couple of things that you can check:
>
> * if they don't see the icon at all, check the icon location. Is
> it really located in the All Users Desktop folder?
> * if it *is* located in the All Users desktop folder, but users
> still don't see it, maybe you have been experimenting with Folder
> redirection? And used a GPO to redirect the users' desktop folder
> to a custom folder?
> * if they see the icon, but as a generic icon, and can't use it,
> then it is located in the All Users Desktop folder, but has
> incorrect permissions. That happens easily when you move an icon
> as Administrator, because moving something within the same disk
> doesn't change the ownership or the permissions.
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "Gregg Hill" <bogus@nowhere.com> wrote on 07 nov 2004 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Hello, Vera!
>>
>> I got my test setup running (SBS 2003 DC, 2000 TS member server,
>> XP Pro SP2 client) and almost everything works as it should.
>>
>> One thing I cannot understand is that when I put an icon on the
>> All Users desktop, a normal user does not see it when they log
>> into the TS. Admin users do see the icon. I am working on it,
>> though!
>>
>> Gregg Hill
>>
>>
>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9596EFA7DF323veranoesthemutforsse@207.46.248.16...
>>> I assume that with "are all settings done on the 2003 DC?" you
>>> mean that you configure your Group Policy from the 2003 DC. If
>>> so, yes, all configuration should be done there, for 2 reasons:
>>>
>>> * If you configure a setting directly on your member server,
>>> and you happen to have a conflicting configuration in your
>>> Group Policy, things get messy. Does the Group Policy allow
>>> that settings are overridden by a local policy? Life is much
>>> easier if you configure all of your settings in a centrally
>>> stored and managed Group Policy.
>>>
>>> * The second reason is also management related:
>>> Once your company grows, or applications demand more resources,
>>> you might want to install a second Terminal Server. Duplicating
>>> the exact same settings to the second TS manually will be
>>> nearly impossible. If all settings are defined in a Group
>>> Policy, you simply put the second TS in the same Organisational
>>> Unit as the first and it will automatically inherit all
>>> settings.
>>>
>>> There is really only one type of exception to this rule: some
>>> settings cannot be configured through a GPO, but must be
>>> hardcoded directly into the registry. Such changes have to be
>>> made manually on each Terminal Server.
>>>
>>> I see no reason why you shouldn't use your SBS2003 server as DC
>>> in your tests. I've not much experience with SBS, but I am
>>> pretty sure that policies are the same.
>>>
>>> I'm glad to be of help, especially someone who prepares and
>>> tests thoroughly before taking a new service into full
>>> production!
>>>
>>> --
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> http://hem.fyristorg.com/vera/IT
>>> --- please respond in newsgroup, NOT by private email ---
>>>
>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004 in
>>> microsoft.public.windowsnt.terminalserver.setup:
>>>
>>>> Thanks, Vera. The TS is a member server in an AD domain, so I
>>>> will modify the Default Domain Security Policy tomorrow or
>>>> Friday. In the meantime, I am going to play with my test
>>>> setup at home. Before I start, for a 2000 TS member server in
>>>> a 2003 AD domain, are there ANY settings I will be making on
>>>> the 2000 TS itself, or are all settings done on the 2003 DC?
>>>>
>>>> Is there any reason why I **cannot** use my SBS 2003 server as
>>>> the domain controller to do the setup with a 2000 TS as a
>>>> member server for testing? I am assuming the Default Domain
>>>> Security Policy is the same from SBS 2003 as it is in Windows
>>>> Server 2003. If not, I'll build a full-blown 2003 AD server to
>>>> use for testing.
>>>>
>>>> Thanks again...you've been a **REAL BIG** help.
>>>>
>>>> Gregg Hill
>>>>
>>>>
>>>>
>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>> wrote in message
>>>> news:Xns9596A6961F949veranoesthemutforsse@207.46.248.16...
>>>>> OK, it can be tricky to know in which Security Policy you
>>>>> have to give users the right to Log On Locally. It depends on
>>>>> your domain and the role of your Terminal Server in the
>>>>> domain.
>>>>>
>>>>> If your TS is a standalone server in a Workgroup, modify the
>>>>> Local Security Policy on the TS itself.
>>>>>
>>>>> If your TS is a member server in an AD domain, modify the
>>>>> Default Domain Security Policy.
>>>>>
>>>>> If your TS is a Domain Controller in an AD domain (this setup
>>>>> is *not* recommended, but added here for completeness),
>>>>> modify the Default Domain Controller Security Policy.
>>>>>
>>>>> Hope this helps!
>>>>>
>>>>> --
>>>>> Vera Noest
>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>> http://hem.fyristorg.com/vera/IT
>>>>> *----------- Please reply in newsgroup -------------*
>>>>>
>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004:
>>>>>
>>>>>> Hello, Vera!
>>>>>>
>>>>>> Well, I almost had it. I got it where I could log in as the
>>>>>> admin and have the policies applied to restrict everything,
>>>>>> then I made the change in the 816100 article you so kindly
>>>>>> gave to me and it allowed normal admin rights. The only
>>>>>> thing I cannot seem to get past is the "The local policy of
>>>>>> this system does not allow you to log on interactively"
>>>>>> message when I try to log in as a regular user. I had it at
>>>>>> one point, but now it does not work. I have tried all of the
>>>>>> articles you supplied, but I cannot figure out where I went
>>>>>> wrong. Maybe my frustration is blinding me.
>>>>>>
>>>>>> I made the change noted in
>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;246109
>>>>>> to allow local logon, but I must not be doing it in the
>>>>>> right place.
>>>>>>
>>>>>> I wish MS published a step-by-step how-to article! I just
>>>>>> finished building test 2000 and 2003 servers to figure out
>>>>>> what I am doing wrong.
>>>>>>
>>>>>> Thanks for helping a TS novice, Vera.
>>>>>>
>>>>>> Gregg Hill
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>> wrote in message
>>>>>> news:Xns9595AD7E1D52Everanoesthemutforsse@207.46.248.16...
>>>>>>> Gregg,
>>>>>>>
>>>>>>> Hope you've had a good night's sleep! You certainly deserved
>>>>>>> it after going through all those articles!
>>>>>>>
>>>>>>> Maybe this helps to clarify:
>>>>>>> You apply the loopback setting inside the policy that is
>>>>>>> linked to the OU that contains your Terminal Server.
>>>>>>>
>>>>>>> And yes, it would affect all users, but there's a way
>>>>>>> around that as well: deny Administrators the right to
>>>>>>> "Apply this Policy" in the security settings of the GPO.
>>>>>>>
>>>>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>>>>> to Administrator Accounts and Selected Users in Windows
>>>>>>> Server 2003 http://support.microsoft.com/?kbid=816100
>>>>>>>
>>>>>>> --
>>>>>>> Vera Noest
>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>
>>>>>>>
>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 02 nov 2004:
>>>>>>>
>>>>>>>> Vera,
>>>>>>>>
>>>>>>>> Here are a few articles that I am still trying to
>>>>>>>> understand. Maybe I just need to get more sleep.
>>>>>>>>
>>>>>>>> 278295 - How to Lock Down a Windows 2000 Terminal Services
>>>>>>>> Session http://support.microsoft.com/?kbid=278295
>>>>>>>> How do I use the 2003 DC to do this setup and make it
>>>>>>>> apply to the 2000 TS?
>>>>>>>>
>>>>>>>> 260370 - How to Apply Group Policy Objects to Terminal
>>>>>>>> Services Servers http://support.microsoft.com/?kbid=260370
>>>>>>>> If "this OU should not contain users" then how can I
>>>>>>>> restrict Domain Users but not restrict Domain Admins?
>>>>>>>>
>>>>>>>> Loopback Processing of Group Policy
>>>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;231287
>>>>>>>> Where does the loopback get applied? On the DC in a new
>>>>>>>> OU, or on the 2000 TS using a local policy?
>>>>>>>> It looks as though this step will restrict ALL users,
>>>>>>>> including Domain Admins. I only want to restrict regular
>>>>>>>> users.
>>>>>>>>
>>>>>>>> I am going to go to bed!
>>>>>>>>
>>>>>>>> Thank you for all your help!
>>>>>>>>
>>>>>>>> Gregg Hill
>>>>>>>>
>>>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>>>> wrote in message
>>>>>>>> news:Xns95949852CF7CFveranoesthemutforsse@207.46.248.16...
>>>>>>>>> You've got it all correct, Gregg!
>>>>>>>>> W2K Pro and XP Pro clients get a free TS CAL, when they
>>>>>>>>> connect to a W2K TS. No additional licenses required.
>>>>>>>>>
>>>>>>>>> About the Licensing Server: you cannot install it on the
>>>>>>>>> W2K TS, because that is a member server.
>>>>>>>>> Install it on the 2003 DC. The 2003 LS actually contains
>>>>>>>>> the same pool of built-in W2K licenses as a W2K Licensing
>>>>>>>>> Server does, and it will issue those for free to your
>>>>>>>>> clients.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Vera Noest
>>>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>>>> http://hem.fyristorg.com/vera/IT
>>>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>>>
>>>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 01 nov 2004:
>>>>>>>>>
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> I have read a few posts in Google groups regarding
>>>>>>>>>> having a Windows 2000 member server as a Terminal Server
>>>>>>>>>> with a Windows 2003 Active Directory domain controller.
>>>>>>>>>> All clients to the 2000 TS would be Windows 2000
>>>>>>>>>> Professional and XP Professional. As far as I can tell
>>>>>>>>>> from these posts, that would work, and the 2000 TS would
>>>>>>>>>> not require purchasing licenses for each client, since
>>>>>>>>>> they are 2000 Pro and XP Pro and are supposed to pull a
>>>>>>>>>> license from the built in pool on the 2000 TS. Please
>>>>>>>>>> correct me if I am wrong.
>>>>>>>>>>
>>>>>>>>>> One question is, where do I set up the license server:
>>>>>>>>>> on the 2000 TS or on the 2003 domain controller? If the
>>>>>>>>>> 2003 DC has to be the license server, will it recognize
>>>>>>>>>> that the TS is on 2000 and does not require purchasing
>>>>>>>>>> licenses for the XP Pro clients?
>>>>>>>>>>
>>>>>>>>>> Am I anywhere near the mark here?
>>>>>>>>>>
>>>>>>>>>> Thank you for helping!
>>>>>>>>>>
>>>>>>>>>> Gregg Hill
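
The loopback and "Apply this Policy" deny arrangement described in the quoted replies above, modelled as an added Python example (not part of the original thread and not a Microsoft tool): a simplified resolver showing which user settings result for a regular user and an administrator on the Terminal Server and on a workstation. The domain name, the setting labels, and the use of Domain Admins as the denied group are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)      # user-configuration settings
    computer: dict = field(default_factory=dict)  # computer-configuration settings
    deny_apply: frozenset = frozenset()           # groups denied "Apply Group Policy"

    def applies_to(self, groups):
        # A Deny entry wins over the default Allow for Authenticated Users.
        return not (self.deny_apply & set(groups))

def gpos_for(path, links):
    """GPOs linked along a container path (domain first, then OU), in order."""
    return [g for container in path for g in links.get(container, [])]

def computer_settings(comp_path, comp_groups, links):
    out = {}
    for g in gpos_for(comp_path, links):
        if g.applies_to(comp_groups):
            out.update(g.computer)  # later (closer) GPOs win
    return out

def user_settings(user_path, user_groups, comp_path, comp_groups, links):
    # Loopback is a computer setting: it changes where user settings come from.
    mode = computer_settings(comp_path, comp_groups, links).get("loopback")
    if mode == "replace":
        chain = gpos_for(comp_path, links)
    elif mode == "merge":
        chain = gpos_for(user_path, links) + gpos_for(comp_path, links)
    else:
        chain = gpos_for(user_path, links)
    out = {}
    for g in chain:
        if g.applies_to(user_groups):  # filtering is checked against the user
            out.update(g.user)
    return out

def demo():
    # Constructed sample data; only the OU and GPO names come from the thread.
    domain_policy = GPO("Default Domain Policy", user={"Screen saver timeout": 600})
    ts_policy = GPO("Terminal Server Policy",
                    user={"Remove Run from Start Menu": True},
                    computer={"loopback": "replace"},
                    deny_apply=frozenset({"Domain Admins"}))
    links = {"example.local": [domain_policy], "Terminal Server": [ts_policy]}
    ts = ["example.local", "Terminal Server"]
    ws = ["example.local", "Computers"]
    users = ["example.local", "Users"]
    regular, admin = {"Domain Users"}, {"Domain Users", "Domain Admins"}
    return {
        "regular on TS": user_settings(users, regular, ts, set(), links),
        "admin on TS": user_settings(users, admin, ts, set(), links),
        "regular on workstation": user_settings(users, regular, ws, set(), links),
    }

if __name__ == "__main__":
    for who, settings in demo().items():
        print(f"{who}: {settings}")
```
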