Archived from groups: microsoft.public.windowsnt.terminalserver.setup (
More info?)
Apparently, GPs are getting applied differently than the MS documentation
suggests. I started all over again by deleting the GPs and OUs I had created
by following the articles mentioned previously. I opened AD Users and
Computers, created a new OU in the domain and named it "Terminal Server." I
moved the actual terminal server from the Computers group to the new
Terminal Server OU. I added a GP under the Terminal Server OU and named it
Terminal Server Policy. In that Terminal Server Policy, I made my first and
only change, just to test things.
According to the "Locking Down Windows Server 2003 Terminal Server Sessions
document
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx
on page 4, third bullet point, I enabled "Interactive logon: Do not display
last user name." After doing this step, when I log onto either of my XP Pro
computers, not the Terminal Server, just the workstations, the user name is
not displayed. Why does this policy get applied when the only thing in the
Terminal Server OU is the actual terminal server?
"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message
news:Xns959A7DDB0F381veranoesthemutforsse@207.46.248.16...
> Mmm, strange. A couple of things that you can check:
>
> * if they don't see the icon at all, check the icon location. Is
> it really located in the All Users Desktop folder?
> * if it *is* located in the All Users desktop folder, but users
> still don't see it, maybe you have been experimenting with Folder
> redirection? And used a GPO to redirect the users desktop folder
> to a custom folder?
> * if they see the icon, but as a generic icon, and can't use it,
> then it is located in the All Users Desktop folder, but has
> incorrect permissions. That happens easily when you move an icon
> as Administrator, because moving something within the same disk
> doesn't change the ownership or the permissions.
>
> --
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
>
http://hem.fyristorg.com/vera/IT
> --- please respond in newsgroup, NOT by private email ---
>
> "Gregg Hill" <bogus@nowhere.com> wrote on 07 nov 2004 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Hello, Vera!
>>
>> I got my test setup running (SBS 2003 DC, 2000 TS member server,
>> XP Pro SP2 client)) and almost everything works as it should.
>>
>> One thing I cannot understand is that when I put an icon on the
>> All Users desktop, a normal user does not see it when they log
>> into the TS. Admin users do see the icon. I am working on it,
>> though!
>>
>> Gregg Hill
>>
>>
>> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote
>> in message
>> news:Xns9596EFA7DF323veranoesthemutforsse@207.46.248.16...
>>>I assume that with "are all settings done on the 2003 DC?" you
>>> mean that you configure your Group Policy from the 2003 DC. If
>>> so, yes, all configuration should be done there, for 2 reasons:
>>>
>>> * If you configure a setting directly on your member server,
>>> and you happen to have a conflicting configuration in your
>>> Group Policy, things get messy. Does the Group Policy allow
>>> that settings are overriden by a local policy? Life is much
>>> easier if you configure all of your settings in a centrally
>>> stored and managed Group Policy.
>>>
>>> * The second reason is also management related:
>>> Once your company grows, or applications demand more resources,
>>> you might want to install a second Terminal Server. Duplicating
>>> the exact same settings to the second TS manually will be
>>> nearly impossible. If all settings are defined in a Group
>>> Policy, you simply put the second TS in the same Organisational
>>> Unit as the first and it will automatically inherit all
>>> settings.
>>>
>>> There is really only one type of exception to this rule: some
>>> settings cannot be configured through a GPO, but must be
>>> hardcoded directly into the registry. Such changes have to be
>>> made manually on each Terminal Server.
>>>
>>> I see no reason why you shouldn't use your SBS2003 server as DC
>>> in your tests. I've not much experience with SBS, but I am
>>> pretty sure that policies are the same.
>>>
>>> I'm glad to be of help, especially someone who prepares and
>>> tests thoroughly before taking a new service into full
>>> production!
>>>
>>> --
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>
http://hem.fyristorg.com/vera/IT
>>> --- please respond in newsgroup, NOT by private email ---
>>>
>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004 in
>>> microsoft.public.windowsnt.terminalserver.setup:
>>>
>>>> Thanks, Vera. The TS is a member server in an AD domain, so I
>>>> will modify the Default Domain Security Policy tomorrow or
>>>> Friday. In the mean time, I am going to play with my test
>>>> setup at home. Before I start, for a 2000 TS member server in
>>>> an 2003 AD domain, are there ANY settings I will be making on
>>>> the 2000 TS itself, or are all settings done on the 2003 DC?
>>>>
>>>> Is there any reason why I **cannot** use my SBS 2003 server as
>>>> the domain controller to do the setup with a 2000 TS as a
>>>> member server for testing? I am assuming the Default Domain
>>>> Security Policy is the same from SBS 2003 as it is in Windows
>>>> Server 2003. If not, I'll build a full-blown 2003 AD server to
>>>> use for testing.
>>>>
>>>> Thanks again...you've been a **REAL BIG** help.
>>>>
>>>> Gregg Hill
>>>>
>>>>
>>>>
>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>> wrote in message
>>>> news:Xns9596A6961F949veranoesthemutforsse@207.46.248.16...
>>>>> OK, it can be tricky to know in which Security Policy you
>>>>> have to give users the right to Log On Locally. It depends on
>>>>> your domain and the role of your Terminal Server in the
>>>>> domain.
>>>>>
>>>>> If your TS is a standalone server in a Workgroup, modify the
>>>>> Local Security Policy on the TS itself.
>>>>>
>>>>> If your TS is a member server in a AD domain, modify the
>>>>> Default Domain Security Policy.
>>>>>
>>>>> If your TS is a Domain Controller in a AD domain (this setup
>>>>> is *not* recommended, but added here for completeness),
>>>>> modify the Default Domain Controller Security Policy.
>>>>>
>>>>> Hopes this helps!
>>>>>
>>>>> --
>>>>> Vera Noest
>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>
http://hem.fyristorg.com/vera/IT
>>>>> *----------- Please reply in newsgroup -------------*
>>>>>
>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 03 nov 2004:
>>>>>
>>>>>> Hello, Vera!
>>>>>>
>>>>>> Well, I almost had it. I got it where I could log in as the
>>>>>> admin and have the policies applied to restrict everything,
>>>>>> then I made the change in the 816100 article you so kindly
>>>>>> gave to me and it allowed normal admin rights. The only
>>>>>> thing I cannot seem to get past is the "The local policy of
>>>>>> this system does not allow you to log on interactively"
>>>>>> message when I try to log in as a regular user. I had it at
>>>>>> one point, but now it does not work. I have tried all of the
>>>>>> articles you supplied, but I cannot figure out where I went
>>>>>> wrong. Maybe my frustration is blinding me
>>>>>>
>>>>>> I made the change noted in
>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-
> us;24610
>>>>>> 9 to allow local logon, but I must not be doing it in the
>>>>>> right place.
>>>>>>
>>>>>> I wish MS published a step-by-step how-to article! I just
>>>>>> finished building test 2000 and 2003 servers to figure out
>>>>>> what I am doing wrong.
>>>>>>
>>>>>> Thanks for helping a TS novice, Vera.
>>>>>>
>>>>>> Gregg Hill
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>> wrote in message
>>>>>> news:Xns9595AD7E1D52Everanoesthemutforsse@207.46.248.16...
>>>>>>> Gregg,
>>>>>>>
>>>>>>> Hope you've had a good nights sleep! You certainly deserved
>>>>>>> it after going through all those articles!
>>>>>>>
>>>>>>> Maybe this helps to clarify:
>>>>>>> You apply the loopback setting inside the policy that is
>>>>>>> linked to the OU that contains your Terminal Server.
>>>>>>>
>>>>>>> And yes, it would affect all users, but there's a way
>>>>>>> around that as well: deny Administrators the right to
>>>>>>> "Apply this Policy" in the security settings of the GPO.
>>>>>>>
>>>>>>> 816100 - How To Prevent Domain Group Policies from Applying
>>>>>>> to Administrator Accounts and Selected Users in Windows
>>>>>>> Server 2003
http://support.microsoft.com/?kbid=816100
>>>>>>>
>>>>>>> --
>>>>>>> Vera Noest
>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>>
http://hem.fyristorg.com/vera/IT
>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>
>>>>>>>
>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 02 nov 2004:
>>>>>>>
>>>>>>>> Vera,
>>>>>>>>
>>>>>>>> Here are a few articles that I am still trying to
>>>>>>>> understand. Maybe I just need to get more sleep.
>>>>>>>>
>>>>>>>> 278295 - How to Lock Down a Windows 2000 Terminal Services
>>>>>>>> Session
http://support.microsoft.com/?kbid=278295
>>>>>>>> How do I use the 2003 DC to do this setup and make it
>>>>>>>> apply to the 2000 TS?
>>>>>>>>
>>>>>>>> 260370 - How to Apply Group Policy Objects to Terminal
>>>>>>>> Services Servers
http://support.microsoft.com/?kbid=260370
>>>>>>>> If "this OU should not contain users" then how can I
>>>>>>>> restrict Domain Users but not restrict Domain Admins?
>>>>>>>>
>>>>>>>> Loopback Processing of Group Policy
>>>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-
>>> us;23128
>>>>>>>> 7 Where does the loopback get applied? On the DC in a new
>>>>>>>> OU, or on the 2000 TS using a local policy?
>>>>>>>> It looks as though this step will restrict ALL users,
>>>>>>>> including Domain Admins. I only want to restrict regular
>>>>>>>> users.
>>>>>>>>
>>>>>>>> I am going to go to bed!
>>>>>>>>
>>>>>>>> Thank you for all your help!
>>>>>>>>
>>>>>>>> Gregg Hill
>>>>>>>>
>>>>>>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se>
>>>>>>>> wrote in message
>>>>>>>> news:Xns95949852CF7CFveranoesthemutforsse@207.46.248.16...
>>>>>>>>> You've got it all correct, Gregg!
>>>>>>>>> W2K Pro and XP Pro clients get a free TS CAL, when they
>>>>>>>>> connect to a W2K TS. No additional licenses required.
>>>>>>>>>
>>>>>>>>> About the Licensing Server: you cannot install it on the
>>>>>>>>> W2K TS, because that is a member server.
>>>>>>>>> Install it on the 2003 DC. The 2003 LS actually contains
>>>>>>>>> the same pool of built-in W2K licenses as a W2K Licensing
>>>>>>>>> Server does, and it will issue those for free to your
>>>>>>>>> clients.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Vera Noest
>>>>>>>>> MCSE,CCEA, Microsoft MVP - Terminal Server
>>>>>>>>>
http://hem.fyristorg.com/vera/IT
>>>>>>>>> *----------- Please reply in newsgroup -------------*
>>>>>>>>>
>>>>>>>>> "Gregg Hill" <bogus@nowhere.com> wrote on 01 nov 2004:
>>>>>>>>>
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> I have read a few posts in Google groups regarding
>>>>>>>>>> having a Windows 2000 member server as a Terminal Server
>>>>>>>>>> with a Windows 2003 Active Directory domain controller.
>>>>>>>>>> All clients to the 2000 TS would be Windows 2000
>>>>>>>>>> Professional and XP Professional. As far as I can tell
>>>>>>>>>> from these posts, that would work, and the 2000 TS would
>>>>>>>>>> not require purchasing licenses for each client, since
>>>>>>>>>> they are 2000 Pro and XP Pro and are supposed to pull a
>>>>>>>>>> license from the built in pool on the 2000 TS. Please
>>>>>>>>>> correct me if I am wrong.
>>>>>>>>>>
>>>>>>>>>> One question is, where do I set up the license server:
>>>>>>>>>> on the 2000 TS or on the 2003 domain controller? If the
>>>>>>>>>> 2003 DC has to be the license server, will it recognize
>>>>>>>>>> that the TS is on 2000 and does not require purchasing
>>>>>>>>>> licenses for the XP Pro clients?
>>>>>>>>>>
>>>>>>>>>> Am I anywhere near the mark here?
>>>>>>>>>>
>>>>>>>>>> Thank you for helping!
>>>>>>>>>>
>>>>>>>>>> Gregg Hill
Facebook
Twitter
Instagram