Lock down terminal server?

Archived from groups: microsoft.public.win2000.group_policy

Hi there,

We have a 2k3 terminal server and some workstations. Users log on to the
terminal server through their workstations. Because the server also
functions as DC and file server, we want to lock the normal users down to
allow them to use a specific software application only. We achieved this by
linking a GPO to the OU where the users are placed. This works fine except
one problem, that is, when the users log on to their workstations, they are
also locked down, because the workstations are added to the domain. This is
not what we want. We want the users to have full control to their
workstations.

Can anyone tell me how to achieve this?
  1. Archived from groups: microsoft.public.win2000.group_policy

    You will need to put your terminal servers in an OU. Then set your policy on
    that OU. Make sure you are using loopback processing mode with the replace
    option.

    "Anna Colton" wrote:

    > Hi there,
    >
    > We have a 2k3 terminal server and some workstations. Users log on to the
    > terminal server through their workstations. Because the server also
    > functions as DC and file server, we want to lock the normal users down to
    > allow them to use a specific software application only. We achieved this
    > by linking a GPO to the OU where the users are placed. This works fine
    > except one problem, that is, when the users log on to their workstations,
    > they are also locked down, because the workstations are added to the
    > domain. This is not what we want. We want the users to have full control
    > to their workstations.
    >
    > Can anyone tell me how to achieve this?
  2. Archived from groups: microsoft.public.win2000.group_policy

    If I do this, then everyone, including system admin, will be locked down. Is
    this true? We don't want to lock down system admin.

    "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > You will need to put your terminal servers in an OU. Then set your policy
    > on that OU. Make sure you are using loopback processing mode with the
    > replace option.
    >
    > "Anna Colton" wrote:
    >
    > > Hi there,
    > >
    > > We have a 2k3 terminal server and some workstations. Users log on to the
    > > terminal server through their workstations. Because the server also
    > > functions as DC and file server, we want to lock the normal users down to
    > > allow them to use a specific software application only. We achieved this
    > > by linking a GPO to the OU where the users are placed. This works fine
    > > except one problem, that is, when the users log on to their workstations,
    > > they are also locked down, because the workstations are added to the
    > > domain. This is not what we want. We want the users to have full control
    > > to their workstations.
    > >
    > > Can anyone tell me how to achieve this?
  3. Archived from groups: microsoft.public.win2000.group_policy

    Anna,

    Not true. Well, er, by default, yes. That is true. However, what you do
    is to remove the Authenticated Users from the Security tab of the GPO and
    replace it with the Security Group of your choice ( possibly create one
    specifically for this situation if one does not already exist ). Just make
    sure to give this group both the READ and APPLY GROUP POLICY.

    Does this help you? If you need I have the MSKB Articles that explain this
    process. The one showing you what settings to configure is a good starting
    guide but you might want to play with it. There will be modifications
    needed! I would also suggest that you lock down the file system per Patrick
    Rouse's suggestions ( he is very active in the Terminal Server news
    groups ).

    HTH,

    Cary

    "Anna Colton" <annac@abc.com> wrote in message
    news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > If I do this, then everyone, including system admin, will be locked down.
    > Is this true? We don't want to lock down system admin.
    >
    > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > > You will need to put your terminal servers in an OU. Then set your
    > > policy on that OU. Make sure you are using loopback processing mode with
    > > the replace option.
    > >
    > > "Anna Colton" wrote:
    > >
    > > > Hi there,
    > > >
    > > > We have a 2k3 terminal server and some workstations. Users log on to
    > > > the terminal server through their workstations. Because the server
    > > > also functions as DC and file server, we want to lock the normal users
    > > > down to allow them to use a specific software application only. We
    > > > achieved this by linking a GPO to the OU where the users are placed.
    > > > This works fine except one problem, that is, when the users log on to
    > > > their workstations, they are also locked down, because the
    > > > workstations are added to the domain. This is not what we want. We
    > > > want the users to have full control to their workstations.
    > > >
    > > > Can anyone tell me how to achieve this?
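The two steps the thread gives (JSilva's reply: put the terminal servers in their own OU and enable loopback processing in Replace mode; Cary's reply: drop Authenticated Users from the GPO's security filtering and give a security group of your choice both Read and Apply Group Policy) fit together as one procedure. The following PowerShell is an added example, not code from the thread or from Microsoft; it uses the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later, which did not exist in 2004, but it writes exactly the settings the GPMC GUI writes. The GPO name "TS User Lockdown", the OU "Terminal Servers", the group "TS Restricted Users" and the domain example.local are assumptions for illustration.

```powershell
# Added example (not from the thread): lock down a Terminal Server OU with
# loopback Replace mode plus group-based security filtering.
# Assumed names: GPO "TS User Lockdown", OU "Terminal Servers",
# group "TS Restricted Users", domain example.local.
Import-Module GroupPolicy

$gpoName   = 'TS User Lockdown'
$targetOU  = 'OU=Terminal Servers,DC=example,DC=local'
$userGroup = 'TS Restricted Users'   # ordinary users only; admins are NOT members

# 1. Create the GPO and link it to the OU that holds the terminal server
#    computer objects, not the OU that holds the users. That is what keeps the
#    lockdown off the users' own workstations.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# 2. Loopback processing, Replace mode: while a user is logged on to a computer
#    in this OU, the user settings of GPOs linked here replace the user
#    settings that would normally follow the user. UserPolicyMode 2 = Replace,
#    1 = Merge (same value the GUI setting "User Group Policy loopback
#    processing mode" writes).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Security filtering. Authenticated Users keeps Read only (-Replace drops its
#    default Apply Group Policy), so the GPO can still be retrieved but is not
#    applied to everybody who logs on. The restricted-user group gets
#    Read + Apply Group Policy (GpoApply implies Read). Administrators are
#    not in that group, so the user lockdown never applies to them.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $userGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# The terminal server's own computer account must also apply the GPO, or the
# loopback setting from step 2 never reaches it. "Domain Computers" is an
# assumption here; a group containing only the terminal servers is tighter.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Verify: the user group and the computer group should show GpoApply,
#    Authenticated Users only GpoRead.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

Run it once from a domain-joined admin workstation with GPMC installed, then `gpupdate /force` on the terminal server and log on as a member of the restricted group to confirm the lockdown, and as an administrator to confirm it does not apply. The split in step 3 is the detail that answers the follow-up concern in this thread: filtering decides who the user settings apply to, while the computer account still needs Apply so that the loopback switch itself takes effect.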
  4. Archived from groups: microsoft.public.win2000.group_policy

    Hi Cary,

    Thanks for help! I'll give it a try and get back to you. Yes, could you
    please send me the KB articles you mentioned? Are they just URLs, or doc
    files?

    Ta!

    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:OBEDENgtEHA.1216@TK2MSFTNGP10.phx.gbl...
    > Anna,
    >
    > Not true. Well, er, by default, yes. That is true. However, what you do
    > is to remove the Authenticated Users from the Security tab of the GPO and
    > replace it with the Security Group of your choice ( possibly create one
    > specifically for this situation if one does not already exist ). Just
    > make sure to give this group both the READ and APPLY GROUP POLICY.
    >
    > Does this help you? If you need I have the MSKB Articles that explain
    > this process. The one showing you what settings to configure is a good
    > starting guide but you might want to play with it. There will be
    > modifications needed! I would also suggest that you lock down the file
    > system per Patrick Rouse's suggestions ( he is very active in the
    > Terminal Server news groups ).
    >
    > HTH,
    >
    > Cary
    >
    > "Anna Colton" <annac@abc.com> wrote in message
    > news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > > If I do this, then everyone, including system admin, will be locked
    > > down. Is this true? We don't want to lock down system admin.
    > >
    > > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > > news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > > > You will need to put your terminal servers in an OU. Then set your
    > > > policy on that OU. Make sure you are using loopback processing mode
    > > > with the replace option.
    > > >
    > > > "Anna Colton" wrote:
    > > >
    > > > > Hi there,
    > > > >
    > > > > We have a 2k3 terminal server and some workstations. Users log on to
    > > > > the terminal server through their workstations. Because the server
    > > > > also functions as DC and file server, we want to lock the normal
    > > > > users down to allow them to use a specific software application
    > > > > only. We achieved this by linking a GPO to the OU where the users
    > > > > are placed. This works fine except one problem, that is, when the
    > > > > users log on to their workstations, they are also locked down,
    > > > > because the workstations are added to the domain. This is not what
    > > > > we want. We want the users to have full control to their
    > > > > workstations.
    > > > >
    > > > > Can anyone tell me how to achieve this?
  5. Archived from groups: microsoft.public.win2000.group_policy

    Anna,

    You are welcome. Here they are:

    http://support.microsoft.com/?id=278295
    http://support.microsoft.com/?kbid=315675

    HTH,

    Cary


    "Anna Colton" <annac@abc.com> wrote in message
    news:4175b8ea$0$15678$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > Hi Cary,
    >
    > Thanks for help! I'll give it a try and get back to you. Yes, could you
    > please send me the KB articles you mentioned? Are they just URLs, or doc
    > files?
    >
    > Ta!
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:OBEDENgtEHA.1216@TK2MSFTNGP10.phx.gbl...
    > > Anna,
    > >
    > > Not true. Well, er, by default, yes. That is true. However, what you
    > > do is to remove the Authenticated Users from the Security tab of the
    > > GPO and replace it with the Security Group of your choice ( possibly
    > > create one specifically for this situation if one does not already
    > > exist ). Just make sure to give this group both the READ and APPLY
    > > GROUP POLICY.
    > >
    > > Does this help you? If you need I have the MSKB Articles that explain
    > > this process. The one showing you what settings to configure is a good
    > > starting guide but you might want to play with it. There will be
    > > modifications needed! I would also suggest that you lock down the file
    > > system per Patrick Rouse's suggestions ( he is very active in the
    > > Terminal Server news groups ).
    > >
    > > HTH,
    > >
    > > Cary
    > >
    > > "Anna Colton" <annac@abc.com> wrote in message
    > > news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > > > If I do this, then everyone, including system admin, will be locked
    > > > down. Is this true? We don't want to lock down system admin.
    > > >
    > > > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > > > news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > > > > You will need to put your terminal servers in an OU. Then set your
    > > > > policy on that OU. Make sure you are using loopback processing mode
    > > > > with the replace option.
    > > > >
    > > > > "Anna Colton" wrote:
    > > > >
    > > > > > Hi there,
    > > > > >
    > > > > > We have a 2k3 terminal server and some workstations. Users log on
    > > > > > to the terminal server through their workstations. Because the
    > > > > > server also functions as DC and file server, we want to lock the
    > > > > > normal users down to allow them to use a specific software
    > > > > > application only. We achieved this by linking a GPO to the OU
    > > > > > where the users are placed. This works fine except one problem,
    > > > > > that is, when the users log on to their workstations, they are
    > > > > > also locked down, because the workstations are added to the
    > > > > > domain. This is not what we want. We want the users to have full
    > > > > > control to their workstations.
    > > > > >
    > > > > > Can anyone tell me how to achieve this?
  6. Archived from groups: microsoft.public.win2000.group_policy

    Hi Cary,

    Thanks for your useful input!! I think we have nearly fixed the problem.
    Only one thing needs to be done. Not wanting to touch and play with the real
    terminal server before I understand how the GP stuff works, I tried on a
    workstation machine, and it worked as I expected. Now I think it is time to try
    on the real terminal server. But the problem is this terminal server also
    functions as the AD and DNS. I cannot create an OU and move the server into
    it (can I?). What should I do? I guess it should be the domain controller to
    which I link my GPO. Please give some more detailed instructions?

    Another question is, when I add my Security Group to replace the
    Authenticated Users, I found that the group must be "Global". "Domain local"
    group just doesn't work. This really confuses me. To me it looks like the
    same, because I have only one domain in our network. A domain local group
    should be the same as a global group in an only-one-domain environment.

    Thanks once again. You guys are really great!!

    Anna

    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:OBEDENgtEHA.1216@TK2MSFTNGP10.phx.gbl...
    > Anna,
    >
    > Not true. Well, er, by default, yes. That is true. However, what you do
    > is to remove the Authenticated Users from the Security tab of the GPO and
    > replace it with the Security Group of your choice ( possibly create one
    > specifically for this situation if one does not already exist ). Just
    > make sure to give this group both the READ and APPLY GROUP POLICY.
    >
    > Does this help you? If you need I have the MSKB Articles that explain
    > this process. The one showing you what settings to configure is a good
    > starting guide but you might want to play with it. There will be
    > modifications needed! I would also suggest that you lock down the file
    > system per Patrick Rouse's suggestions ( he is very active in the
    > Terminal Server news groups ).
    >
    > HTH,
    >
    > Cary
    >
    > "Anna Colton" <annac@abc.com> wrote in message
    > news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > > If I do this, then everyone, including system admin, will be locked
    > > down. Is this true? We don't want to lock down system admin.
    > >
    > > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > > news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > > > You will need to put your terminal servers in an OU. Then set your
    > > > policy on that OU. Make sure you are using loopback processing mode
    > > > with the replace option.
    > > >
    > > > "Anna Colton" wrote:
    > > >
    > > > > Hi there,
    > > > >
    > > > > We have a 2k3 terminal server and some workstations. Users log on to
    > > > > the terminal server through their workstations. Because the server
    > > > > also functions as DC and file server, we want to lock the normal
    > > > > users down to allow them to use a specific software application
    > > > > only. We achieved this by linking a GPO to the OU where the users
    > > > > are placed. This works fine except one problem, that is, when the
    > > > > users log on to their workstations, they are also locked down,
    > > > > because the workstations are added to the domain. This is not what
    > > > > we want. We want the users to have full control to their
    > > > > workstations.
    > > > >
    > > > > Can anyone tell me how to achieve this?
  7. Archived from groups: microsoft.public.win2000.group_policy

    Anna,

    You are welcome. Glad to be of help.

    Running Terminal Services on a Domain Controller is a bad idea. Now, having
    said that I realize that people have been doing it for a long time and that
    that SBS2000 ( a nice little product in the right 'market' ) allows this.
    Please notice that in SBS2003 you actually need to have a second server on
    which to run Terminal Services. SBS2003 does not allow you to run Terminal
    Services in Application Mode ( yeah, yeah, yeah. I know that it is called
    something else in the 2003 version! ).

    I have never used a GPO to lock down a Terminal Server when that system was
    a Domain Controller. Other than the SBS environments, I have never run
    Terminal Services on anything other than a Member Server.

    Now, to your questions: can you move the computer object out of the Domain
    Controllers OU? Well, yes, you can. Should you do it? Probably not. The
    Default Domain Controller Policy will actually follow the computer object.
    Well, IIRC. I would not suggest that you play with this, though.

    Anna, I would really strongly suggest taking a machine ( any machine that
    meets the hardware requirements - and are there any around anymore that
    don't? ) and load WIN2000 Server and then Terminal Server and then take a
    second machine and install WIN2000 Pro and play. I would simply attach
    these two machines to a little hub or switch that are completely
    'disconnected' from your production environment ( although you really would
    not have to worry too much as they would be completely different forests.
    Still, why take a chance? ).

    HTH,

    Cary

    "Anna Colton" <annac@abc.com> wrote in message
    news:41787533$0$23017$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > Hi Cary,
    >
    > Thanks for your useful input!! I think we have nearly fixed the problem.
    > Only one thing needs to be done. Not wanting to touch and play with the
    > real terminal server before I understand how the GP stuff works, I tried
    > on a workstation machine, and it worked as I expected. Now I think it is
    > time to try on the real terminal server. But the problem is this terminal
    > server also functions as the AD and DNS. I cannot create an OU and move
    > the server into it (can I?). What should I do? I guess it should be the
    > domain controller to which I link my GPO. Please give some more detailed
    > instructions?
    >
    > Another question is, when I add my Security Group to replace the
    > Authenticated Users, I found that the group must be "Global". "Domain
    > local" group just doesn't work. This really confuses me. To me it looks
    > like the same, because I have only one domain in our network. A domain
    > local group should be the same as a global group in an only-one-domain
    > environment.
    >
    > Thanks once again. You guys are really great!!
    >
    > Anna
    >
    > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    > news:OBEDENgtEHA.1216@TK2MSFTNGP10.phx.gbl...
    > > Anna,
    > >
    > > Not true. Well, er, by default, yes. That is true. However, what you
    > > do is to remove the Authenticated Users from the Security tab of the
    > > GPO and replace it with the Security Group of your choice ( possibly
    > > create one specifically for this situation if one does not already
    > > exist ). Just make sure to give this group both the READ and APPLY
    > > GROUP POLICY.
    > >
    > > Does this help you? If you need I have the MSKB Articles that explain
    > > this process. The one showing you what settings to configure is a good
    > > starting guide but you might want to play with it. There will be
    > > modifications needed! I would also suggest that you lock down the file
    > > system per Patrick Rouse's suggestions ( he is very active in the
    > > Terminal Server news groups ).
    > >
    > > HTH,
    > >
    > > Cary
    > >
    > > "Anna Colton" <annac@abc.com> wrote in message
    > > news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > > > If I do this, then everyone, including system admin, will be locked
    > > > down. Is this true? We don't want to lock down system admin.
    > > >
    > > > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > > > news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > > > > You will need to put your terminal servers in an OU. Then set your
    > > > > policy on that OU. Make sure you are using loopback processing mode
    > > > > with the replace option.
    > > > >
    > > > > "Anna Colton" wrote:
    > > > >
    > > > > > Hi there,
    > > > > >
    > > > > > We have a 2k3 terminal server and some workstations. Users log on
    > > > > > to the terminal server through their workstations. Because the
    > > > > > server also functions as DC and file server, we want to lock the
    > > > > > normal users down to allow them to use a specific software
    > > > > > application only. We achieved this by linking a GPO to the OU
    > > > > > where the users are placed. This works fine except one problem,
    > > > > > that is, when the users log on to their workstations, they are
    > > > > > also locked down, because the workstations are added to the
    > > > > > domain. This is not what we want. We want the users to have full
    > > > > > control to their workstations.
    > > > > >
    > > > > > Can anyone tell me how to achieve this?
  8. Archived from groups: microsoft.public.win2000.group_policy

    Lock down the file system? Yes, this is what we want to do. I've tried to
    find the related material from Patrick Rouse, but failed. Could you please
    recommend some to me? Ta!

    "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
    news:OBEDENgtEHA.1216@TK2MSFTNGP10.phx.gbl...
    > Anna,
    >
    > Not true. Well, er, by default, yes. That is true. However, what you do
    > is to remove the Authenticated Users from the Security tab of the GPO and
    > replace it with the Security Group of your choice ( possibly create one
    > specifically for this situation if one does not already exist ). Just
    > make sure to give this group both the READ and APPLY GROUP POLICY.
    >
    > Does this help you? If you need I have the MSKB Articles that explain
    > this process. The one showing you what settings to configure is a good
    > starting guide but you might want to play with it. There will be
    > modifications needed! I would also suggest that you lock down the file
    > system per Patrick Rouse's suggestions ( he is very active in the
    > Terminal Server news groups ).
    >
    > HTH,
    >
    > Cary
    >
    > "Anna Colton" <annac@abc.com> wrote in message
    > news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
    > > If I do this, then everyone, including system admin, will be locked
    > > down. Is this true? We don't want to lock down system admin.
    > >
    > > "JSilva" <JSilva@discussions.microsoft.com> wrote in message
    > > news:DCF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
    > > > You will need to put your terminal servers in an OU. Then set your
    > > > policy on that OU. Make sure you are using loopback processing mode
    > > > with the replace option.
    > > >
    > > > "Anna Colton" wrote:
    > > >
    > > > > Hi there,
    > > > >
    > > > > We have a 2k3 terminal server and some workstations. Users log on to
    > > > > the terminal server through their workstations. Because the server
    > > > > also functions as DC and file server, we want to lock the normal
    > > > > users down to allow them to use a specific software application
    > > > > only. We achieved this by linking a GPO to the OU where the users
    > > > > are placed. This works fine except one problem, that is, when the
    > > > > users log on to their workstations, they are also locked down,
    > > > > because the workstations are added to the domain. This is not what
    > > > > we want. We want the users to have full control to their
    > > > > workstations.
    > > > >
    > > > > Can anyone tell me how to achieve this?