Lock down terminal server?

  • Thread starter Thread starter Anna Colton
  • Start date Start date
A

Anna Colton

Hi there,

We have a 2k3 terminal server and some workstations. Users log on to the
terminal server through their workstations. Because the server also
functions as DC and file server, we want to lock the normal users down to
allow them to use a specific software application only. We achieved this by
linking a GPO to the OU where the users are placed. This works fine except
one problem, that is, when the users log on to their workstations, they are
also locked down, because the workstations are added to the domain. This is
not what we want. We want the users to have full control to their
worksatations.

Can anyone tell me how to achieve this?
 
You will need to put your terminal servers in an OU. Then set your policy on
that ou. Make sure you are using loopback processing mode with the replace
option.
 
If I do this, then everyone, including system admin, will be locked down. Is
this true? We don't want to lock down system admin.
 
Anna,

Not true. Well, er, by default, yes. That is true. However, what you do
is to remove the Authenticated Users from the Security tab of the GPO and
replace it with the Security Group of your choice ( possibly create one
specifically for this situation if one does not already exist ). Just make
sure to give this group both the READ and APPLY GROUP POLICY.

Does this help you? If you need I have the MSKB Articles that explain this
process. The one showing you what settings to configure is a good starting
guide but you might want to play with it. There will be modifications
needed! I would also suggest that you lock down the file system per Patrick
Rouse's suggestions ( he is very active in the Terminal Server news
groups ).

HTH,

Cary
 
Hi Cary,

Thanks for help! I'll give it a try and get back to you. Yes, could you
please send me the KB articles you mentioned? Are they just URLs, or doc
files?

Ta!
 
Hi Cary,

Thanks for your useful input!! I think we have nearly fixed the problem.
Only one thing needs to be done. Not wanting to touch and play with the real
terminal server before I understand how the GP stuff works, I tried on a
workstation machine, and it worked as I expected. Now I think is time to try
on the real terminal server. But the problem is this terminal server also
functions as the AD and DNS. I cannot create an OU and move the server into
it (can I?). What should I do? I guess it should be the domain controller to
which I link my GPO. Please give some more detailed instructions?

Another question is, when I add my Securiy Group to replace the
Authenticated Users, I found that the group must be "Global". "Domain local"
group just doesn't work. This really confuses me. To me it looks like the
same, because I have only one domain in our network. A domain local group
should be the same as a global group in an only-one-domain environment.

Thanks once again. You guys are really great!!

Anna
 
Anna,

You are welcome. Glad to be of help.

Running Terminal Services on a Domain Controller is a bad idea. Now, having
said that I realize that people have been doing it for a long time and that
with SBS2000 ( a nice little product in the right 'market' ) allows this.
Please notice that in SBS2003 you actually need to have a second server on
which to run Terminal Services. SBS2003 does not allow you to run Terminal
Services in Application Mode ( yeah, yeah, yeah. I know that it is called
something else in the 2003 version! ).

I have never used a GPO to lock down a Terminal Server when that system was
a Domain Controller. Other than the SBS environments, I have never run
Terminal Services on anything other than a Member Server.

Now, to your questions: can you move the computer object out of the Domain
Controllers OU? Well, yes, you can. Should you do it? Probably not. The
Default Domain Controller Policy will actually follow the computer object.
Well, IIRC. I would not suggest that you play with this, though.

Anna, I would really strongly suggest taking a machine ( any machine that
meets the hardware requirements - and are there any around anymore that
don't? ) and load WIN2000 Server and then Terminal Server and then take a
second machine and install WIN2000 Pro and play. I would simply attach
these two machines to a little hub or switch that are completely
'disconnected' from your production environment ( although you really would
not have to worry to much as they would be completely different forests.
Still, why take a chance? ).

HTH,

Cary
 
Lock down the file system? Yes, this is what we want to do. I've tried to
find the related material from Patrick Rouse, but failed. Could you please
recommend some to me? Ta!
 
Back
Top