Terminal Server on Domain Controller (yes, i know)

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Windows 2003 SP1 Domain Controller
Terminal services environment (had to install on DC, only 1 server)
XP/2k workstations
Local profiles


I am hosting an application on a TS server (loads at TS logon as
indicated in TS Configuration.) The users have local profiles on their
systems, but authenticate to the domain via AD (obviously.) When they
use remote desktop to connect to the domain controller's terminal
services environment they authenticate using the very same AD
username/password. Their usernames are in a "Main Office" OU, with a
policy placed on it for folder redirection, among other things, but FD
seems to be a big problem here. When logging off of the terminal
server (sometimes logging on, but not as drastic), the session hangs.
Therefore they need to disconnect and wait for the 1 minute to pass in
order for the server to reset the session. Because they have "Log on
via terminal services" rights as set in the Domain Controller GPO,
local profiles are on the DC for each user. I'm thinking...how can I
authenticate these users to this domain controller's terminal services
without loading their profile, but allow their profile to load when
they log in locally to their machine (and retain the "Main Office"
GPO)? Can I simply start an application for each user that logs in
without having to load/unload a profile? If I have to go the route of
creating new TS user objects for each existing user (which I could if
need be), and putting them in their own OU, what is the most
streamlined way of doing this if they are only using one application
under terminal services? Any suggestions on securing the DC against
these users? Please note that the application they use also brings up
wordpad, so I can't restrict access to that. I know this is a mess, no
IT budget, just started here and trying to secure this server.
Thanks!
 
You cannot logon without a profile, and I would avoid at all costs
to create a separate user account for each user.
But what you should do is define a separate TS-specific profile
for each user in their AD account properties.

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?RGVubmlzIFByb2NvcGlv?=
 
I thought of this. However, the group policy (which includes folder
redirection), which I think might be causing the problem, would still be
inherited for the user's login, would it not? What's the best way to create
a very simple mandatory profile that includes virtually nothing but this
application that I need to run? Any ideas?
Thanks!
 
If you just define a TS-specific roaming profile, users will get a
copy of the Default User profile on the Terminal Server, which
should be without any special settings. If you want to, you can
first modify the Default User profile with a test account.

But it's not really the profile that's your problem (although I
absolutely recommend you to create TS-specific profiles to avoid
profile corruption!), it's the Group Policy with the Folder
Redirection.

In a normal setup, with the TS a member server in the domain, you
could easily solve this problem by defining a separate Group Policy
for the Terminal Server, and use "loopback processing" with the
"Replace" option, to avoid that the Group Policy with the Folder
Redirection affects the users when they log onto the TS.
I'm not sure if this also works when the TS is a Domain Controller.
I always believed that it didn't, but a couple of weeks ago someone
reported that it did work in those situations as well. I haven't
tried it myself, but you could easily test it.

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

=?Utf-8?B?RGVubmlzIFByb2NvcGlv?=
 
Thanks,
I considered trying that out, but wasn't sure exactly what it did, couldn't
follow the description that well. I'm going to try it anyway, but if you
could elaborate I'd appreciate it.
Thanks!
 
You can have a GPO *with* folder redirection, linked to the OU
that contains the user accounts, and a GPO *without* folder
redirection and *with* loopback processing, linked to the OU that
contains the Terminal Server.
When users log on to their workstation, they get the Computer
Configuration from the GPO linked to the OU that contains their
workstation + the User Configuration from the GPO that is linked
to the OU that contains their user account.

When they then log on to the Terminal Server, they get both the
Computer Configuration and the User Configuration from the GPO
that is linked to the OU that contains the TS.

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?RGVubmlzIFByb2NvcGlv?=
 
Back
Top