Myles Duffy
I am not a Windows Admin but am working in a developer group trying to
identify issues we may have running an in-house developed application in
terminal services 2003.
I have been tasked with looking into locking down the terminal services
server and I have a simple question that I am hoping someone can answer. It
may be more of a Windows security / group policy question so this might not
be the place to ask it but since it relates specifically to the Microsoft
document on how to lock down a terminal services server I thought I would
start here and not cross post.
Basically, I've gotten through the MS document on how to lock down a
terminal services server. I've gotten stuff like removing the run from
start menu in user config/Admin Templates/Start Menu & Taskbar working in a
locked down OU.
I've taken the approach of putting user accounts into a lock down OU.
My question is simple: The behavior that I've seen is that if I put a user
account into a locked down OU my policy settings work. However if I instead
put the user account into a Group and put just the Group into my locked down
OU they don't work.
Again, I'm not an admin, I'm a devo trying to get TS locked down and I don't
understand policies completely but I have gotten something to work.
I guess if someone can confirm or deny (or better explain) that putting a
user account into a group and putting the group into a locked down OU does
not have the same result with respect to the policies of the lock down OU as
putting the user directly into the OU I would be most grateful.
BTW, another thing that really had me going was gpupdate. I didn't know
about this but policies are updated/propagated in the background so changing a
policy won't have an immediate effect without running some form of gpupdate
(formerly a command line switch of secedit in Windows 2000). I saw what
appeared to be so many random effects that it had me going for a couple of
hours. They were all due to not letting the policy propagate (and forcing
it to do so with gpupdate really helps).