Using Group Policy for remote users

Scott

Am running a Windows 2000 native domain. Have two domain
controllers, one of them is the Terminal Server running
in application mode. Problem is that some of the users
mistakenly hit either restart or shutdown from home when
they meant to either log off or disconnect. What I would
like to do is to take away that restart/shut down option
from them, but only when they remote in (this is via
RDP). I can take the restart/shut down away from them
but it also takes it away from their office computers
which I don't want. This seems like an easy problem, but
I've run into the proverbial wall.

Thanks in advance for any help.

Scott
 
Are these users members of the Terminal Server's local admin group or do they
have local admin rights? By default non-admin users ONLY have Logoff and
Disconnect in a TS setup. I am using Windows 2003 TS and this is the case
for me. You may want to check it out.

Philip Nunn
 
Philip,

Thanks for the response, they have local admin rights
because one of the programs that they remote in to run
(it's a legal program) requires it.

Any thoughts?

Scott
 
Philip,

You need to use a Loopback policy:

260370 How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?id=260370

278295 How to Lock Down a Windows 2000 Terminal Server Session
http://support.microsoft.com/?id=278295

231287 Loopback Processing of Group Policy
http://support.microsoft.com/?id=231287

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Buz,

Loopback is working well, but one thing: I would like
the Domain Admins group to be able to restart the
Terminal Server remotely. Right now, they can't. Is
there a setting that will allow just the Domain Admins
(or a user) to bypass this policy and be able to restart
while the rest of the domain has to live with log off?

Thanks,

Scott
 
On the permissions of the GPO itself give Domain Admins (or another group
you had created) DENY access to "apply group policy".

260370 How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?id=260370

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
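
An added example, not part of the original thread: a small audit check for the security filtering suggested above, confirming from a GPO's security descriptor that a Deny on "Apply Group Policy" really excludes one group while everyone else still receives the lockdown. It assumes the descriptor has been exported as an SDDL string with two-letter rights codes; the sample descriptors and function names are constructed for illustration, and the Read permission and inherit-only flags are not evaluated.

```python
import re

# Schema GUID of the "Apply Group Policy" extended right in Active Directory.
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
ACE_RE = re.compile(r"\(([^()]*)\)")

def apply_aces(sddl):
    """Yield (kind, trustee) for every ACE that covers Apply Group Policy."""
    for body in ACE_RE.findall(sddl):
        ace_type, _flags, rights, obj, _inherit, trustee = body.split(";")[:6]
        if ace_type not in ("A", "D", "OA", "OD"):
            continue  # skip audit ACEs and other types
        # Split rights into two-letter codes. A substring test would be wrong:
        # "LCRPLORC" (plain read access) contains the letters "CR" across codes.
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        # CR = control access (extended right). An empty object GUID means
        # all extended rights; GA (generic all) includes them as well.
        if ("CR" in codes and obj.lower() in ("", APPLY_GPO)) or "GA" in codes:
            yield ("deny" if ace_type.endswith("D") else "allow", trustee)

def gpo_applies(sddl, token):
    """True if a token holding these trustees has the GPO applied.

    A matching deny ACE wins over any allow ACE, which is the result
    of evaluating a canonically ordered DACL.
    """
    verdicts = {kind for kind, trustee in apply_aces(sddl) if trustee in token}
    return "allow" in verdicts and "deny" not in verdicts

# Constructed sample: default-style GPO ACL (Authenticated Users may read and
# apply, Domain Admins may edit) without and with the Deny ACE for Domain Admins.
UNFILTERED = ("O:DAG:DAD:PAI"
              f"(OA;CI;CR;{APPLY_GPO};;AU)"
              "(A;CI;LCRPLORC;;;AU)"
              "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)")
FILTERED = UNFILTERED.replace("PAI(", f"PAI(OD;CI;CR;{APPLY_GPO};;DA)(", 1)

# Trustees as SDDL aliases: DA = Domain Admins, DU = Domain Users,
# AU = Authenticated Users.
ADMIN_TOKEN = {"DA", "DU", "AU"}
USER_TOKEN = {"DU", "AU"}

if __name__ == "__main__":
    for name, sddl in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        print(name, "admin:", gpo_applies(sddl, ADMIN_TOKEN),
              "user:", gpo_applies(sddl, USER_TOKEN))
```

Because the deny is matched against group membership, any account that is also a member of the denied group skips the lockdown GPO, so that group's membership should be reviewed along with the ACL.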
 