Discussion:
Configuring a Group Policy for Terminal Users
bernardl
2005-10-23 18:02:02 UTC
I have a single Win2k server running Terminal Services and it also supports a
small LAN. Is there a way to configure a GP so that just the TS users cannot
see the local drives when they login?

I'd like for this GP to only be effective for the remote users.
Vera Noest [MVP]
2005-10-23 21:30:40 UTC
Yes, this is done by using the "loopback processing" option in the
GPO, with the "Replace" option.

Put the TS machine account (and *not* the user accounts) in a
separate OU, link the restrictive GPO to that OU and configure
loopback processing. Also make sure that you deny administrators
the right to "Apply this policy", otherwise you are locking down
yourself as well.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

315675 - HOW TO: Keep Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows 2000
http://support.microsoft.com/?kbid=315675

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
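The procedure above (computer account in its own OU, GPO linked there, loopback in Replace mode, administrators denied "Apply Group Policy") is done by hand in ADUC and the policy editor on Windows 2000. As an added example that is not part of this thread, here is the same setup scripted with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT, Windows Server 2008 R2 or later). The OU name TerminalServers, GPO name TS Lockdown, computer name TS01 and the exempt group Domain Admins are assumptions, and it assumes the terminal server is a member server rather than a domain controller (which, as the thread later establishes, is not the poster's situation).

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT). Assumed names: OU "TerminalServers", GPO
# "TS Lockdown", terminal server "TS01", exempt group "Domain Admins".
# Run as a domain administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'TerminalServers'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'TS Lockdown'
$tsName   = 'TS01'
$exempt   = 'Domain Admins'

# 1. A separate OU holding the terminal server's COMPUTER account only.
#    User accounts stay where they are: a user GPO linked to their OU would
#    hide drives on every machine they log on to, not just the terminal server.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
Move-ADObject -Identity (Get-ADComputer $tsName).DistinguishedName -TargetPath $ouDn

# 2. Create the restrictive GPO and link it to that OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User lockdown for Terminal Services sessions'
}
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. Loopback processing in Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
#    Replace means a user logging on to TS01 receives only the user settings
#    of GPOs linked to the computer's OU; GPOs on the user's own OU are ignored.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 4. The user setting itself: hide all drive letters in Explorer (NoDrives)
#    and block browsing to them through Explorer and common dialogs
#    (NoViewOnDrive). Bitmask 0x3FFFFFF covers A: through Z:.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoDrives'      -Type DWord -Value 0x3FFFFFF
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoViewOnDrive' -Type DWord -Value 0x3FFFFFF

# 5. Exempt administrators with an explicit Deny on "Apply Group Policy".
#    Set-GPPermission can only add Allow entries or remove entries, and
#    removing Domain Admins changes nothing because they still match
#    Authenticated Users. So the Deny ACE is written directly onto the
#    GPO's AD object. The GUID is the Apply-Group-Policy extended right.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl   = Get-Acl -Path "AD:\$gpoDn"
$sid   = (Get-ADGroup $exempt).SID
$ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 6. Verify the Deny landed before trusting it. Then, on TS01, run
#    "gpupdate /force" and "gpresult /r /scope:user": a normal user's session
#    should list TS Lockdown under Applied GPOs, an administrator's session
#    should list it as "Filtering: Denied (Security)".
(Get-Acl -Path "AD:\$gpoDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight } |
    Select-Object IdentityReference, AccessControlType
```

Two things to know about step 5: it writes the Deny only on the GPO's AD container, which is the ACL the Group Policy client evaluates, so GPMC may later report that the SYSVOL folder permissions are out of sync and offer to repair them; and a Deny on "Apply Group Policy" is deliberately chosen over removing Authenticated Users and filtering to a group, because the thread's requirement is that every non-admin who reaches the terminal server is locked down, not only members of a list you maintain by hand.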
bernardl
2005-10-24 00:09:03 UTC
Thanks for the info. My remote users work from home and various places,
therefore I do not know their TS machine accounts. Since these users work
remotely only, is there any harm in placing their user accounts in the
separate OU?
Vera Noest [MVP]
2005-10-24 14:54:37 UTC
You should *NOT* put the user accounts in the OU, but the computer
account of the Terminal Server itself! That's what I meant with
the TS machine account.

bernardl
2005-10-25 00:40:02 UTC
Ok. What are the ramifications of placing user accounts in the OU? (Just for
my curiosity)
Vera Noest [MVP]
2005-10-25 10:02:58 UTC
That the GPO applies to the users wherever they log on, even on
their own workstation.

So if you hide the local drives on the TS, you also hide the local
drives on their clients.

Your users are *not* going to like this, I promise you :-)

bernardl
2005-10-28 03:06:02 UTC
I cannot locate the computer account for the TS machine! When I go to the AD
for Users and Computers the only object I find for the computer is that of
the DC, which makes sense because this is a single server network. The only
option I have is to Move the object to the OU and of course I wouldn't want
to do that. What am I doing wrong? Please advise.
Vera Noest [MVP]
2005-10-28 12:00:04 UTC
I'm sorry, my fault. I missed the fact that you are running TS on
your DC.
Then there's nothing that you can do.
Use NTFS permissions to secure your server as best you can, but
this is inherently an *unsafe* setup.

TP
2005-10-31 15:50:09 UTC
If your remote users ONLY log on from remote PCs that are
not a member of your domain, then place their accounts in
a separate OU. This will allow you to create a restrictive
GP object that will only apply to them. DO NOT move
your DC to this OU, it is only for your remote user accounts.

You should make the NTFS permissions on your DC more
restrictive than default as well. Be careful with this because
if you change the permissions incorrectly you could cause
things to stop functioning.

Strongly consider preventing access to IE, email programs,
Instant Messaging, Video playback, etc.

Thanks.

-TP