Configuring profiles
j***@womenshealthspecialists.org
2006-05-30 20:38:50 UTC
Hello, I am in the process of installing a new Win2K3 network, with one
server for active directory, and one server for applications. One
application will be run under terminal services. I am thinking that a
good setup would be to create a terminal services OU for the 7 users.
Then I can apply policies to the OU. The clients would log onto the
domain, and then invoke a term. services session; thereby preventing
any conflict with their domain profile and a term. services profile.
Does anyone have any feedback for me on this scenario? Thanks, Jude
Vera Noest [MVP]
2006-05-31 12:52:47 UTC
Yes, you need a separate OU.
Be sure to put the TS server object in the OU, *not* the user
accounts. And use loopback processing of the GPO.

More details here:
http://ts.veranoest.net/
Choose "Group Policies" in the menu
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Rob S
2006-05-31 13:01:14 UTC
On 30 May 2006 13:38:50 -0700, "***@womenshealthspecialists.org"
<***@womenshealthspecialists.org> wrote:

-Hello, I am in the process of installing a new Win2K3 network, with one
-server for active directory, and one server for applications. One
-application will be run under terminal services. I am thinking that a
-good setup would be to create a terminal services OU for the 7 users.
-Then I can apply policies to the OU. The clients would log onto the
-domain, and then invoke a term. services session; thereby preventing
-any conflict with their domain profile and a term. services profile.
-Does anyone have any feedback for me on this scenario? Thanks, Jude


We do something similar. Points to note:

Use different user names for the users' "windows" id and their terminal services
one, so the windows ones don't get affected by the policies on the OU.

If you put a policy on the OU, and then put the users in it, only the User
configuration is acted upon, the Computer Config is ignored.

This may help
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

regards
-Rob
robatwork at mail dot com
Vera Noest [MVP]
2006-05-31 13:11:01 UTC
You can avoid creating multiple user accounts, when you use
loopback processing of the GPO, and link the GPO to the OU which
contains the Terminal Server machine accounts, *not* the user
accounts.
Loopback processing is especially created for this situation.

260370 - How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
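The loopback setup described in this thread, sketched as an added example (not code posted by any participant). It assumes the ActiveDirectory and GroupPolicy PowerShell modules from later Windows Server releases, which postdate the Win2K3 servers discussed; the domain, OU, server and GPO names are placeholders, and Replace mode is one choice of the two loopback modes.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=example,DC=local'     # assumed domain
$OuName   = 'Terminal Servers'        # assumed OU name
$TsServer = 'TS01'                    # assumed Terminal Server computer account
$GpoName  = 'TS Session Lockdown'     # assumed GPO name
$OuDN     = "OU=$OuName,$DomainDN"
$PolKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Create the OU for the Terminal Server machine account if it is missing.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. Move the server object into the OU. User accounts stay where they are.
Get-ADComputer -Identity $TsServer | Move-ADObject -TargetPath $OuDN

# 3. Create the GPO and enable loopback processing in it.
#    UserPolicyMode: 1 = Merge, 2 = Replace. Replace is an assumption here.
New-GPO -Name $GpoName | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Link the GPO to the OU that holds the server, not to a user OU.
New-GPLink -Name $GpoName -Target $OuDN | Out-Null

# 5. Verify: loopback is set, the server is in the OU, no user accounts are.
$mode    = (Get-GPRegistryValue -Name $GpoName -Key $PolKey `
              -ValueName 'UserPolicyMode').Value
$servers = @(Get-ADComputer -Filter * -SearchBase $OuDN)
$users   = @(Get-ADUser -Filter * -SearchBase $OuDN)

[pscustomobject]@{
    LoopbackMode  = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not set' } }
    ServersInOU   = $servers.Name -join ', '
    UserAccountsInOU = $users.Count   # expected 0: users are not moved
}
```

With this layout the User Configuration settings in the GPO apply to anyone who logs on to the server in that OU, and the same account is unaffected when it logs on to a workstation outside it.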