Discussion: What effects does putting a DC in a new OU have on the domain?
dunjindude
2005-06-23 16:41:04 UTC
Vera (or anybody else who would like to reply),

I am fairly new to TS, GPO and OU. I have a W2k server set up with TS and
also have a few XP Professional systems that will be using RDP to connect to
the W2k server. I have done some reading here in the group and also looked
up referenced articles. My goal is to make changes to the GPO to secure the
TS sessions that are created and thus the end user does not see certain
things on the server.

What I could use some information on is the OU. I see how to create an OU
but the W2k server that TS is installed on is also a DC in the domain. Can I
still create a TS OU, move the TS server into that OU or will that have an
adverse effect on the domain?

The TS server has multiple functions in the network as we only have a couple
of servers to begin with (print server, some file serving, TS etc.) so I
don’t want to make a change that will cause problems with the server’s other
duties.

Thanks for the assistance and any additional information on OUs that can be
offered up, have a great day!

Dean
Vera Noest [MVP]
2005-06-25 14:04:54 UTC
Personally, I would never do this, and until recently I believed
that it would break things like replication. But a couple of months
ago someone else asked the same question, and it turned out that it
is actually possible.

But I don't think that there is much to gain by this.
The whole idea of putting the TS in a separate OU is to be able to
apply a GPO to the TS only, not to the other servers in the domain.
If you have a single server, then there seems to be no point in
moving it.
Combining the DC role with the TS role is *not* recommended, partly
for this reason. You are severely limited in how you can secure
the TS, and you will have all of your users using the DC as their
personal workstation.

I'd rather combine DC + Print or File Server, and make the TS a
dedicated TS. You'll be much happier!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___

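The reply above says moving a DC out of its usual OU is possible but gains little, and the original question is what it does to the domain. The concrete effect worth checking is which GPOs end up applying to the DC at its new location; in particular, the Default Domain Controllers Policy (which carries the user-rights assignments and audit settings for DCs) is linked to the Domain Controllers OU, not to the DC object, so a DC sitting elsewhere only receives it if that policy is linked there too. The following PowerShell report is an added example, not code from the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules on a Windows Server 2008 R2 or newer management host, which postdate the W2k setup being discussed.

```powershell
# Added example: report where each DC's computer object lives and which GPOs
# are linked at that location. Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DcPlacementReport {
    $domain = Get-ADDomain
    $dcOu   = $domain.DomainControllersContainer   # the built-in "Domain Controllers" OU

    foreach ($dc in Get-ADDomainController -Filter *) {
        # Parent container = the DN with the leading "CN=<name>," removed.
        $parent = ($dc.ComputerObjectDN -split ',', 2)[1]

        # GPOs linked directly at the container where this DC actually sits.
        $links = (Get-GPInheritance -Target $parent).GpoLinks |
                 Select-Object -ExpandProperty DisplayName

        [pscustomobject]@{
            HostName                = $dc.HostName
            ParentContainer         = $parent
            InDomainControllersOu   = ($parent -eq $dcOu)
            DefaultDcPolicyLinked   = ($links -contains 'Default Domain Controllers Policy')
            LinkedGpos              = ($links -join '; ')
        }
    }
}

# Any row with InDomainControllersOu = False and DefaultDcPolicyLinked = False
# is a DC that has silently lost the DC-specific policy settings.
Get-DcPlacementReport | Format-Table -AutoSize
```

Run it once before and once after any move so the difference in LinkedGpos is visible; the parent-DN split assumes computer names without escaped commas, which holds for ordinary hostnames.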
dunjindude
2005-06-28 13:04:11 UTC
So for a follow up question then Vera,

I don't see that I will be able to dedicate a server for TS at this point in
time. Just not enough people will be using it and we have limited resources.

I will have three different systems that will be able to use RDP or the TS
Client to access the TS and there will only be one program that is used via
TS. If I am not able to use an OU with a separate GPO to help lock down the
server, what would you suggest be the next course of action to try and secure
the system at least a little (and if possible, take away the ability of the
clients to see the server drives or at least make it more difficult for them
to see the drives)?

Thanks again Vera!
Vera Noest [MVP]
2005-06-28 19:52:14 UTC
You will have to use NTFS permissions on the file system to keep
your users away from the system files.
If they will only run a single application, configure this app as
the starting application. That way, users will never see the
desktop of the server. But note that this in itself is *not* enough
to secure your server. If the application has a function to save
files, users will still see the server's file system in the Save
As... dialog box of the application.
You could also experiment with the "hide drives in my computer"
setting in a GPO, but make sure that any such restrictive GPO does
*not* apply to Administrators. Otherwise there's a considerable
risk of shutting yourself out.

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

I'm sorry, but I have no more detailed advice to give, since I've
never done this. Just be very careful before applying any
restrictions, and make sure that you have a recent image of the
server, in case anything goes wrong.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___

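The lockdown the reply sketches (a restrictive GPO on the TS, the "hide drives in My Computer" setting, and making sure the GPO never applies to Administrators so you cannot lock yourself out) can be built and checked from a script. What follows is an added example, not code from the thread or from Microsoft; it uses the GroupPolicy RSAT module (Windows Server 2008 R2 or newer), and the GPO name, OU distinguished name and the TS-Users group are placeholders for this example. It assumes the TS computer object sits in that OU, which is the scenario the thread discusses, and it enables loopback processing so the user-side drive settings apply to whoever logs on to the TS. The drive settings are only cosmetic; as the reply says, NTFS permissions still do the real work.

```powershell
# Added example: build a "TS lockdown" GPO with security filtering that
# excludes administrators, then verify the exclusion before relying on it.
Import-Module GroupPolicy

$GpoName  = 'TS Lockdown'                               # assumed GPO name
$TargetOu = 'OU=Terminal Servers,DC=example,DC=com'     # assumed OU holding the TS computer object
$TsUsers  = 'TS-Users'                                  # assumed group of users who should be restricted

# NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
function Get-NoDrivesMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $mask = $mask -bor (1 -shl ([int][char]$l.ToUpper() - [int][char]'A'))
    }
    return $mask
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Loopback processing (1 = merge, 2 = replace) so the user settings in this GPO
# apply to sessions on the TS regardless of where the user objects live.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Hide C: and D: in My Computer and block browsing them via Explorer/common dialogs.
# Neither setting is a security boundary; NTFS permissions are.
$mask = Get-NoDrivesMask -Letters 'C','D'    # 4 + 8 = 12
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoDrives'      -Type DWord -Value $mask | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null

# Security filtering: only $TsUsers receives "Apply Group Policy". Authenticated
# Users is downgraded to Read (not removed) so the computer can still read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TsUsers -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# The lock-out check from the reply: no administrative group may hold Apply.
function Test-GpoAppliesToAdmins {
    param([string]$Name)
    $adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and ($adminGroups -contains $_.Trustee.Name) }
}

$bad = Test-GpoAppliesToAdmins -Name $GpoName
if ($bad) {
    Write-Warning "GPO '$GpoName' would apply to: $(($bad | ForEach-Object { $_.Trustee.Name }) -join ', ')"
} else {
    Write-Host "GPO '$GpoName' does not apply to administrative groups."
}
```

The check only looks at direct trustees on the GPO: an administrator who is also a member of TS-Users still receives the policy through that membership, so keep admin accounts out of the restricted group, and take the server image the reply recommends before the first logon under the new policy.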