Archived from groups: microsoft.public.win2000.group_policy
Anna,
You are welcome. Glad to be of help.
Running Terminal Services on a Domain Controller is a bad idea. Now, having
said that, I realize that people have been doing it for a long time and that
SBS2000 ( a nice little product in the right 'market' ) allows this.
Please notice that in SBS2003 you actually need to have a second server on
which to run Terminal Services. SBS2003 does not allow you to run Terminal
Services in Application Mode ( yeah, yeah, yeah. I know that it is called
something else in the 2003 version! ).
I have never used a GPO to lock down a Terminal Server when that system was
a Domain Controller. Other than the SBS environments, I have never run
Terminal Services on anything other than a Member Server.
Now, to your questions: can you move the computer object out of the Domain
Controllers OU? Well, yes, you can. Should you do it? Probably not. The
Default Domain Controller Policy will actually follow the computer object.
Well, IIRC. I would not suggest that you play with this, though.
Anna, I would really strongly suggest taking a machine ( any machine that
meets the hardware requirements - and are there any around anymore that
don't? ) and load WIN2000 Server and then Terminal Server and then take a
second machine and install WIN2000 Pro and play. I would simply attach
these two machines to a little hub or switch that are completely
'disconnected' from your production environment ( although you really would
not have to worry too much as they would be completely different forests.
Still, why take a chance? ).
HTH,
Cary
"Anna Colton" <annac@abc.com> wrote in message
news:41787533$0$23017$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
> Hi Cary,
>
> Thanks for your useful input!! I think we have nearly fixed the problem.
> Only one thing needs to be done. Not wanting to touch and play with the real
> terminal server before I understand how the GP stuff works, I tried on a
> workstation machine, and it worked as I expected. Now I think it is time to try
> on the real terminal server. But the problem is this terminal server also
> functions as the AD and DNS. I cannot create an OU and move the server into
> it (can I?). What should I do? I guess it should be the domain controller to
> which I link my GPO. Please give some more detailed instructions?
>
> Another question is, when I add my Security Group to replace the
> Authenticated Users, I found that the group must be "Global". "Domain local"
> group just doesn't work. This really confuses me. To me it looks like the
> same, because I have only one domain in our network. A domain local group
> should be the same as a global group in an only-one-domain environment.
>
> Thanks once again. You guys are really great!!
>
> Anna
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:OBEDENgtEHA.1216@TK2MSFTNGP10.phx.gbl...
> > Anna,
> >
> > Not true. Well, er, by default, yes. That is true. However, what you do
> > is to remove the Authenticated Users from the Security tab of the GPO and
> > replace it with the Security Group of your choice ( possibly create one
> > specifically for this situation if one does not already exist ). Just make
> > sure to give this group both the READ and APPLY GROUP POLICY.
> >
> > Does this help you? If you need I have the MSKB Articles that explain this
> > process. The one showing you what settings to configure is a good starting
> > guide but you might want to play with it. There will be modifications
> > needed! I would also suggest that you lock down the file system per Patrick
> > Rouse's suggestions ( he is very active in the Terminal Server news groups ).
> >
> > HTH,
> >
> > Cary
> >
> > "Anna Colton" <annac@abc.com> wrote in message
> > news:41753d37$0$6162$5a62ac22@per-qv1-newsreader-01.iinet.net.au...
> >> If I do this, then everyone, including system admin, will be locked down.
> >> Is this true? We don't want to lock down system admin.
> >>
> >> "JSilva" <JSilva@discussions.microsoft.com> wrote in message
> >> news:CF1D7EB-B280-4F57-AFC4-522BFBA53E8F@microsoft.com...
> >> > You will need to put your terminal servers in an OU. Then set your policy
> >> > on that OU. Make sure you are using loopback processing mode with the
> >> > replace option.
> >> >
> >> > "Anna Colton" wrote:
> >> >
> >> >> Hi there,
> >> >>
> >> >> We have a 2k3 terminal server and some workstations. Users log on to the
> >> >> terminal server through their workstations. Because the server also
> >> >> functions as DC and file server, we want to lock the normal users down to
> >> >> allow them to use a specific software application only. We achieved this
> >> >> by linking a GPO to the OU where the users are placed. This works fine
> >> >> except one problem, that is, when the users log on to their workstations,
> >> >> they are also locked down, because the workstations are added to the domain.
> >> >> This is not what we want. We want the users to have full control to their
> >> >> workstations.
> >> >>
> >> >> Can anyone tell me how to achieve this?
> >> >>
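The procedure the thread converges on (terminal servers in their own OU, a GPO linked there with loopback processing in Replace mode, Authenticated Users replaced in the GPO's security filtering by a dedicated global group holding Read and Apply Group Policy), written out as an added example using the modern GroupPolicy and ActiveDirectory PowerShell modules rather than the Win2000/2003-era tools the posters used; it is not code from anyone in the thread. The domain, OU path, GPO name and group name are assumptions.

```powershell
# Added example (not from anyone in the thread): the lockdown the thread arrives at,
# built with the GroupPolicy and ActiveDirectory modules (Server 2008 R2 and later)
# instead of the Win2000/2003-era GUI. All names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn  = 'DC=example,DC=com'                   # placeholder domain
$OuPath    = "OU=Terminal Servers,$DomainDn"       # assumed OU for the terminal servers
$GpoName   = 'TS Lockdown'                         # assumed GPO name
$GroupName = 'TS-Restricted-Users'                 # assumed group; GLOBAL scope, as Anna found

# 1. A dedicated OU: the policy is linked here, so DCs and workstations never receive it.
try   { Get-ADOrganizationalUnit -Identity $OuPath -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $DomainDn }
# Move the terminal server(s) in; a DC stays in the Domain Controllers OU, per Cary's advice.
# Move-ADObject -Identity "CN=TS01,CN=Computers,$DomainDn" -TargetPath $OuPath   # assumed name

# 2. A global security group holding only the users to be restricted (admins are left out,
#    which is how the "everyone including admins gets locked down" problem is avoided).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDn"
}

# 3. The GPO itself, with loopback processing in Replace mode, so the user settings in
#    THIS GPO replace the user's own OU policies when they log on to a machine in $OuPath.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null     # 2 = Replace, 1 = Merge

# 4. Security filtering: drop Authenticated Users, grant the group Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null               # GpoApply includes Read
# Since MS16-072 (KB3163622) the computer account fetches user-side settings, so the
# terminal servers still need Read (not Apply) or loopback silently stops working.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 5. Link the GPO to the terminal server OU, then show the resulting ACL for review.
$linked = (Get-GPInheritance -Target $OuPath).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes | Out-Null }
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

After a `gpupdate /force` on the terminal server, `gpresult /r` for a test user in the group should list the GPO under the user's applied policies only when logged on to the terminal server, not on a workstation.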