Guest Jarryd Posted August 1, 2008 Posted August 1, 2008 Hi, I have a TS that is also the Print Server for our network. I don't want TS users to be able to change the printers' settings. I would be even cooler to be able to define which printers they can see, but that isn't really an issue. More bothered about them fiddling around in there configuring defaults to undesirable settings. Any clues? TIA, Jarryd
Guest Lanwench [MVP - Exchange] Posted August 1, 2008 Posted August 1, 2008 Re: TS Srv is also print server. How do you restrict acces / permissions Jarryd <jarryd@community.nospam> wrote: > Hi, > > I have a TS that is also the Print Server for our network. I don't > want TS users to be able to change the printers' settings. I would > be even cooler to be able to define which printers they can see, but > that isn't really an issue. More bothered about them fiddling around > in there configuring defaults to undesirable settings. > > Any clues? > > TIA, > > Jarryd I strongly recoommend that you move print services elsewhere on your network. A terminal server should really be nothing more than a big fat shared workstation, with no other roles on your network. That said, you can (and definitely should!) lock down your terminal services. Users should have no admin rights on the box, and there's a lot more you can do to restrict what they can do. See KB 278295 for some good lockdown suggestions. The following is cribbed shamelessly from Patrick Rouse ------------------------------------------- Best Practice for applying Settings to Users only when they log on to Terminal Servers would be to: 1. Create an OU to contain a set of Terminal Servers 2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting your Terminal Servers. 3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU. 4. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add the Terminal Servers from this OU to this group. 5. Create a GPO called “TS Machine Policy” linked to the OU 6. Check “Disable User Configuration settings” on the GPO 7. Enable Loopback Policy Processing in the GPO 8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the Terminal Servers 9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”. 10. Check “Disable Computer Configuration settings” on these GPO 11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny Apply Policy is enabled for user to which the policy should not apply. With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User Configuration portion of the GPO is processed) for the target user population.
Guest Jeff Pitsch Posted August 1, 2008 Posted August 1, 2008 Re: TS Srv is also print server. How do you restrict acces / permissions If you restrict there access they can't map the printers. If you leave them there then the users can change settings. Get a print server. Problem solved Jeff Pitsch Microsoft MVP - Terminal Services "Jarryd" <jarryd@community.nospam> wrote in message news:OlaP7a%238IHA.1196@TK2MSFTNGP05.phx.gbl... > Hi, > > I have a TS that is also the Print Server for our network. I don't want > TS users to be able to change the printers' settings. I would be even > cooler to be able to define which printers they can see, but that isn't > really an issue. More bothered about them fiddling around in there > configuring defaults to undesirable settings. > > Any clues? > > TIA, > > Jarryd >
Recommended Posts