Terminal Server Laptop Lockdown

[Guest WilliamS]

I am trying to lock down specific users (laptops) on TS 2003.

1. I am using GPM to do this, here is the setup:

2. Created an OU called School Laptops

3. Created and linked two GPO's withing the OU called LaptopLoopback and

LaptopSecurity

4. In LaptopLoopback set up Computer Configuration/Administrative

Templates/System/Group Policy: enabled loopback processing mode.

5. In LaptopSecurity enabled User Configuration/Administrative

Templates/Control Panel: disabled access to control panel.

6. Added a test user called Buster to Security Filtering for LaptopSecurity.

7. Logged onto Terminal Server as Buster, but I could access the Control

Panel.

8. Added Authenticated Users to the Security Filtering

9. Added Buster directly to the OU in Active Directory.

10. Logged on as Buster and was, appropriately, denied access to the Control

Panel.

 

Comment1: This seems wrong, that I would have to add users directly to the

OU to make this work. My thinking is that I should be able to add a Group to

the Security Filtering Section, to accomplish my goal.

 

Comment2: I did not add the Terminal Server Computer to the OU, as I am

only trying to filter a certain group.

 

Any help would be appreciated.

WilliamS

[Guest Jeff Pitsch]

Re: Terminal Server Laptop Lockdown

 

In our configuration, your only locking down the laptops. if you want to

lock down the users when they are actually on the terminal server, then

create an OU for the terminal server, enable loopback processing, then

create a user gpo at the same OU and filter that by whatever group you want.

This article will explain it:

http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment

 

--

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"WilliamS" <WilliamS@discussions.microsoft.com> wrote in message

news:30F23244-8743-40BB-BBCE-E07048AD67D7@microsoft.com...

>I am trying to lock down specific users (laptops) on TS 2003.

> 1. I am using GPM to do this, here is the setup:

> 2. Created an OU called School Laptops

> 3. Created and linked two GPO's withing the OU called LaptopLoopback and

> LaptopSecurity

> 4. In LaptopLoopback set up Computer Configuration/Administrative

> Templates/System/Group Policy: enabled loopback processing mode.

> 5. In LaptopSecurity enabled User Configuration/Administrative

> Templates/Control Panel: disabled access to control panel.

> 6. Added a test user called Buster to Security Filtering for

> LaptopSecurity.

> 7. Logged onto Terminal Server as Buster, but I could access the Control

> Panel.

> 8. Added Authenticated Users to the Security Filtering

> 9. Added Buster directly to the OU in Active Directory.

> 10. Logged on as Buster and was, appropriately, denied access to the

> Control

> Panel.

>

> Comment1: This seems wrong, that I would have to add users directly to the

> OU to make this work. My thinking is that I should be able to add a Group

> to

> the Security Filtering Section, to accomplish my goal.

>

> Comment2: I did not add the Terminal Server Computer to the OU, as I am

> only trying to filter a certain group.

>

> Any help would be appreciated.

> WilliamS

>