Guest Hugh O'Donnell
Posted July 18, 2007

I have:

1. Set up a server for Remote Desktop access.
2. Created a Security Group (acct_users) and only allow them to access this TS.
3. Created OU for server (term_server) and linked GPO with loopback on it.
4. Set default application for TS via the GPO.
5. Set Domain Admin's "Apply this Policy" to Denied in the GPO.

My problem is,

1. When a Domain Admin TS's into this machine, they still run the default app. (I'm sure this is because the loopback doesn't look at what user is being run... but how do I implement this?)
2. Users can still jack around with the local drives from the application's "Save As" dialog. Is there a way to keep them out of the local C & D drive and still have the application run properly?

Can someone tell me the best way to implement this? I was thinking maybe just a normal GPO that is applied only on the term_server machine by the certain users. Will this work?

I want to make clear that these users also have access to their own machines, which is completely acceptable. In other words, Joe Blow should be able to still have his current rights on his own machine, but when remoted into the term_server, I want to: limit where they can go, force them to run a single app, etc.

Thank You,

Hugh
Guest Vera Noest [MVP]
Posted July 18, 2007

Re: TS, GPO, different users

The policy setting "Start a program on connection" exists in both the Computer Configuration and the User Configuration node of the GPO. It sounds as if you have enabled it in the Computer Configuration, which means that it is applied to all users. If you instead configure the setting in the User Configuration node, then the security filtering should ensure that your Domain Admins don't apply the (user part of the) GPO and thus don't run the application.

You can further lock down your TS with the policy setting:
User Configuration - Administrative templates - Windows components - Windows Explorer
"Hide these specified drives in My Computer"

and don't forget NTFS permissions on the file system (because the "hide drives" setting is just cosmetic, it is trivial to get to those drives anyway, despite the GPO setting).

More lock down settings can be found here:

278295 - How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session
http://support.microsoft.com/?kbid=278295

Windows Server 2003 Terminal Server Security White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-9E4D-4007-8EAF-C30623E71250&displaylang=en

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Hugh O'Donnell" <none@nowhere.com> wrote on 18 jul 2007 in microsoft.public.windows.terminal_services:
Guest Hugh O'Donnell
Posted July 18, 2007

Running Program for Certain Users

I moved the "Start a program on connection" from the Computer config to the User config, but now the user does not run that program.

I ran the GP Modeling Wizard, and it shows the setting for that user on the Terminal Server.

Here is the info I have in the Group Policy:
-=-=-=-
Terminal Servers Loopback Policy
Data collected on: 7/18/2007 4:39:56 PM

General
  Details
    Domain: MyDomain.local
    Owner: MyDomain\Domain Admins
    Created: 7/2/2007 4:37:26 PM
    Modified: 7/18/2007 4:37:32 PM
    User Revisions: 3 (AD), 3 (sysvol)
    Computer Revisions: 9 (AD), 9 (sysvol)
    GPO Status: Enabled

  Links
    Location: Terminal Servers
    Enforced: Yes
    Link Status: Enabled
    Path: MyDomain.local/MyBusiness/Terminal Servers
    This list only includes links in the domain of the GPO.

  Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    Name: MyDomain\Accounting Users

  WMI Filtering
    WMI Filter Name: None
    Description: Not applicable

  Delegation
    These groups and users have the specified permission for this GPO
    Name / Allowed Permissions / Inherited
    MyDomain\Accounting Users / Read (from Security Filtering) / No
    MyDomain\Domain Admins / Custom / No
    MyDomain\Enterprise Admins / Custom / No
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS / Read / No
    NT AUTHORITY\SYSTEM / Edit settings, delete, modify security / No

Computer Configuration (Enabled)
  No settings defined.

User Configuration (Enabled)
  Administrative Templates
    System/Ctrl+Alt+Del Options
      Policy: Remove Task Manager
      Setting: Enabled

    Windows Components/Terminal Services
      Policy: Start a program on connection
      Setting: Enabled
      Program path and file name: "D:\Program Files\Viewpoint\VPClientMenu.exe" Viewpoint
      Working Directory: D:\Program Files\Viewpoint

    Windows Components/Windows Explorer
      Policy: Hide these specified drives in My Computer
      Setting: Enabled
      Pick one of the following combinations: Restrict all drives
Guest Vera Noest [MVP]
Posted July 18, 2007

Re: Running Program for Certain Users

According to:

> Computer Configuration (Enabled)
> No settings defined.

loopback processing isn't configured, which explains why the users don't start the application on logon.

That's done in:
Computer Configuration - Administrative Templates - System - Group Policy
"User Group Policy loopback processing mode" - "Replace"

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Hugh O'Donnell" <no_spam_for_me@nowhere.com> wrote on 19 jul 2007 in microsoft.public.windows.terminal_services:
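The two answers above hinge on three things: loopback must be set on the machine side, "Start a program on connection" must land in the user's policy, and hiding drives is cosmetic unless NTFS permissions back it up. The script below is an added verification aid (not from the thread or from Microsoft) to run in a locked-down user's session on the Terminal Server after logon; it reads the registry values those GPO settings write and checks the drive-root ACLs. The group name comes from the thread; the drive list is an assumption.

```powershell
# Added check script. Run inside the restricted user's TS session so that HKCU
# reflects the policy that actually applied to that user (gpresult /v shows the same).
$Group  = 'MyDomain\Accounting Users'   # group used in the thread's GPO filtering
$Drives = 'C:\', 'D:\'                  # assumed: the local drives the poster wants blocked

function Test-PolicyValue($Path, $Name, $Expected, $Label) {
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($null -ne $actual) -and ($actual -eq $Expected)
    '{0,-4} {1} (found: {2})' -f $(if ($ok) {'PASS'} else {'FAIL'}), $Label, $actual
}

# 1. Loopback is a Computer Configuration setting: UserPolicyMode 2 = Replace, 1 = Merge.
Test-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode' 2 `
    'User Group Policy loopback processing mode = Replace'

# 2. "Start a program on connection" from the User Configuration node writes InitialProgram
#    under the user's Terminal Services policy key; any value means the setting reached the user.
$ts   = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$prog = (Get-ItemProperty -Path $ts -Name InitialProgram -ErrorAction SilentlyContinue).InitialProgram
'{0,-4} Start a program on connection (InitialProgram = {1})' -f $(if ($prog) {'PASS'} else {'FAIL'}), $prog

# 3. "Hide these specified drives" / "Restrict all drives" sets all 26 drive bits in NoDrives.
Test-PolicyValue 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    'NoDrives' 0x03FFFFFF 'Hide these specified drives = Restrict all drives'

# 4. Hiding is cosmetic: a Save As dialog can still type C:\. Confirm the group (or the broad
#    groups it belongs to) has no Allow ACE that grants write rights on each drive root.
foreach ($d in $Drives) {
    $broad = @($Group, 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $write = (Get-Acl -Path $d).Access | Where-Object {
        ($broad -contains $_.IdentityReference.Value) -and
        ($_.AccessControlType -eq 'Allow') -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData')
    }
    '{0,-4} NTFS: no write ACE for {1} on {2}' -f $(if ($write) {'FAIL'} else {'PASS'}), $Group, $d
}
```

A FAIL on check 1 with a PASS on check 2 reproduces the thread's symptom exactly: the user setting is in the GPO, but without loopback the server's OU-linked GPO never applies its user half to an account from another OU.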
Guest Hugh O'Donnell
Posted July 19, 2007

Re: Running Program for Certain Users

I should have mentioned that I tried having the loopback processing on and off... with the same results. Each time I changed it, I did a "gpupdate /force" on the terminal server and then logged off and back on.

What else could be keeping this from happening?

"Vera Noest [MVP]" wrote:

> According to:
>> Computer Configuration (Enabled)
>> No settings defined.
> loopback processing isn't configured, which explains why the users
> don't start the application on logon.
>
> That's done in:
> Computer Configuration - Administrative Templates - System - Group Policy
> "User Group Policy loopback processing mode" - "Replace"
Guest Vera Noest [MVP]
Posted July 19, 2007

Re: Running Program for Certain Users

Have you verified that the GPO is indeed applied and not overwritten? Use Resultant Set of Policies to test.

And is the Terminal Server machine account on the Applies to list of the GPO, since you've removed the Authenticated Users group? (if I recall correctly, I don't see old posts, and the first posts aren't quoted anymore).

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Hugh O'Donnell" <no_spam_for_me@nowhere.com> wrote on 19 jul 2007 in microsoft.public.windows.terminal_services:

> I should have mentioned that I tried having the loopback
> processing on and off... with same results. Each time I changed
> it, I did a "gpupdate /force" on the terminal server and then
> logged off and back on.
>
> What else could be keeping this from happening?