Running TS on DC

[Guest Guest]

We have a DC that is running terminal services on it. It has to be this way

as the client cant afford two machines to split the roll. we have

implemented loop back policy (ts-computer) and user policy (ts-user) in

group policy management to lock the users down with great effect.

 

we have made changes to the secpol.msc "allow login through terminal

services" to enable user account to login to the Dc/terminal server.

 

Everything works well on this server when logging in as a user (ms office,

accounting software, lob app, printing etc) except for IE 7.x which refuses

to run javascript (bank site pop up windows for example) when logged in as

administrator, there are no issues with IE 7.

 

we have disaabled the custom gpo's so that they dont interfere with the

default user rights and this has no effect. we also created a new OU (under

the domain OU) and this also had no effect.

 

we have spent ages modifying gpo settings for IE (lowering all the security

settings. basically enable to everything to the point where IE says its not

safe...) and it makes no difference.

 

is the issue likly to be the propogation of the DC gpo to our cutom gpo's/OU

?

 

whats the best way to approach running ts on a single server for a whole

office and still be able to lock the users down so they dont vandalise the

system with out the expence of a second server to be the DC.

 

charles.

[Guest Jeff]

RE: Running TS on DC

 

Just an idea, but create a GPO that will apply to the server:

 

User Configuration - Windows Settings - Internet Explorer Maintenance -

Security - Security Zones and Content Ratings

 

You can make adjustments to what is allowed for Internet Zones on Custom

Levels for what is allowed and what is not, it will also allow you to add

entries to Trusted Zones, etc. Look through all of those settings and you

can force the same settings to all that logs into it. I had to add our banks

cash management web app to this GPO to apply to all users logged in and it

works great.

 

Must make sure Internet Explorer Enhanced Security Configuration is

uninstalled or the settings will not be applied.

 

 

"mouse" wrote:

> We have a DC that is running terminal services on it. It has to be this way

> as the client cant afford two machines to split the roll. we have

> implemented loop back policy (ts-computer) and user policy (ts-user) in

> group policy management to lock the users down with great effect.

>

> we have made changes to the secpol.msc "allow login through terminal

> services" to enable user account to login to the Dc/terminal server.

>

> Everything works well on this server when logging in as a user (ms office,

> accounting software, lob app, printing etc) except for IE 7.x which refuses

> to run javascript (bank site pop up windows for example) when logged in as

> administrator, there are no issues with IE 7.

>

> we have disaabled the custom gpo's so that they dont interfere with the

> default user rights and this has no effect. we also created a new OU (under

> the domain OU) and this also had no effect.

>

> we have spent ages modifying gpo settings for IE (lowering all the security

> settings. basically enable to everything to the point where IE says its not

> safe...) and it makes no difference.

>

> is the issue likly to be the propogation of the DC gpo to our cutom gpo's/OU

> ?

>

> whats the best way to approach running ts on a single server for a whole

> office and still be able to lock the users down so they dont vandalise the

> system with out the expence of a second server to be the DC.

>

> charles.

>

>

>

>

>

>

>

[Guest Vera Noest [MVP]]

RE: Running TS on DC

 

Have you searched the KB?

This article is just the latest I remembered seeing, there might be

more:

 

941001 - The "Intranet Sites: Include all local (intranet) sites

not listed in other zones" policy setting does not function as

expected in Internet Explorer 7

http://support.microsoft.com/?kbid=941001

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?SmVmZg==?= <Jeff@discussions.microsoft.com> wrote on 12

feb 2008 in microsoft.public.windows.terminal_services:

> Just an idea, but create a GPO that will apply to the server:

>

> User Configuration - Windows Settings - Internet Explorer

> Maintenance - Security - Security Zones and Content Ratings

>

> You can make adjustments to what is allowed for Internet Zones

> on Custom Levels for what is allowed and what is not, it will

> also allow you to add entries to Trusted Zones, etc. Look

> through all of those settings and you can force the same

> settings to all that logs into it. I had to add our banks cash

> management web app to this GPO to apply to all users logged in

> and it works great.

>

> Must make sure Internet Explorer Enhanced Security Configuration

> is uninstalled or the settings will not be applied.

>

>

> "mouse" wrote:

>

>> We have a DC that is running terminal services on it. It has to

>> be this way as the client cant afford two machines to split the

>> roll. we have implemented loop back policy (ts-computer) and

>> user policy (ts-user) in group policy management to lock the

>> users down with great effect.

>>

>> we have made changes to the secpol.msc "allow login through

>> terminal services" to enable user account to login to the

>> Dc/terminal server.

>>

>> Everything works well on this server when logging in as a user

>> (ms office, accounting software, lob app, printing etc) except

>> for IE 7.x which refuses to run javascript (bank site pop up

>> windows for example) when logged in as administrator, there are

>> no issues with IE 7.

>>

>> we have disaabled the custom gpo's so that they dont interfere

>> with the default user rights and this has no effect. we also

>> created a new OU (under the domain OU) and this also had no

>> effect.

>>

>> we have spent ages modifying gpo settings for IE (lowering all

>> the security settings. basically enable to everything to the

>> point where IE says its not safe...) and it makes no

>> difference.

>>

>> is the issue likly to be the propogation of the DC gpo to our

>> cutom gpo's/OU ?

>>

>> whats the best way to approach running ts on a single server

>> for a whole office and still be able to lock the users down so

>> they dont vandalise the system with out the expence of a second

>> server to be the DC.

>>

>> charles.

[Guest Karl]

RE: Running TS on DC

 

I am in the exact same boat. All Java works even when I start IE7 using "run

as" with and administrator account. Does not work no matter what settings I

use on a standard user account. Installed Firefox and all JavaScript works

fine for standard user. I have tried everything I can find on IE7 Enhanced

Security settings (which is uninstalled for admins and users), Registry

Settings, Lowered all security zones to lowest settings, etc. Even

temporarily gave the standard user accounts "full" privs to the entire c:\

drive of the term server hoping it might be a file/folder rights issue.

Nothing works.

 

If someone finds an answer it would be most helpful. In the meantime we will

be using Firefox.

 

"mouse" wrote:

> Everything works well on this server when logging in as a user (ms office,

> accounting software, lob app, printing etc) except for IE 7.x which refuses

> to run javascript (bank site pop up windows for example) when logged in as

> administrator, there are no issues with IE 7.