Policy Question


Guest compsosinc@gmail.com
Posted

We know this is a bad setup but, if a Windows 2003 Domain Controller is also a Terminal Server, what is the recommended way to set up Group Policy for groups of users relative to the OU structure? We are more familiar (but not experts) with setting up a TS when it is a member server and you move it into its own OU. We have a mix of Thin-clients and XP Pro workstations that will connect to the DC/TS.

So for example, we have the following types of users:

1. Remote users using Thin Clients -- located at another office who need to log in to the TS to use (3) applications and have their own folders on the TS but restricted use otherwise. The Thin-clients have no local printers. And based on the Thin-client OS we have to let them use the Internet on the TS.

2. Remote users using XP Pro workstations - same as #1, need folders, but do not need their local environment restricted. Should we just join them to the domain through the VPN as if they were on the local LAN?

3. Local LAN users -- currently using XP workstations. Users are currently set up in their own OUs (SalesOU, AcctOU, etc) for the purpose of implementing Internet policy. Working well.

So, in this particular environment, is it best to just create separate OUs for the (2) types of remote users and move the user accounts into the respective OU(s) and create a GP linked to them? I do not think we have a choice here...

Secondly, some of the remote users from #1 may log in locally (Main Office) to the Domain from an XP Workstation, not a thin-client. Could we just set up separate user accounts (different login for local use vs remote use)?

We are in the test lab now but trying to determine the best approach since we generally do not move user accounts into OUs. Sounds like we need to also move the XP computers into the OUs as well?

Thanks

Guest Alice Kupcik [MSFT]
Posted

Re: Policy Question

 

There is no recommended way to use a DC as a Terminal Server for 2 main reasons:

1.) Performance issues: e.g. the DC and TS will compete for memory
2.) Security reasons: interactive domain controller access should be limited to only highly trusted users in the Administrator group.

--
Alice Kupcik
Program Manager - Microsoft
http://blogs.msdn.com/ts

This posting is provided "AS IS" with no warranties, and confers no rights.
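One way to check the security point in the reply above on a combined DC/TS is to audit which principals hold local or Terminal Services logon rights in a `secedit` user-rights export. This is an added example, not part of the thread: the sample INF and the `ThinClientUsers` group are constructed, and the Administrators-only allow list is an assumption taken from the reply.

```python
# Added example: audit who may log on to a DC locally or through Terminal Services.
# Input is the INF text written by `secedit /export /cfg dc.inf /areas USER_RIGHTS`
# (the file on disk is normally UTF-16; decode it before passing the text in).

WELL_KNOWN = {  # built-in SIDs that commonly appear in these rights
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
LOGON_RIGHTS = ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight")
ALLOWED = {"S-1-5-32-544"}  # assumption: Administrators only, per the reply above

# Constructed sample; "ThinClientUsers" is a hypothetical domain group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,ThinClientUsers
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are bare.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_rights(text, allowed=ALLOWED):
    """List (right, principal) pairs granted to anything outside `allowed`."""
    rights = parse_privilege_rights(text)
    return [(right, WELL_KNOWN.get(p, p))
            for right in LOGON_RIGHTS
            for p in rights.get(right, []) if p not in allowed]

if __name__ == "__main__":
    for right, who in audit_logon_rights(SAMPLE_INF):
        print(f"{right}: {who}")
```

Every pair it reports is a principal outside the allow list that can start a session on the domain controller, which is what granting Terminal Services access to ordinary users on a DC produces.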

 

 


Guest compsosinc@gmail.com
Posted

Re: Policy Question

 


 

We know what you are saying, and maybe 'recommended' was the wrong choice of words. However, can you comment on the OU structure in this case? Thank you.

Guest Alice Kupcik [MSFT]
Posted

Re: Policy Question

 

I think that's a better question for the Active Directory/Domain Controller newsgroup than for TS:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.active_directory

Thx. Alice

--
Alice Kupcik
Program Manager - Microsoft
http://blogs.msdn.com/ts

This posting is provided "AS IS" with no warranties, and confers no rights.

 

 

