General discussion


Terminal Server and Client -Group Policy

By ITTech2 ·
I have a question in which I hope you can help me:

I have a W2k Server running Terminal Services. (Service
Pack 3)

I have users who use just a thin client to connect, and have grouped them with a policy so that they can't do specific things such as access the tserver's c: drive,

I also have a group of users who use a PC and sometimes connect via the Tserver to do things. HOwever, if I put these people in the same group policy, then when they are local on their pc, they are restricted as well.

What is the best thing to do so that I have a dual affect for the pc users. When their connected, they are restricted, but when their local, they are not restricted.

Thanks for any advice or help.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Terminal Server and Client -Group Policy

by timwalsh In reply to Terminal Server and Clien ...

The basic problem is that when these users are connected via TS, the TS server is considered the local machine. Thus any policy that restricts access to "C on the local computer" WILL affect these users even when not accessing the TS server (as you have discovered).

What I would suggest doing is instead of applying a policy against these users, create a separate group to place these users in. Then just set whatever access limitations you want for these users in the Security settings ofthe drive on the TS Server. This will have the effect of limiting these user's access to the drive (no matter how they access the TS server, but still allow access to their "true" local drives.

Hope this helps.

Collapse -

Terminal Server and Client -Group Policy

by ITTech2 In reply to Terminal Server and Clien ...

Unfortunately by doing this, it also opens the user up to accessing applications on the Tserver that I don't want them to have access to.

Collapse -

Terminal Server and Client -Group Policy

by ewgny In reply to Terminal Server and Clien ...

The best solution I have found is to create seperate user accounts for accessing the terminal server. Place these users in their own "Terminal Server" OU. Now these users can have a very restricted group policy to prevent them from messing with yourserver. The advantage is that it won't interfere with the users normal user account which may require different group policies.
When setting up the client set it up with the the new Terminal Server user account you just created. They won't even know they are accessing with a different logon. If they are using just one app configure the session to launch in full screen mode as well as to launch the app upon logon. When the finish the session they will be returned to their desktop, never even seeing the desktop of the terminal server. The other advantage to this method is that the profile of the new terminal server user will always remain small and efficient loading on the terminal server, since the user would never have the chance to modify it. It could also be made mandatory

Related Discussions

Related Forums