Windows NT Lockdown remote user but not local login


bmense@gmail.com

I'm trying to find a way to lock down a user when they login through
RDP, but not when they login to their system in the Office.

Currently I've created another user for them to use only when they are
logging in remotely.

Is there another way to create an alias of the original ID?
 
I assume that you have locked down the Terminal Server sessions
with a GPO, correct? And now that GPO also applies when the users
log on to their workstations?
The fix for this is to use "loopback processing" of the GPO.

The basic steps to use a GPO to configure a Terminal Server:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option. See:
http://support.microsoft.com/?kbid=231287
4. link the GPO to the OU which contains the Terminal Server
machine account
5. add the Terminal Server machine account to the security list of
the GPO
6. add a User group to the security list of the GPO (or keep the
default entry for "Authenticated Users" if you want the settings
in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select "Deny"
for the right to "Apply this policy". See:
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"bmense@gmail.com" <bmense@gmail.com> wrote on 19 jul 2007 in
microsoft.public.windows.terminal_services:

> I'm trying to find a way to lock down a user when they login
> through RDP, but not when they login to their system in the
> Office.
>
> Currently I've created another user for them to use only when
> they are logging in remotely.
>
> Is there another way to create an alias of the original ID?
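
The seven steps above, scripted as an added example (not part of the original thread). It assumes the GroupPolicy PowerShell module from RSAT on a domain-joined admin workstation; the GPO name, OU path, server name and group name are placeholders.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName = 'TS-Lockdown'                            # placeholder GPO name
$TsOu    = 'OU=TerminalServers,DC=example,DC=com'   # placeholder OU (step 1: holds the TS machine account, not the users)
$TsHost  = 'TS01'                                   # placeholder Terminal Server computer name
$UserGrp = 'TS-Remote-Users'                        # placeholder user group

# Step 2: create the TS-specific GPO.
New-GPO -Name $GpoName -Comment 'Lockdown for Terminal Server sessions only' | Out-Null

# Step 3: enable loopback processing in Replace mode.
# UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 4: link the GPO to the OU that contains the Terminal Server.
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null

# Steps 5 and 6: security filtering for the machine account and the user group.
Set-GPPermission -Name $GpoName -TargetName $TsHost  -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGrp -TargetType Group    -PermissionLevel GpoApply | Out-Null

# Only when filtering to a group instead of keeping the default entry:
# drop "Authenticated Users" from Apply to Read, so the GPO can still be read.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 7 (Deny "Apply" for Administrators) is not covered here: Set-GPPermission
# has no Deny level, so set that ACE in GPMC under Delegation > Advanced.

# Run on the Terminal Server after 'gpupdate /force' to confirm the mode took effect.
function Test-TsLoopback {
    $p = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
                          -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($p.UserPolicyMode) {
        2       { 'Replace' }
        1       { 'Merge' }
        default { 'Not configured' }
    }
}
Test-TsLoopback
```

If `Test-TsLoopback` reports anything other than `Replace`, user settings from the users' own OUs will still be merged into or override the Terminal Server session policy.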
 
You surely use a GPO to lock down the computer? Simply have the GPO
apply to the group "Terminal Server Users" instead of the default
"Authenticated Users".

I hope this helps.

Helge

On 19 Jul., 15:33, "bme...@gmail.com" <bme...@gmail.com> wrote:
> I'm trying to find a way to lock down a user when they login through
> RDP, but not when they login to their system in the Office.
>
> Currently I've created another user for them to use only when they are
> logging in remotely.
>
> Is there another way to create an alias of the original ID?
 
I haven't tried this personally, but will the ADSI extension for Terminal
Services work for you?
Under the user account's Terminal Services Profile, there is a per-user property
"Deny this user permissions to logon to Terminal Server":
http://msdn2.microsoft.com/en-us/library/aa380657.aspx

Thanks
Soo Kuan


--
This posting is provided "AS IS" with no warranties, and confers no rights.

<bmense@gmail.com> wrote in message
news:1184852013.131102.138170@z24g2000prh.googlegroups.com...
> I'm trying to find a way to lock down a user when they login through
> RDP, but not when they login to their system in the Office.
>
> Currently I've created another user for them to use only when they are
> logging in remotely.
>
> Is there another way to create an alias of the original ID?
>
 