Windows NT TS, GPO, different users


Hugh O'Donnell

I have:
1. Set up a server for Remote Desktop access.
2. Created a Security Group (acct_users) and only allowed them to access this
TS.
3. Created OU for server (term_server) and linked GPO with loopback on it.
4. Set default application for TS via the GPO.
5. Set Domain Admin's "Apply this Policy" to Denied in the GPO.

My problems are:
1. When a Domain Admin TS's into this machine, they still run the default
app. (I'm sure this is because the loopback doesn't look at what user is
being run... but how do I implement this?)
2. Users can still jack around with the local drives from the application's
"Save As" dialog. Is there a way to keep them out of the local C & D drive
and still have the application run properly?

Can someone tell me the best way to implement this? I was thinking maybe
just a normal GPO that is applied only on the term_server machine by the
certain users. Will this work?

I want to make clear that these users also have access to their own
machines, which is completely acceptable. In other words, Joe Blow should
be able to still have his current rights on his own machine, but when
remoted into the term_server, I want to: limit where they can go, force
them to run a single app, etc.

Thank You,

Hugh
 
The policy setting
"Start a program on connection" exists in both the Computer
Configuration and the User Configuration node of the GPO. It sounds
as if you have enabled it in the Computer Configuration, which
means that it is applied to all users.
If you instead configure the setting in the User Configuration
node, then the security filtering should ensure that your Domain
Admins don't apply the (user part of the) GPO and thus don't run
the application.

You can further lock down your TS with the policy setting:
User Configuration - Administrative templates - Windows components
- Windows Explorer
"Hide these specified drives in My Computer"

and don't forget NTFS permissions on the file system (because the
"hide drives" setting is just cosmetic, it is trivial to get to
those drives anyway, despite the GPO setting).

More lock down settings can be found here:

278295 - How to lock down a Windows Server 2003 or Windows 2000
Terminal Server session
http://support.microsoft.com/?kbid=278295

Windows Server 2003 Terminal Server Security White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-
9E4D-4007-8EAF-C30623E71250&displaylang=en
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Hugh O'Donnell" <none@nowhere.com> wrote on 18 jul 2007 in
microsoft.public.windows.terminal_services:

> I have:
> 1. Set up a server for Remote Desktop access.
> 2. Created a Security Group (acct_users) and only allow them to
> access this TS.
> 3. Created OU for server (term_server) and linked GPO with
> loopback on it.
> 4. Set default application for TS via the GPO.
> 5. Set Domain Admin's "Apply this Policy" to Denied in the GPO.
>
> My problem is,
> 1. When a Domain Admin TS's into this machine, they still run
> the default app. (I'm sure this is because the loopback doesn't
> look at what user is being run... but how do I implement this?)
> 2. Users can still jack around with the local drives from the
> application's "Save As" dialog. Is there a way to keep them out
> of the local C & D drive and still have the application run
> properly?
>
> Can someone tell me the best way to implement this? I was
> thinking maybe just a normal GPO that is applied only on the
> term_server machine by the certain users. Will this work?
>
> I want to make clear that these users also have access to their
> own machines, which is completely acceptable. In other words,
> Joe Blow should be able to still have his current rights on his
> own machine, but when remoted into the term_server, I want to:
> limit where they can go, force them to run a single app, etc.
>
> Thank You,
>
> Hugh
 
Running Program for Certain Users

I moved the "Start a program on connection" from the Computer config to
the User config, but now the user does not run that program.

I ran the GP Modeling Wizard, and it shows the setting for that user on
the Terminal Server.

Here is the info I have in the Group Policy:
-=-=-=-
Terminal Servers Loopback Policy
Data collected on: 7/18/2007 4:39:56 PM

General
Details
Domain MyDomain.local
Owner MyDomain\Domain Admins
Created 7/2/2007 4:37:26 PM
Modified 7/18/2007 4:37:32 PM
User Revisions 3 (AD), 3 (sysvol)
Computer Revisions 9 (AD), 9 (sysvol)
GPO Status Enabled

Links
Location Enforced Link Status Path
Terminal Servers Yes Enabled MyDomain.local/MyBusiness/Terminal Servers

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users,
and computers:
Name
MyDomain\Accounting Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
MyDomain\Accounting Users Read (from Security Filtering) No
MyDomain\Domain Admins Custom No
MyDomain\Enterprise Admins Custom No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No

Computer Configuration (Enabled)
No settings defined.
User Configuration (Enabled)
Administrative Templates
System/Ctrl+Alt+Del Options
Policy Setting
Remove Task Manager Enabled

Windows Components/Terminal Services
Policy Setting
Start a program on connection Enabled
Program path and file name "D:\Program Files\Viewpoint
\VPClientMenu.exe" Viewpoint
Working Directory D:\Program Files\Viewpoint


Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict all drives
 
Re: Running Program for Certain Users

According to:
> Computer Configuration (Enabled)
> No settings defined.

loopback processing isn't configured, which explains why the users
don't start the application on logon.

That's done in:
Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - "Replace"
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Hugh O'Donnell" <no_spam_for_me@nowhere.com> wrote on 19 jul 2007
in microsoft.public.windows.terminal_services:

> I moved the "Start a program on connection" from the Computer
> config to the User config, but now the user does not run that
> program.
>
> I ran the GP Modeling Wizard, and it shows the setting for that
> user on the Terminal Server.
>
> Here is the info I have in the Group Policy:
> -=-=-=-
> Terminal Servers Loopback Policy
> Data collected on: 7/18/2007 4:39:56 PM
>
> General
> Details
> Domain MyDomain.local
> Owner MyDomain\Domain Admins
> Created 7/2/2007 4:37:26 PM
> Modified 7/18/2007 4:37:32 PM
> User Revisions 3 (AD), 3 (sysvol)
> Computer Revisions 9 (AD), 9 (sysvol)
> GPO Status Enabled
>
> Links
> Location Enforced Link Status Path
> Terminal Servers Yes Enabled MyDomain.local/MyBusiness/Terminal
> Servers
>
> This list only includes links in the domain of the GPO.
> Security Filtering
> The settings in this GPO can only apply to the following groups,
> users, and computers:
> Name
> MyDomain\Accounting Users
>
> WMI Filtering
> WMI Filter Name None
> Description Not applicable
>
> Delegation
> These groups and users have the specified permission for this
> GPO
> Name Allowed Permissions Inherited
> MyDomain\Accounting Users Read (from Security Filtering) No
> MyDomain\Domain Admins Custom No
> MyDomain\Enterprise Admins Custom No
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
> NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
>
> Computer Configuration (Enabled)
> No settings defined.
> User Configuration (Enabled)
> Administrative Templates
> System/Ctrl+Alt+Del Options
> Policy Setting
> Remove Task Manager Enabled
>
> Windows Components/Terminal Services
> Policy Setting
> Start a program on connection Enabled
> Program path and file name "D:\Program Files\Viewpoint
> \VPClientMenu.exe" Viewpoint
> Working Directory D:\Program Files\Viewpoint
>
>
> Windows Components/Windows Explorer
> Policy Setting
> Hide these specified drives in My Computer Enabled
> Pick one of the following combinations Restrict all drives
 
Re: Running Program for Certain Users

I should have mentioned that I tried having the loopback processing on and
off... with same results. Each time I changed it, I did a "gpupdate
/force" on the terminal server and then logged off and back on.

What else could be keeping this from happening?

"Vera Noest [MVP]" wrote:

> According to:
>> Computer Configuration (Enabled)
>> No settings defined.

> loopback processing isn't configured, which explains why the users
> don't start the application on logon.
>
> That's done in:
> Computer Configuration - Administrative Templates - System - Group
> Policy
> "User Group Policy loopback processing mode" - "Replace"
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
 
Re: Running Program for Certain Users

Have you verified that the GPO is indeed applied and not
overwritten? Use Resultant Set of Policies to test.
And is the Terminal Server machine account on the Applies to list
of the GPO, since you've removed the Authenticated Users group?
(if I recall correctly, I don't see old posts, and the first posts
aren't quoted anymore).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Hugh O'Donnell" <no_spam_for_me@nowhere.com> wrote on 19 jul 2007
in microsoft.public.windows.terminal_services:

> I should have mentioned that I tried having the loopback
> processing on and off... with same results. Each time I changed
> it, I did a "gpupdate /force" on the terminal server and then
> logged off and back on.
>
> What else could be keeping this from happening?
>
> "Vera Noest [MVP]" wrote:
>
>> According to:
>>> Computer Configuration (Enabled)
>>> No settings defined.

>> loopback processing isn't configured, which explains why the
>> users don't start the application on logon.
>>
>> That's done in:
>> Computer Configuration - Administrative Templates - System -
>> Group Policy
>> "User Group Policy loopback processing mode" - "Replace"
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
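The checks Vera spreads over her three replies (the user-side "Start a program on connection" value, loopback "Replace" in the Computer part, NTFS permissions instead of the cosmetic drive hiding, Resultant Set of Policy, and Apply rights for the machine account) collected into one verification script; this is an added example, not code from the thread or from either poster. It assumes the GPO and group names from Hugh's report, an elevated PowerShell session inside an RDP test logon on the terminal server with the GroupPolicy RSAT module installed, and the registry locations the Terminal Services and Explorer policy templates write, which are stated from knowledge of those templates, not from the thread.

```powershell
# Added verification script (not from the thread). Names below are taken
# from Hugh's GPO report; adjust them for your own domain.
$GpoName = 'Terminal Servers Loopback Policy'
$Group   = 'MyDomain\Accounting Users'

# 1. Loopback lives in the COMPUTER part of the GPO. The template writes
#    UserPolicyMode under HKLM: 1 = Merge, 2 = Replace, absent = off.
$sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
switch ($sys.UserPolicyMode) {
    2       { 'Loopback: Replace' }
    1       { 'Loopback: Merge' }
    default { 'Loopback: NOT configured (users will not get the user part)' }
}

# 2. "Start a program on connection" set in the USER part lands in HKCU,
#    so it is present only for users who pass security filtering
#    (Domain Admins with Apply denied will not see it).
$ts = Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
if ($ts.InitialProgram) { "Initial program: $($ts.InitialProgram) (cwd: $($ts.WorkDirectory))" }
else                    { 'Initial program: not applied to this user' }

# 3. "Hide these specified drives" is only the Explorer NoDrives bitmask
#    (0x03FFFFFF = restrict all drives). It is cosmetic, as Vera notes.
$exp = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
'Hidden drives mask: 0x{0:X8} (cosmetic only)' -f [int]$exp.NoDrives

# 4. The real control is NTFS: look for a Deny ACE for the group on the
#    roots of the local drives Hugh wants to keep users out of.
foreach ($root in 'C:\', 'D:\') {
    $deny = (Get-Acl $root).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Deny' }
    if ($deny) { "${root}: Deny ACE present for $Group" }
    else       { "${root}: no Deny ACE for $Group (hide-drives alone will not stop access)" }
}

# 5. With Authenticated Users removed from the GPO, the terminal server's
#    computer account (or a group containing it) still needs Read + Apply,
#    otherwise the Computer part (and thus loopback) never applies.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { '{0} has Apply on "{1}"' -f $_.Trustee.Name, $GpoName }

# 6. Resultant Set of Policy for the logged-on user, as the last reply suggests.
gpresult /scope user /r
```

Run it once as a member of Accounting Users and once as a Domain Admin: the first should show the initial program and the second should not, while step 1 must read "Replace" in both cases.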
 