brian1336334245 Posted December 5, 2011
Can a 2008 R2 RDSH be effectively locked down using the existing Server 2003 TS lockdown domain policy? It's the only 2008 server in a 2003 AD. Thanks for any and all help.
ICTCity Posted December 7, 2011
Yes, but if you want all the settings available you must raise the domain level to 2008.
--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
brian1336334245 Posted December 8, 2011
Does that mean a 2003 GP will apply everything a 2003 GP covers to an R2 box, but things that are out of a 2003 GP's scope, such as PowerShell, search etc., are unaffected by a 2003 GP? As an example, set desktop wallpaper is a 2003 GP setting but it doesn't work on R2.
ICTCity Posted December 10, 2011
Of course... If you apply a policy from a 2003 server to another server 2008, everything is applied, but the 2003 policy doesn't have all the options that a 2008 can support.
brian1336334245 Posted December 11, 2011
I understand now that anything in 2008 that 2003 doesn't cover would be left flapping in the breeze. But 2008 ignores things like enable desktop wallpaper and enable remove all programs from the start menu, as two examples. Is there a way to make this work?
ICTCity Posted December 11, 2011
It's easy. If your policy applies to Windows Server 2003 it will be applied to 2008 too. If it's for 2008, the 2003 version just ignores this setting. You can check each policy; there's a section called "apply to" under "explanations".
brian1336334245 Posted December 12, 2011
Why then do users not get the specified desktop wallpaper? I don't mean to be daft, but I couldn't find "explanations"/"apply to".
ICTCity Posted December 14, 2011
Most policies, when opened, have 2 tabs. One is to enable or disable, the other is an explanation, and at the end you should find "applies to ...".
brian1336334245 Posted December 14, 2011
Duh, I was looking in the GPMC. Yes, I know about disabled/enabled/not configured in the policy editor. I set up this R2 GP with the exact same settings as the 2003 AD TS lockdown policy, which works on a 2003 TS. The answers to these 2 questions might help to clear things up.

1. In the R2 policy, in User config\Desktop\administrative templates\active desktop, the wallpaper settings are the same as in the 2003 TS policy, yet there is no wallpaper on the user's desktop. Why?
2. The 2003 policy removes 'run' from the start menu and works on 2003 TS and the R2 RDSH. But since 'search' in the start menu is new in 7/2008, it will not be affected by the 2003 policy and will remain, yes?

I don't know if this is relevant or not: in the TS users folder where the roaming profiles, nt.dat etc. are, for my test user there are two folders: user.domain and user.domain V2. Is the V2 from logging on to the R2 box with a different (in name) remote desktop policy?
ICTCity Posted December 17, 2011
1. Try to use a JPG instead of BMP, make sure the path for wallpaper is available and users have rights to read it. If this doesn't help, disable the active desktop and use this ADM file:

    CLASS USER
    CATEGORY "Control Panel\Desktop"
      KEYNAME "Control Panel\Desktop"
      POLICY "Wallpaper"
        PART "Wallpaper" EDITTEXT
          DEFAULT "\\server\Policy\Wallpaper\WALLPAPER.bmp"
          VALUENAME "Wallpaper"
        END PART
      END POLICY
      POLICY "WallpaperStyle"
        PART "WallpaperStyle" EDITTEXT
          DEFAULT "0"
          VALUENAME "WallpaperStyle"
        END PART
      END POLICY
    END CATEGORY

2) yes, this is right.

V and V2 are only for compatibility with old system (2003). It doesn't matter :)
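
Added example, not part of the thread or any poster's own code: a PowerShell check, run in the affected user's session on the RDSH, of the points raised in the last reply (which wallpaper path is set, its file type, and whether that user can actually read it). It assumes the Group Policy wallpaper setting is stored under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System` and that the custom ADM above writes to `HKCU\Control Panel\Desktop`; the function name `Test-WallpaperSetting` is made up for this example.

```powershell
# Added diagnostic (not from the thread). Run as the affected user on the RDSH.
# Assumed locations:
#   Group Policy "Desktop Wallpaper": HKCU\...\Policies\System
#   Custom ADM from the post above:   HKCU\Control Panel\Desktop
$locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Control Panel\Desktop'
)

function Test-WallpaperSetting {
    param([string]$KeyPath)

    # PSObject + hashtable keeps this compatible with PowerShell 2.0 (2008 R2 default)
    $result = New-Object PSObject -Property @{
        Key = $KeyPath; Wallpaper = $null; Style = $null
        Extension = $null; Reachable = $false; Readable = $false
    }

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.Wallpaper) { return $result }  # nothing configured here

    $result.Wallpaper = $props.Wallpaper
    $result.Style     = $props.WallpaperStyle
    $result.Extension = [System.IO.Path]::GetExtension($props.Wallpaper).ToLower()

    # .NET file APIs handle UNC paths regardless of the current PowerShell provider
    $result.Reachable = [System.IO.File]::Exists($props.Wallpaper)

    if ($result.Reachable) {
        try {
            # Opening the file proves the user has read rights on share and NTFS
            $stream = [System.IO.File]::OpenRead($props.Wallpaper)
            $stream.Close()
            $result.Readable = $true
        } catch {
            $result.Readable = $false
        }
    }
    return $result
}

$locations | ForEach-Object { Test-WallpaperSetting $_ } |
    Format-List Key, Wallpaper, Style, Extension, Reachable, Readable
```

An empty `Wallpaper` under both keys means the setting never reached the user's registry; `Reachable` true with `Readable` false means the file is visible to the user but cannot be opened for reading.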