Newbie Setup Question

compsosinc@gmail.com

We have a SBS2000 (not 2003) server running Active Directory & a
Windows 2003 Server running as a Terminal server. We added (10) new XP
client computers to the AD and (10) generically named users who are
now just members of the "Domain Users" group. This setup is for the sole
purpose of the (1) clients/users running one application on the
Terminal Server. It appears that if Active Directory were running on
Windows 2003 Server we could just add the clients to the Remote
Desktop Users group to accomplish some of the things we need to
accomplish. However that group is not available in Windows 2000 AD.

So here is our goal for the (10) new clients:

1. We want every client to have the same TS desktop. It will include
the icon for starting the application and nothing else except the same
program on the Start Menu in case the icon gets deleted. No other
programs should be listed.
2. We do not want the users to have access to a local desktop.
3. We do do want any user to be able to install anything to the TS
from the USB drive or CDROM, but we do not want this hardware
disabled.
4. When the systems bootup, we do not want a CTRL+ALT+DEL prompt. We
want the system to boot and automatically display a customized TS
desktop for each of the (10) systems. If it is preferable/recommended
to have the CTRL+ALT+DEL prompt, we want each client to have the same
login and go directly to the TS without the user manually launching RDP
connection.
5. We do not want the users to have Internet Access from the TS. We
have read about using the 127.0.0.0.
6. Possibly a mapped drive to the SBS2000 data partition to open
particular shared files in "read only" using a program installed on
the TS.

Can we accomplish all of the above?

Can anyone provide a starting point -thanks. We are currently reading
much material and have a Virtual PC setup with Windows 2003 Servers
only (no 2000 AD) but basically see we need to start with new OU.
 
RE: Newbie Setup Question

1. You can use Group Policy to redirect the desktop, and start menu to read
only directories that you manage.

http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

2. Replace the local OS with a thin-client Linux OS, so it boots directly
to the RDP Client.

http://www.sessioncomputing.com/thin-clients.htm

3. Lock down the file system and use Software Restriction Policies to
restrict what users can do.

http://www.sessioncomputing.com/security.htm


4. See number 2, but do NOT use the same logon for each user or you will
have profile problems.

5. Use Group Policy to set a dummy Proxy IP Address, and set exclusions for
addresses you need to allow.

6. Use a logon script.


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com
 
Re: Newbie Setup Question

On Dec 9, 1:34 pm, Patrick Rouse
<PatrickRo...@discussions.microsoft.com> wrote:
> 1. You can use Group Policy to redirect the desktop, and start menu to read
> only directories that you manage.
>
> http://www.msterminalservices.org/articles/Configure-Folder-Redirecti...
>
> 2. Replace the local OS with a thin-client Linux OS, so it boots directly
> to the RDP Client.
>
> http://www.sessioncomputing.com/thin-clients.htm
>
> 3. Lock down the file system and use Software Restriction Policies to
> restrict what users can do.
>
> http://www.sessioncomputing.com/security.htm
>
> 4. See number 2, but do NOT use the same logon for each user or you will
> have profile problems.
>
> 5. Use Group Policy to set a dummy Proxy IP Address, and set exclusions for
> addresses you need to allow.
>
> 6. Use a logon script.

Thank you for replying--- these links look very helpful. With regards
to Question#2 & #4, we have already purchased new XP-based systems--
not thin clients--because in the future we may have to install locally
based programs and wanted to have that option if we needed it. So
changing the local OS & hardware is not an option here.

We have setup (10) separate generically-named user accounts, and
currently they are all members of the "Domain Users" group within the
2000 AD. Are you stating that since we are using XP-based systems,
there is no way to eliminate the CTRL+ALT+DEL prompt at bootup? For
example, we have in another Windows 2000 based server (unrelated to
this network), set a registry value to automatically login the startup
account when the system boots. Since we have separate user accounts,
can we do this for a domain login with XP? Or is this generally, not a
"best practice" approach? For instance, if we have a hardware/OS
problem and need to login into the system locally for troubleshooting
purposes?

Finally, do we need to make these users members of any other group
other than "Domain Users" in order to meet our goals?

Thank you so much.
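
An added example, not part of the original thread: the registry-based autologon asked about above uses the Winlogon values AutoAdminLogon, DefaultDomainName, DefaultUserName and DefaultPassword (the password is kept in clear text), and this script audits exported copies of that key for the points the thread raises. The client names, accounts, passwords and the replacement shell path in the sample exports are constructed.

```python
import re
from collections import defaultdict

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample data: regedit (.reg) exports of the Winlogon key from three
# hypothetical XP clients. Names, accounts, passwords and the shell path are made up.
SAMPLE_EXPORTS = {
    "XP-CLIENT-01": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="EXAMPLE"
"DefaultUserName"="tsuser01"
"DefaultPassword"="constructed-pw-01"
"Shell"="Explorer.exe"
''',
    "XP-CLIENT-02": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="example"
"DefaultUserName"="TSUser01"
"DefaultPassword"="constructed-pw-01"
"Shell"="C:\\Kiosk\\shell.exe"
''',
    "XP-CLIENT-03": r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultDomainName"="EXAMPLE"
"DefaultUserName"="tsuser03"
"Shell"="Explorer.exe"
''',
}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(value):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg(text):
    """Parse REG_SZ values from a .reg export into {key_lower: {name_lower: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        value = _SZ_LINE.match(line)
        if value and current is not None:
            current[_unescape(value.group(1)).lower()] = _unescape(value.group(2))
    return keys


def audit_client(reg_text):
    """Return (findings, autologon_account) for one client's Winlogon export."""
    values = parse_reg(reg_text).get(WINLOGON_KEY.lower(), {})
    findings = []
    if values.get("autoadminlogon") != "1":
        return findings, None  # interactive CTRL+ALT+DEL logon stays in place
    findings.append("AUTOLOGON_ENABLED")
    if values.get("defaultpassword"):
        # Registry autologon keeps the account password as a clear-text string.
        findings.append("PLAINTEXT_PASSWORD")
    # First token of the Shell value; a missing or empty value means Explorer.
    tokens = values.get("shell", "").strip('"').split()
    shell = tokens[0] if tokens else "explorer.exe"
    if shell.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "explorer.exe":
        # Autologon lands on the normal local desktop (goal 2 is not met).
        findings.append("EXPLORER_SHELL")
    user = values.get("defaultusername")
    account = None
    if user:
        account = "{}\\{}".format(values.get("defaultdomainname", ""), user).lower()
    return findings, account


def audit_fleet(exports):
    """Audit every client and flag autologon accounts reused on several machines."""
    report, by_account = {}, defaultdict(list)
    for client, reg_text in sorted(exports.items()):
        findings, account = audit_client(reg_text)
        report[client] = findings
        if account:
            by_account[account].append(client)
    for clients in by_account.values():
        if len(clients) > 1:
            # The reply above warns against one logon shared by all clients.
            for client in clients:
                report[client].append("SHARED_LOGON")
    return report


if __name__ == "__main__":
    for client, findings in audit_fleet(SAMPLE_EXPORTS).items():
        print(client, ", ".join(findings) or "no findings")
```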
 
Re: Newbie Setup Question

You can definitely configure the XP Machines to autologon, then launch the
RDP Client to connect to the TS of your choice. Getting it so the end user
has no access to the local desktop will likely require the purchase of a 3rd
party product to replace the Explorer shell.

Check with triCerat, as I think they make something like this.


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com
 
Re: Newbie Setup Question

On Dec 10, 7:50 am, Patrick Rouse
<PatrickRo...@discussions.microsoft.com> wrote:
> You can definitely configure the XP Machines to autologon, then launch the
> RDP Client to connect to the TS of your choice. Getting it so the end user
> has no access to the local desktop will likely require the purchase of a 3rd
> party product to replace the Explorer shell.
>
> Check with triCerat, as I think they make something like this.

Thanks again -we'll check into that. However, do you know if it is
possible to prevent the user from closing the Remote Desktop
Connection so that they are locked into the TS session? I suppose that
is not a good idea in case they need to reboot the local OS...
 
Re: Newbie Setup Question

If you have SA for XP, you might want to use Windows FLP, which is more
suited for what you are doing than a full blown XP installation.


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com
 
Re: Newbie Setup Question

On Dec 10, 8:54 am, Patrick Rouse
<PatrickRo...@discussions.microsoft.com> wrote:
> If you have SA for XP, you might want to use Windows FLP, which is more
> suited for what you are doing that a full blown XP installation.
>
> --
> Patrick C. Rouse
> Microsoft MVP - Terminal Server
> Provision Networks VIP
> Citrix Technology Professional
> President - Session Computing Solutions, LLChttp://www.sessioncomputing.com
>
>
>
> "compsos...@gmail.com" wrote:
> > On Dec 10, 7:50 am, Patrick Rouse
> > <PatrickRo...@discussions.microsoft.com> wrote:
> > > You can definitely configure the XP Machines to autologon, then launch the
> > > RDP Client to connect to the TS of your choice. Getting it so the end user
> > > has no access to the local desktop will likely require the purchase of a 3rd
> > > party product to replace the Explorer shell.

>
> > > Check with triCerat, as I think they make something like this.

>
> > > --
> > > Patrick C. Rouse
> > > Microsoft MVP - Terminal Server
> > > Provision Networks VIP
> > > Citrix Technology Professional
> > > President - Session Computing Solutions, LLChttp://www.sessioncomputing.com

>
> > > "compsos...@gmail.com" wrote:
> > > > On Dec 9, 1:34 pm, Patrick Rouse
> > > > <PatrickRo...@discussions.microsoft.com> wrote:
> > > > > 1. You can use Group Policy to redirect the desktop, and start menu to read
> > > > > only directories that you manage.

>
> > > > >http://www.msterminalservices.org/articles/Configure-Folder-Redirecti...

>
> > > > > 2. Replace the local OS with a thin-client Linux OS, so it boots directly
> > > > > to the RDP Client.

>
> > > > >http://www.sessioncomputing.com/thin-clients.htm

>
> > > > > 3. Lock down the file system and use Software Restriction Policies to
> > > > > restrict what users can do.

>
> > > > >http://www.sessioncomputing.com/security.htm

>
> > > > > 4. See number 2, but do NOT use the same logon for each user or you will
> > > > > have profile problems.

>
> > > > > 5. Use Group Policy to set a dummy Proxy IP Address, and set exclusions for
> > > > > addresses you need to allow.

>
> > > > > 6. Use a logon script.

>
> > > > > --
> > > > > Patrick C. Rouse
> > > > > Microsoft MVP - Terminal Server
> > > > > Provision Networks VIP
> > > > > Citrix Technology Professional
> > > > > President - Session Computing Solutions, LLChttp://www.sessioncomputing.com

>
> > > > > "compsos...@gmail.com" wrote:
> > > > > > We have a SBS2000 (not 2003) server running Active Directory & a
> > > > > > Windows 2003 Server running as a Terminal server. We added (10) new XP
> > > > > > client computers to the AD and (10) generically named users who are
> > > > > > now just members of the "Domain Users" group. This setup for the sole
> > > > > > purpose of the (1) clients/users running one application on the
> > > > > > Terminal Server. It appears that if Active Directory were running on
> > > > > > Windows 2003 Server we could just add the clients to the Remote
> > > > > > Desktop USers group to accomplish some of the things we need to
> > > > > > accomplish. However that group is not available in Windows 2000 AD.

>
> > > > > > So here is our goal for the (10) new clients:

>
> > > > > > 1. We want every client to have the same TS desktop. It will include
> > > > > > the icon for starting the application and nothing else except the same
> > > > > > program on the Start Menu in case the icon gets deleted. No other
> > > > > > programs should be listed.
> > > > > > 2. We do not want the users to have access to a local desktop.
> > > > > > 3. We do do want any user to be able to install anything to the TS
> > > > > > from the USB drive or CDROM, but we do not want this hardware
> > > > > > disabled.
> > > > > > 4. When the systems bootup, we do not want a CTRL+ALT+DEL prompt. We
> > > > > > want the system to boot and automatically display a customized TS
> > > > > > desktop for each of the (10) systems. If it is preferable/recommended
> > > > > > to have the CTRL+ALT+DEL prompt, we want each client tohave the same
> > > > > > login an go directly to the TS without the user manually launching RDP
> > > > > > connection.
> > > > > > 5. We do not want the users to have Internet Access from the TS. We
> > > > > > have read about using the 127.0.0.0.
> > > > > > 6. Possibly a mapped drive to the SBS2000 data partition to open
> > > > > > particular shared files in "read only" using a program installed on
> > > > > > the TS.

>
> > > > > > Can we accomplish all of the above?

>
> > > > > > Can anyone provide a starting point -thanks. We are currently reading
> > > > > > much material and have a Virtual PC setup with Windows 2003 Servers
> > > > > > only (no 2000 AD) but basically see we need to start with new OU.- Hide quoted text -

>
> > > > > - Show quoted text -

>
> > > > Thank you for replying--- these links look very helpful. With regards
> > > > to Question#2 & #4, we have already purchased new XP-based systems--
> > > > not thin clients--because in the future we may have to install locally
> > > > based programs and wanted to have that option if we needed it. So
> > > > changing the local OS & hardware is not an option here.

>
> > > > We have setup (10) separate generically-named user accounts, and
> > > > currently they are all members of the "Domain Users" group within the
> > > > 2000 AD. Are you stating that since we are using XP-based systems,
> > > > there is no way to eliminate the CTRL+ALT+DEL prompt at bootup? For
> > > > example, we have in another Windows 2000 based server (unrelated to
> > > > this network), set a registry value to automatically login the startup
> > > > account when the system boots. Since we have separate user accounts,
> > > > can we do this for a domain login with XP? Or is this generally, not a
> > > > "best practice" approach? For instance, if we have a hardware/OS
> > > > problem and need to login into the system locally for troubleshooting
> > > > purposes?
> > > >
> > > > Finally, do we need to make these users members of any other group
> > > > other than "Domain Users" in order to meet our goals?
> > > >
> > > > Thank you so much.
> >
> > Thanks again -we'll check into that. However, do you know if it is
> > possible to prevent the user from closing the Remote Desktop
> > Connection so that they are locked into the TS session? I suppose that
> > is not a good idea in case they need to reboot the local OS...


Hi - regarding Question#1 above. We have read the article. Since all
of the users should have the same desktop(s) both on the TS and
locally (if they get access), shouldn't we use a Mandatory profile
instead of roaming? Or is it not recommended practice to use Mandatory
- and if so, why is that?
 
Re: Newbie Setup Question

Mandatory profiles are great, if you don't have to save any user specific
settings after logoff. If you do, then look at Flex or Roaming Profiles.

--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com



"compsosinc@gmail.com" wrote:

> Hi - regarding Question#1 above. We have read the article. Since all
> of the users should have the same desktop(s) both on the TS and
> locally (if they get access), shouldn't we use a Mandatory profile
> instead of roaming? Or is it not recommended practice to use Mandatory
> - and if so, why is that?
>
 
Re: Newbie Setup Question

On Dec 10, 2:18 pm, Patrick Rouse
<PatrickRo...@discussions.microsoft.com> wrote:
> Mandatory profiles are great, if you don't have to save any user specific
> settings after logoff. If you do, then look at Flex or Roaming Profiles.
>
> --
> Patrick C. Rouse
> Microsoft MVP - Terminal Server
> Provision Networks VIP
> Citrix Technology Professional
> President - Session Computing Solutions, LLC
> http://www.sessioncomputing.com


Thanks - we do not have to save any settings after log off.
 