Running TS on DC

We have a DC that is running terminal services on it. It has to be this way
as the client can't afford two machines to split the role. We have
implemented loopback policy (ts-computer) and user policy (ts-user) in
group policy management to lock the users down with great effect.

We have made changes to the secpol.msc "allow login through terminal
services" to enable user accounts to log in to the DC/terminal server.

Everything works well on this server when logging in as a user (MS Office,
accounting software, LOB app, printing etc.) except for IE 7.x, which refuses
to run JavaScript (bank site pop-up windows, for example). When logged in as
administrator, there are no issues with IE 7.

We have disabled the custom GPOs so that they don't interfere with the
default user rights and this has no effect. We also created a new OU (under
the domain OU) and this also had no effect.

We have spent ages modifying GPO settings for IE (lowering all the security
settings, basically enabling everything to the point where IE says it's not
safe...) and it makes no difference.

Is the issue likely to be the propagation of the DC GPO to our custom
GPOs/OU?

What's the best way to approach running TS on a single server for a whole
office and still be able to lock the users down so they don't vandalise the
system, without the expense of a second server to be the DC?

charles.
 
RE: Running TS on DC

Just an idea, but create a GPO that will apply to the server:

User Configuration - Windows Settings - Internet Explorer Maintenance -
Security - Security Zones and Content Ratings

You can make adjustments to what is allowed for Internet Zones on Custom
Levels for what is allowed and what is not, it will also allow you to add
entries to Trusted Zones, etc. Look through all of those settings and you
can force the same settings to all who log into it. I had to add our bank's
cash management web app to this GPO to apply to all users logged in and it
works great.

Must make sure Internet Explorer Enhanced Security Configuration is
uninstalled or the settings will not be applied.


"mouse" wrote:

> We have a DC that is running terminal services on it. It has to be this way
> as the client can't afford two machines to split the role. We have
> implemented loopback policy (ts-computer) and user policy (ts-user) in
> group policy management to lock the users down with great effect.
>
> We have made changes to the secpol.msc "allow login through terminal
> services" to enable user accounts to log in to the DC/terminal server.
>
> Everything works well on this server when logging in as a user (MS Office,
> accounting software, LOB app, printing etc.) except for IE 7.x, which refuses
> to run JavaScript (bank site pop-up windows, for example). When logged in as
> administrator, there are no issues with IE 7.
>
> We have disabled the custom GPOs so that they don't interfere with the
> default user rights and this has no effect. We also created a new OU (under
> the domain OU) and this also had no effect.
>
> We have spent ages modifying GPO settings for IE (lowering all the security
> settings, basically enabling everything to the point where IE says it's not
> safe...) and it makes no difference.
>
> Is the issue likely to be the propagation of the DC GPO to our custom
> GPOs/OU?
>
> What's the best way to approach running TS on a single server for a whole
> office and still be able to lock the users down so they don't vandalise the
> system, without the expense of a second server to be the DC?
>
> charles.
>
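
An added diagnostic example, not part of the original thread: one way to check, from inside the affected user's session, the two things the reply above points at, namely whether IE Enhanced Security Configuration is still flagged as installed and which registry location supplies the Active scripting setting (action 1400) for each zone. It assumes PowerShell is available on the server and the usual lookup order of machine policy, user policy, user setting, machine setting.

```powershell
# Added diagnostic example (not from the thread). Run it inside the affected
# user's terminal session so that HKCU is that user's registry hive.
$is  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actions   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Security_HKLM_only = 1 makes IE ignore per-user zone settings entirely,
# so a user-side GPO would have no visible effect.
$hklmOnly = Get-RegValue "HKLM:\$pol" 'Security_HKLM_only'
"Security_HKLM_only (machine policy): $hklmOnly"

# IE Enhanced Security Configuration components (1 = still installed).
$escBase = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$esc = @{ Admins = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
          Users  = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' }
foreach ($who in $esc.Keys) {
    "IE ESC IsInstalled ($who): " + (Get-RegValue "$escBase\$($esc[$who])" 'IsInstalled')
}

# Action 1400 is "Active scripting". For each zone, report the first location
# (in the assumed lookup order) that actually defines it.
foreach ($zone in 1..4) {
    $candidates = @("HKLM:\$pol\Zones\$zone", "HKCU:\$pol\Zones\$zone",
                    "HKCU:\$is\Zones\$zone",  "HKLM:\$is\Zones\$zone")
    if ($hklmOnly -eq 1) { $candidates = $candidates | Where-Object { $_ -like 'HKLM:*' } }
    $winner = 'not set in any location'
    foreach ($path in $candidates) {
        $value = Get-RegValue $path '1400'
        if ($null -ne $value) { $winner = "$($actions[[int]$value]) from $path"; break }
    }
    "{0,-16} scripting: {1}" -f $zoneNames[$zone], $winner
}
```

Comparing the output from an administrator session with the output from a standard user session shows whether the two accounts are reading the setting from different places.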
 
RE: Running TS on DC

Have you searched the KB?
This article is just the latest I remembered seeing, there might be
more:

941001 - The "Intranet Sites: Include all local (intranet) sites
not listed in other zones" policy setting does not function as
expected in Internet Explorer 7
http://support.microsoft.com/?kbid=941001
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Jeff <Jeff@discussions.microsoft.com> wrote on 12
Feb 2008 in microsoft.public.windows.terminal_services:

> Just an idea, but create a GPO that will apply to the server:
>
> User Configuration - Windows Settings - Internet Explorer
> Maintenance - Security - Security Zones and Content Ratings
>
> You can make adjustments to what is allowed for Internet Zones
> on Custom Levels for what is allowed and what is not, it will
> also allow you to add entries to Trusted Zones, etc. Look
> through all of those settings and you can force the same
> settings to all who log into it. I had to add our bank's cash
> management web app to this GPO to apply to all users logged in
> and it works great.
>
> Must make sure Internet Explorer Enhanced Security Configuration
> is uninstalled or the settings will not be applied.
>
>
> "mouse" wrote:
>
>> We have a DC that is running terminal services on it. It has to
>> be this way as the client can't afford two machines to split the
>> role. We have implemented loopback policy (ts-computer) and
>> user policy (ts-user) in group policy management to lock the
>> users down with great effect.
>>
>> We have made changes to the secpol.msc "allow login through
>> terminal services" to enable user accounts to log in to the
>> DC/terminal server.
>>
>> Everything works well on this server when logging in as a user
>> (MS Office, accounting software, LOB app, printing etc.) except
>> for IE 7.x, which refuses to run JavaScript (bank site pop-up
>> windows, for example). When logged in as administrator, there are
>> no issues with IE 7.
>>
>> We have disabled the custom GPOs so that they don't interfere
>> with the default user rights and this has no effect. We also
>> created a new OU (under the domain OU) and this also had no
>> effect.
>>
>> We have spent ages modifying GPO settings for IE (lowering all
>> the security settings, basically enabling everything to the
>> point where IE says it's not safe...) and it makes no
>> difference.
>>
>> Is the issue likely to be the propagation of the DC GPO to our
>> custom GPOs/OU?
>>
>> What's the best way to approach running TS on a single server
>> for a whole office and still be able to lock the users down so
>> they don't vandalise the system, without the expense of a second
>> server to be the DC?
>>
>> charles.
 
RE: Running TS on DC

I am in the exact same boat. All Java works even when I start IE7 using "run
as" with an administrator account. Does not work no matter what settings I
use on a standard user account. Installed Firefox and all JavaScript works
fine for standard user. I have tried everything I can find on IE7 Enhanced
Security settings (which is uninstalled for admins and users), Registry
Settings, Lowered all security zones to lowest settings, etc. Even
temporarily gave the standard user accounts "full" privs to the entire c:\
drive of the term server hoping it might be a file/folder rights issue.
Nothing works.

If someone finds an answer it would be most helpful. In the meantime we will
be using Firefox.

"mouse" wrote:

> Everything works well on this server when logging in as a user (MS Office,
> accounting software, LOB app, printing etc.) except for IE 7.x, which refuses
> to run JavaScript (bank site pop-up windows, for example). When logged in as
> administrator, there are no issues with IE 7.
 