Re: TS Srv is also print server. How do you restrict access / permissions
Jarryd <jarryd@community.nospam> wrote:
> Hi,
>
> I have a TS that is also the Print Server for our network. I don't
> want TS users to be able to change the printers' settings. It would
> be even cooler to be able to define which printers they can see, but
> that isn't really an issue. More bothered about them fiddling around
> in there configuring defaults to undesirable settings.
>
> Any clues?
>
> TIA,
>
> Jarryd

I strongly recommend that you move print services elsewhere on your
network. A terminal server should really be nothing more than a big fat
shared workstation, with no other roles on your network.

That said, you can (and definitely should!) lock down your terminal
services. Users should have no admin rights on the box, and there's a lot
more you can do to restrict what they can do.

See KB 278295 for some good lockdown suggestions.

The following is cribbed shamelessly from Patrick Rouse:
-------------------------------------------
Best Practice for applying Settings to Users only when they log on to
Terminal Servers would be to:
1. Create an OU to contain a set of Terminal Servers
2. Block Policy Inheritance on the OU (Properties -> Group Policy). This
prevents settings from higher-up in AD from affecting your Terminal Servers.
3. Move the Terminal Server Computer Objects into the OU. Do NOT place User
Accounts in this OU.
4. Create an Active Directory Security Group called “Terminal Servers” (or
something similar that you’ll recognize) and add the Terminal Servers from
this OU to this group.
5. Create a GPO called “TS Machine Policy” linked to the OU
6. Check “Disable User Configuration settings” on the GPO
7. Enable Loopback Policy Processing in the GPO
8. Edit the Security of the Policy so Apply Policy is set for “Authenticated
Users” and the Security Group containing the Terminal Servers
9. Create additional GPOs linked to this OU for each user population, i.e.
“TS Users”, “TS Administrators”.
10. Check “Disable Computer Configuration settings” on these GPOs
11. Edit the Security on these User Configuration GPOs so Apply Policy is
enabled for the target user population, and Deny Apply Policy is enabled for
users to which the policy should not apply.
With GPOs configured this way the Machine Policy applies to everyone that
logs on to the Terminal Server (only the Computer Configuration Settings of
the Machine Policy are processed) in addition to the appropriate User
Configuration GPO (only the User Configuration portion of the GPO is
processed) for the target user population.
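
The eleven steps above, scripted as an added example (not part of the original post or of Patrick Rouse's text), assuming the ActiveDirectory and GroupPolicy PowerShell modules are available. The domain, server and group names are placeholders, loopback Replace mode is an assumption the post does not state, and because Set-GPPermission has no deny level, step 11 is approximated by reducing Authenticated Users to read-only instead of adding Deny Apply entries.

```powershell
# Added example; every name below is a placeholder, not a value from the post.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'
$ouDn     = "OU=Terminal Servers,$domainDn"
$servers  = 'TS01', 'TS02'
$tsGroup  = 'Terminal Servers'
# User GPO name -> existing security group that should receive it (assumed to exist)
$userGpos = @{ 'TS Users' = 'TS-Users'; 'TS Administrators' = 'TS-Admins' }

# Steps 1-2: create the OU and block policy inheritance on it
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# Steps 3-4: group the computer objects and move them (no user accounts) into the OU
New-ADGroup -Name $tsGroup -GroupScope Global -GroupCategory Security -Path $ouDn
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity $tsGroup -Members $computer
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
}

# Steps 5-8: machine GPO with the user half disabled and loopback enabled
$machineGpo = New-GPO -Name 'TS Machine Policy'
$machineGpo.GpoStatus = 'UserSettingsDisabled'
# UserPolicyMode: 1 = Merge, 2 = Replace. Replace is an assumption here.
Set-GPRegistryValue -Name 'TS Machine Policy' -Type DWord -Value 2 `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' | Out-Null
# A new GPO already grants Apply to Authenticated Users; add the server group
Set-GPPermission -Name 'TS Machine Policy' -TargetName $tsGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name 'TS Machine Policy' -Target $ouDn | Out-Null

# Steps 9-11: one user GPO per population, computer half disabled
foreach ($gpoName in $userGpos.Keys) {
    $gpo = New-GPO -Name $gpoName
    $gpo.GpoStatus = 'ComputerSettingsDisabled'
    Set-GPPermission -Name $gpoName -TargetName $userGpos[$gpoName] `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Substitute for Deny Apply: everyone else can read the GPO but not apply it
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    New-GPLink -Name $gpoName -Target $ouDn | Out-Null
}
```

Running `gpresult /r` in a test user's session on one of the servers shows which of these GPOs were applied and which were filtered out.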