Terminal Server Laptop Lockdown

  • Thread starter Thread starter WilliamS
  • Start date Start date
W

WilliamS

Guest
I am trying to lock down specific users (laptops) on TS 2003.
1. I am using GPM to do this, here is the setup:
2. Created an OU called School Laptops
3. Created and linked two GPO's withing the OU called LaptopLoopback and
LaptopSecurity
4. In LaptopLoopback set up Computer Configuration/Administrative
Templates/System/Group Policy: enabled loopback processing mode.
5. In LaptopSecurity enabled User Configuration/Administrative
Templates/Control Panel: disabled access to control panel.
6. Added a test user called Buster to Security Filtering for LaptopSecurity.
7. Logged onto Terminal Server as Buster, but I could access the Control
Panel.
8. Added Authenticated Users to the Security Filtering
9. Added Buster directly to the OU in Active Directory.
10. Logged on as Buster and was, appropriately, denied access to the Control
Panel.

Comment1: This seems wrong, that I would have to add users directly to the
OU to make this work. My thinking is that I should be able to add a Group to
the Security Filtering Section, to accomplish my goal.

Comment2: I did not add the Terminal Server Computer to the OU, as I am
only trying to filter a certain group.

Any help would be appreciated.
WilliamS
 
Re: Terminal Server Laptop Lockdown

In our configuration, your only locking down the laptops. if you want to
lock down the users when they are actually on the terminal server, then
create an OU for the terminal server, enable loopback processing, then
create a user gpo at the same OU and filter that by whatever group you want.
This article will explain it:
http://www.dabcc.com/blogs/jeff/pos...oup-Policy-in-a-Terminal-Services-Environment

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"WilliamS" <WilliamS@discussions.microsoft.com> wrote in message
news:30F23244-8743-40BB-BBCE-E07048AD67D7@microsoft.com...
>I am trying to lock down specific users (laptops) on TS 2003.
> 1. I am using GPM to do this, here is the setup:
> 2. Created an OU called School Laptops
> 3. Created and linked two GPO's withing the OU called LaptopLoopback and
> LaptopSecurity
> 4. In LaptopLoopback set up Computer Configuration/Administrative
> Templates/System/Group Policy: enabled loopback processing mode.
> 5. In LaptopSecurity enabled User Configuration/Administrative
> Templates/Control Panel: disabled access to control panel.
> 6. Added a test user called Buster to Security Filtering for
> LaptopSecurity.
> 7. Logged onto Terminal Server as Buster, but I could access the Control
> Panel.
> 8. Added Authenticated Users to the Security Filtering
> 9. Added Buster directly to the OU in Active Directory.
> 10. Logged on as Buster and was, appropriately, denied access to the
> Control
> Panel.
>
> Comment1: This seems wrong, that I would have to add users directly to the
> OU to make this work. My thinking is that I should be able to add a Group
> to
> the Security Filtering Section, to accomplish my goal.
>
> Comment2: I did not add the Terminal Server Computer to the OU, as I am
> only trying to filter a certain group.
>
> Any help would be appreciated.
> WilliamS
>
 
Back
Top