Lockingdown Terminal Server with GPO

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi,

I am new to TS and to GPO's so please bear with me there may well be several easier / more professional methods to achieve what I am aiming for.

Brief: Users need to be able to occasionally log on to network with basic user accounts. Most of the time they work from home Offline Files etc. They establish a VPN and use RDP to connect to a Terminal Server to access a CRM database. I want to prevent them from doing anything silly on the Terminal server i.e. Shutting it down or breaking something.

So I created a test user, locked it down with a combination of a GPO applied to an OU then used NTFS permissions & Hidden attributes on the All Users / Logged in user Start menu items, with the end result of a start button with nothing operational other than the log off button and a clear desktop that will only permit them to run the desired DB (Bit of a control freak don’t you know!).
I was relatively happy with this; I figured each remote user could use the TS specific account for RDP and an unaltered account / GPO for when attached to the network. The problem I now face is replicating this for each of the 40 or so users who will be working in this manner. I created a mandatory profile for the restricted account and copied this to a Roaming Profile share made it mandatory and assigned this as the Terminal Server profile in AD for each TS account. The plan was to add all TS accounts to a group and place this in the appropriate OU for ease of management. The problem is not all of the settings seem to have applied. To ensure no other GPO’s affect the situation I have also configured the restricted GPO with No Override.

Can any one shed any light on these events?

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Try this guide.

 

Wow that was a quick turn arround

Thanks