How to Apply Group Policy Objects to Terminal Services Servers
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
SUMMARY
Microsoft Windows 2000 Terminal Services servers are installed for users in Application Server mode. When the Windows 2000 Terminal Services servers are in a Windows 2000 Active Directory domain, the domain administrator applies Group Policy Objects (GPOs) to the Terminal Services server to control the user environment. This article describes the recommended process of applying GPOs to Terminal Services without adversely affecting other Windows 2000 servers on the network.
MORE INFORMATION
There are 2 methods for applying GPOs to Terminal Services without adversely affecting other Windows 2000 Server computers on the network.
Method 1
The first option is to create an organizational unit (OU) specifically for the Terminal Services servers in Application Server mode. This OU allows specific GPOs to be applied to only those Terminal Services computers, creating a tightly controlled Terminal Services experience for the users without affecting the other servers in the Active Directory domain. This OU should not contain users or other computers; therefore domain administrators can fine-tune the Terminal Services experience. The OU can also be delegated for control to subordinate groups such as server operators or individual users.
To create a new OU for the Terminal Services servers, follow these steps:
- On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Expand the left pane.
- Click domainname.xxx.
- On the Action menu, click New, and then click Organizational Unit.
- In the Name box, type a name for the Terminal Services server.
- Click OK.
The new Terminal Services OU now appears in the list in the left pane and contains no default objects. The Terminal Services servers reside in either the Computers OU or the Domain Controllers OU.
- Locate and click the Terminal Services server or servers, click Action, and then click Move.
- In the Move dialog box, click the new Terminal Services server or servers, and then click OK.
- Click the new Terminal Services OU to verify that the move has successfully taken place.
To create a Terminal Services Group Policy object, follow these steps:
- Click the new Terminal Services OU.
- On the Action menu, click Properties.
- Click the Group Policy tab.
- Click New to create the New Group Policy object.
- Click Edit to modify the group policy.
NOTE: Most of the relevant settings are under Computer Configuration, Security Settings, or Local Policies. For example, under User Rights Assignment in the list on the right, you find Log on Locally, which is required for logging on to a session on Terminal Services; and you also find Access this computer from the network, which is required to connect to the server outside of a Terminal Services session. This is also where you can prevent users from being able to shut down the system. The Security Options folder is where many of the restrictions should be made and where there are similar settings to the NTConfig.pol file in Windows NT 4.0 Server and Terminal Server Edition. Settings for the user part of the policy should not be applied here because the users have not been placed into this OU with the Terminal Services server. This article is written for machine policy implementation.
- When modifications are completed, close the Group Policy editor, and then click Close to close OU Properties.
Method 2
The second option is to apply GPOs to Terminal Services servers exclusively with the use of a GPO Loopback policy. This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to the computer affected by this policy. This policy is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used. Without Loopback, the user's Group Policy objects determine which user policies apply. If this policy is enabled, the location of a user's computer object is the main factor in determining which set of Group Policy objects is to be applied.
This implementation is described in the following Knowledge Base article:
Q231287 Loopback Processing of Group Policy
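The two methods above as one script, added here as an example and not part of the original article. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules, which are newer than the Windows 2000 tools the steps use; the domain, OU, GPO and server names are hypothetical placeholders.

```powershell
# Added example. Requires the ActiveDirectory and GroupPolicy modules (RSAT).
# Every default below is a hypothetical placeholder, not a value from the article.
param(
    [string]   $DomainDN = 'DC=example,DC=com',
    [string]   $OuName   = 'Terminal Servers',
    [string]   $GpoName  = 'Terminal Services Machine Policy',
    [string[]] $Servers  = @('TS01', 'TS02'),
    [ValidateSet('None', 'Merge', 'Replace')]
    [string]   $Loopback = 'None'     # Method 2: loopback processing mode
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, GroupPolicy
$ouDN = "OU=$OuName,$DomainDN"

# Method 1: a dedicated OU that holds only the Terminal Services computer objects.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
foreach ($name in $Servers) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
    }
}

# Create the GPO once and link it to the OU only, so other servers are unaffected.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$links = @((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id })
if ($links.Count -eq 0) {
    New-GPLink -Guid $gpo.Id -Target $ouDN -LinkEnabled Yes | Out-Null
}

# Method 2: loopback is a computer-side policy value (1 = Merge, 2 = Replace).
if ($Loopback -ne 'None') {
    $mode = @{ Merge = 1; Replace = 2 }[$Loopback]
    Set-GPRegistryValue -Guid $gpo.Id -ValueName 'UserPolicyMode' -Type DWord -Value $mode `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' | Out-Null
}

# Verify the move and the link, as the last step of the manual procedure does.
Get-ADComputer -Filter * -SearchBase $ouDN | Select-Object Name, DistinguishedName
(Get-GPInheritance -Target $ouDN).GpoLinks | Select-Object DisplayName, Enabled, Order
```

With `-Loopback` left at `None`, only machine policy in the GPO takes effect, which matches the note in Method 1 that user settings do not apply because no users are in the OU.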
System Policies in Windows NT 4.0 Terminal Services Edition are also implemented differently than on other Windows NT servers, as described in the following Knowledge Base article:
Q192794 How to Apply System Policies to Terminal Server
When possible, Terminal Services should be installed on Windows 2000 member servers instead of on domain controllers because the users need Log on Locally user rights. When the Log on Locally right is given to domain controllers, it is given to every domain controller in the domain because of the shared Active Directory database. Windows 2000 Member Servers are granted Log on Locally user rights by default in the Local Security Policy when Terminal Services is installed in Application Server mode.
For additional information about Log on Locally rights, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q247989 Domain Controllers Require the 'Log on Locally' Group Policy Object for Terminal Services Client Connections
Q234237 Assign Log On locally Rights to Windows 2000 Domain Controller
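A way to check which accounts currently hold the user rights this article names, added here as an example and not part of the original article. It assumes a server where PowerShell and `secedit.exe` are available and an elevated prompt; the temporary file name is constructed by the script.

```powershell
# Added example: report the holders of the user rights discussed in the article.
# Run elevated on the server under review (member server or domain controller).
$rights = [ordered]@{
    SeInteractiveLogonRight = 'Log on Locally'
    SeNetworkLogonRight     = 'Access this computer from the network'
    SeShutdownPrivilege     = 'Shut down the system'
}
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the effective User Rights Assignment to an INF file.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
    $lines = Get-Content -Path $cfg

    $report = foreach ($constant in $rights.Keys) {
        # A right that nobody holds has no line in the export.
        $line = $lines | Where-Object { $_ -match "^\s*$constant\s*=" } | Select-Object -First 1
        if (-not $line) { continue }
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($holder in $holders) {
            $name = $holder
            if ($holder.StartsWith('*')) {
                # Entries of the form *S-1-... are SIDs; resolve them when possible.
                try {
                    $sid  = [Security.Principal.SecurityIdentifier]$holder.Substring(1)
                    $name = $sid.Translate([Security.Principal.NTAccount]).Value
                } catch { $name = $holder }
            }
            [pscustomobject]@{ Right = $rights[$constant]; Constant = $constant; Holder = $name }
        }
    }
    $report | Sort-Object Right, Holder | Format-Table -AutoSize
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

Running it on a domain controller and on a Terminal Services member server shows the difference the article describes: a Log on Locally grant on one domain controller appears on every domain controller.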
Windows NT 4.0 Terminal Services Edition has the same concern with Log on Locally rights to domain controllers because of the common Security Accounts Manager (SAM) database replicated from the primary domain controller (PDC) to all backup domain controllers.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
Q186529 Local Policy Does Not Permit You to Log On Interactively