Article ID: 260370
This article was previously published under Q260370
Microsoft Windows Server 2003 Terminal Services servers and Microsoft Windows 2000 Terminal Services servers are installed for users in Application Server mode. When the Terminal Services servers are in an Active Directory domain, the domain administrator applies Group Policy objects (GPOs) to the Terminal Services server to control the user environment. This article describes the recommended process of applying GPOs to Terminal Services without adversely affecting other servers on the network.
There are two methods for applying GPOs to Terminal Services without adversely affecting other servers on the network.
Method 1
Put the Terminal Server computers into their own organizational unit (OU). This configuration permits relevant computer configuration settings to be put in GPOs that apply only to Terminal Server computers. This configuration does not affect the user experience on workstations or on other servers and lets you create a tightly controlled Terminal Server experience for users. This OU should not contain users or other computers so that domain administrators can fine-tune the Terminal Services experience. The OU can also be delegated for control to subordinate groups such as server operators or individual users.
To create a new OU for the Terminal Services servers, follow these steps:
Method 2
Use the Group Policy loopback feature to apply User Configuration GPO settings to users only when they log on to the Terminal Servers. When GPO Loopback processing is enabled for the computers in an OU that contains only Terminal Servers, those computers apply the User Configuration settings from the set of GPOs that apply to that OU. Additionally, those computers apply the User Configuration settings from GPOs that are linked to or inherited by the OU that contains the user's account.
This implementation is described in the following Knowledge Base article:
231287 (http://support.microsoft.com/kb/231287/) Loopback processing of Group Policy
System Policies in Windows NT 4.0 Terminal Services Edition are also implemented differently than on other Windows NT servers, as described in the following Knowledge Base article:
192794 (http://support.microsoft.com/kb/192794/) How to apply System Policies to Terminal Server
When it is possible, Terminal Services should be installed on member servers instead of on domain controllers because the users need Log on Locally user rights. When the Log on Locally right is assigned to domain controllers, it is assigned to every domain controller in the domain because of the shared Active Directory database. By default, member servers are granted Log on Locally user rights in the Local Security Policy when Terminal Services is installed in Application Server mode.
For additional information about Log on Locally rights, click the following article numbers to view the articles in the Microsoft Knowledge Base:
247989 (http://support.microsoft.com/kb/247989/) Domain controllers require the "Log on Locally" Group Policy object for Terminal Services client connections
234237 (http://support.microsoft.com/kb/234237/EN-US/) Assign Log On locally Rights to Windows 2000 Domain Controller
Windows NT 4.0 Terminal Services Edition has the same concern with Log on Locally rights to domain controllers because of the common Security Accounts Manager (SAM) database replicated from the primary domain controller (PDC) to all backup domain controllers.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
186529 (http://support.microsoft.com/kb/186529/) Local policy does not permit you to log on interactively
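The loopback behavior described under Method 2 can be modeled to predict which User Configuration settings a user receives on a workstation versus on a Terminal Server. The following Python sketch is an added example, not code from this article or from Microsoft; every OU, GPO and setting name in it is constructed. It assumes a simplified model without site or local GPOs, Block Inheritance, enforcement or security filtering, and it also covers the loopback Replace mode, which goes beyond the combined behavior described above.

```python
# Added illustration: a simplified model of Group Policy loopback processing.
# All OU, GPO and setting names below are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    loopback: str = ""   # Computer Configuration: "", "merge" or "replace"

# Constructed directory: container distinguished name -> GPOs linked there.
LINKS = {
    "DC=example,DC=com": [GPO("Domain Baseline", {"Screensaver lock": "on"})],
    "OU=Staff,DC=example,DC=com": [
        GPO("Staff Desktop", {"Run command": "shown", "Control Panel": "shown"})],
    "OU=Terminal Servers,DC=example,DC=com": [
        GPO("TS Lockdown", {"Run command": "hidden", "Drive C:": "hidden"},
            loopback="merge")],
}

def gpos_in_scope(dn):
    """GPOs that reach an object, least specific container first."""
    parts = dn.split(",")[1:]          # drop the object's own CN=
    containers = [",".join(parts[i:]) for i in range(len(parts))]
    return [g for c in reversed(containers) for g in LINKS.get(c, [])]

def effective_user_settings(user_dn, computer_dn, mode_override=None):
    computer_gpos = gpos_in_scope(computer_dn)
    # Loopback is a computer setting; the most specific GPO that sets it wins.
    mode = mode_override or next(
        (g.loopback for g in reversed(computer_gpos) if g.loopback), "")
    if mode == "replace":              # only the computer's GPO list is used
        order = computer_gpos
    elif mode == "merge":              # user's list first, computer's list last
        order = gpos_in_scope(user_dn) + computer_gpos
    else:                              # normal processing: user's list only
        order = gpos_in_scope(user_dn)
    settings = {}
    for gpo in order:                  # later GPOs overwrite earlier ones
        settings.update(gpo.user_settings)
    return settings

USER = "CN=alice,OU=Staff,DC=example,DC=com"
WORKSTATION = "CN=WS01,OU=Workstations,DC=example,DC=com"
TERMINAL_SERVER = "CN=TS01,OU=Terminal Servers,DC=example,DC=com"

if __name__ == "__main__":
    for pc in (WORKSTATION, TERMINAL_SERVER):
        print(pc.split(",")[0], effective_user_settings(USER, pc))
```

In the model, the same user keeps the Run command on the workstation but loses it on the Terminal Server, because the GPOs linked to the Terminal Servers OU are processed last and win any conflict.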
The computer account of the terminal server should be added to the security properties of the GPO being created for the loopback. To do this, follow these steps:
Article ID: 260370 - Last Review: October 30, 2006 - Revision: 3.2