Method 1
Put the Terminal Server computers into their own organizational unit (OU). This configuration permits relevant computer configuration settings to be put in GPOs that apply only to Terminal Server computers. This configuration does not affect the user experience on workstations or on other servers and lets you create a tightly controlled Terminal Server experience for users. This OU should not contain users or other computers so that domain administrators can fine-tune the Terminal Services experience. The OU can also be delegated for control to subordinate groups such as server operators or individual users.
To create a new OU for the Terminal Services servers, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Expand the left pane.
- Click domainname.xxx.
- On the Action menu, click New, and then click Organizational Unit.
- In the Name box, type a name for the Terminal Services server.
- Click OK.
The new Terminal Services OU now appears in the list in the left pane and contains no default objects. The Terminal Services servers reside in either the Computers OU or the Domain Controllers OU.
- Locate and then click the Terminal Services server or servers, click Action, and then click Move.
- In the Move dialog box, click the new Terminal Services server or servers, and then click OK.
- Click the new Terminal Services OU to verify that the move has successfully occurred.
- Click the new Terminal Services OU.
- On the Action menu, click Properties.
- Click the Group Policy tab.
- Click New to create the New Group Policy object.
- Click Edit to modify the Group Policy.
NOTE: Most of the relevant settings are under Computer Configuration, Security Settings, or Local Policies. For example, under User Rights Assignment in the list on the right, you find Log on Locally. This setting is required for logging on to a session on Terminal Services. You also find Access this computer from the network. This setting is required to connect to the server outside a Terminal Services session. This is also where you can prevent users from being able to shut down the system. The Security Options folder is where many of the restrictions should be made and where there are similar settings to the NTConfig.pol file in Windows NT 4.0 Server and Terminal Server Edition. Settings for the user part of the policy should not be applied here because the users have not been put into this OU with the Terminal Services server. This article is written for computer policy implementation.
- When modifications are completed, close the Group Policy editor, and then click Close to close OU Properties.
Method 2
Use the Group Policy loopback feature to apply User Configuration GPO settings to users only when they log on to the Terminal Servers. When GPO Loopback processing is enabled for the computers in an OU that contains only Terminal Servers, those computers apply the User Configuration settings from the set of GPOs that apply to that OU. Additionally, those computers apply the User Configuration settings from GPOs that are linked to or inherited by the OU that contains the user's account.
This implementation is described in the following Knowledge Base article:
For additional information about Log on Locally rights, click the following article numbers to view the articles in the Microsoft Knowledge Base:
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
The computer account of the terminal server should be added to the security properties of the GPO being created for the loopback. To do this, follow these steps:
- Select the GPO that is created for the loopback, and then click Properties.
- Click the Security tab, and then click Add.
- In the Select Users, Computers, or Groups box, select the computer account, and then click OK.
- Click the computer account from the Group or user names box.
- In the Permissions for computer name box, click to select the Read and Apply Group Policy check boxes in the Allow column.
- Click OK two times to close and save the policy settings.
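Both methods can also be scripted. The following PowerShell is an added example, not part of the original article: it creates the dedicated OU, moves the servers, links a GPO, enables loopback in merge mode (the behavior Method 2 describes), and grants each computer account Read and Apply Group Policy. It assumes a domain where the ActiveDirectory and GroupPolicy modules are available; the domain, OU, GPO and server names are hypothetical placeholders.

```powershell
# Added example, not from the original article.
# All names below are hypothetical placeholders; substitute your own.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = 'DC=example,DC=com'
$OuName   = 'Terminal Servers'
$GpoName  = 'Terminal Server Lockdown'
$Servers  = 'TS01', 'TS02'
$OuDN     = "OU=$OuName,$DomainDN"

# Method 1: dedicated OU that holds only the Terminal Services servers.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
foreach ($name in $Servers) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuDN
    }
}

# The article says this OU should not contain users; flag any that do.
$strayUsers = Get-ADUser -Filter * -SearchBase $OuDN
if ($strayUsers) { Write-Warning "User accounts found in ${OuDN}: $($strayUsers.SamAccountName -join ', ')" }

# Create the GPO if needed and link it to the new OU only.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
if ((Get-GPInheritance -Target $OuDN).GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OuDN | Out-Null
}

# Method 2: loopback processing. UserPolicyMode 1 = Merge, 2 = Replace.
# Merge also applies User Configuration from GPOs on the user's own OU.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Grant each server's computer account Read and Apply Group Policy on the GPO.
foreach ($name in $Servers) {
    Set-GPPermission -Name $GpoName -TargetName $name -TargetType Computer -PermissionLevel GpoApply | Out-Null
}

# Verify: OU membership and who can read/apply the GPO.
Get-ADComputer -Filter * -SearchBase $OuDN | Select-Object Name, DistinguishedName
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

Review the final `Get-GPPermission` output for trustees that should not be able to apply or edit the policy before relying on it.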