Hugh O'Donnell
I have:
1. Set up a server for Remote Desktop access.
2. Created a Security Group (acct_users) and only allow them to access this
TS.
3. Created OU for server (term_server) and linked GPO with loopback on it.
4. Set default application for TS via the GPO.
5. Set Domain Admin's "Apply this Policy" to Denied in the GPO.
My problem is,
1. When a Domain Admin TS's into this machine, they still run the default
app. (I'm sure this is because the loopback doesn't look at what user is
being run... but how do I implement this?)
2. Users can still jack around with the local drives from the application's
"Save As" dialog. Is there a way to keep them out of the local C & D drive
and still have the application run properly?
Can someone tell me the best way to implement this? I was thinking maybe
just a normal GPO that is applied only on the term_server machine by the
certain users. Will this work?
I want to make clear that these users also have access to their own
machines, which is completely acceptable. In other words, Joe Blow should
be able to still have his current rights on his own machine, but when
remoted into the term_server, I want to: limit where they can go, force
them to run a single app, etc.
Thank You,
Hugh