Thanks. Not (yet) using policies. As for the "Remote Desktop Users" group, I could define a new security group, and include that. Probably be easiest. Just means I have to authorize them before they can connect work remotely, but I want that, anyway. :-) (at the moment, it's all domain users)

Thanks for the insights, and the verification about license issuance.

--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA 19106
<mailto:mleone@xxxxxxxxxxxxxxxxxxxx>
V: 215-627-1752 x1282
F: 215-627-5354

-----Original Message-----
From: Jim Hathaway [mailto:JimH@xxxxxxxxxxxxxxx]
Sent: Thursday, March 18, 2004 5:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting access to Win2003 TS

That's one way to do it yes, although that method requires you to make manual changes to all users or to try out your hand at some ADSI scripting.

Here's 3 other ways to do this which should not require so much effort in making manual changes to user accounts.

1) Since you're using windows 2003 terminal services, you can also use group policies to control who can and can't login to your TS servers.

Under group policy, go to "computer config - windows settings - security settings - local policies - user rights"

Two policy options are available under this area:
"Allow login to terminal services"
"Deny login to terminal services"

2) Windows 2003 terminal servers have a default local group called "remote desktop users", the members of this group by default are "NTauthority/authenticated users", you could remove this default group member and replace it with a security group from your domain that you want to allow access to your TS servers. You would need to make this change to each TS server you'd like to restrict like this.

3) You can also set security permissions on RDP and ICA connections.
For example, you could create a new NTFS security group, and deny that group from being able to connect via the protocol (RDP / ICA) to your servers. This kind of setup would require manual changes to each server.

Load up the "terminal services configuration" tool, click "connections", on the right side of the display, right click on whatever protocol you want to change permissions for and go to properties. You should see a tab for "permissions" where you can set the values you want for the NTFS security groups you want.

Probably the easiest way to do this if you're unfamiliar with AD, is #2.

HTH
J

BTW - Philip is correct, and the same still applies for windows 2003, TS licenses are not fully assigned to devices or users until 3 TS based connections have been made with that user account, or from a particular device.

-----Original Message-----
From: Philip Walley [mailto:philip.walley@xxxxxxxxxxxxxx]
Sent: Thursday, March 18, 2004 1:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting access to Win2003 TS

That sounds right. I am not sure on 2003, but in 2000 (once the licensing enhancement pack was installed) the computer was issued a temp license the first time it connected and then was issued the TS license on the 2nd connection. In this case, if that user/computer never connects, it will not pull a license.

Philip Walley
Sr. Network Engineer
Consultrix Technologies
Memphis, TN.

Consultrix Help Desk: (601) 956-8909
Memphis Office: (901) 383-1300
Memphis Fax: (901) 383-1375

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Leone, Michael
Posted At: Thursday, March 18, 2004 2:27 PM
Posted To: The thin mailing list
Conversation: [THIN] Restricting access to Win2003 TS
Subject: [THIN] Restricting access to Win2003 TS

I'm new to using AD.
Am I correct in assuming that if I go into AD Users and Computers, and change the Terminal Services Profile tab of one of my users, and uncheck "Allow logon to terminal server", this user will not be allowed to access the LAN via TS (obviously ... :-), but also won't tie up a license?

I have all per-device licenses, and will soon be activating the License Server service on my new Win2003 TS with these new licenses. Am I correct in assuming that this is the proper way of limiting remote access, as well as denying the issuance of licenses (and leaving them free for others to use)?

--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA 19106
<mailto:mleone@xxxxxxxxxxxxxxxxxxxx>
V: 215-627-1752 x1282
F: 215-627-5354

********************************************************
This weeks sponsor Emergent Online.
Emergent OnLine is the leading server-based computing consulting integration firm in the nation. Emergent OnLine delivers expert consulting services you can depend on.
http://www.go-eol.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
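
Added example, not part of the original thread: option 2 from the reply above (swap the default member of the local "Remote Desktop Users" group for one domain security group) applied to several servers at once. It assumes servers that have PowerShell remoting and the LocalAccounts cmdlets (Windows PowerShell 5.1 or later, so not the Windows 2003 tooling the thread was written for); the server names and the domain group name are hypothetical placeholders.

```powershell
# Added example. Run with -WhatIf first to see the planned changes without making them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Servers      = @('TS01', 'TS02'),          # hypothetical terminal servers
    [string]  $AllowedGroup = 'EXAMPLE\TS-Remote-Users'   # hypothetical domain security group
)

$localGroup = 'Remote Desktop Users'

foreach ($server in $Servers) {
    # Read the group's current membership on the remote server.
    $current = @(Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group $using:localGroup |
            Select-Object -ExpandProperty Name
    })

    # Add the approved group first, so authorized users are never locked out
    # between the add and the removals.
    if ($current -notcontains $AllowedGroup) {
        if ($PSCmdlet.ShouldProcess("$server\$localGroup", "Add $AllowedGroup")) {
            Invoke-Command -ComputerName $server -ScriptBlock {
                Add-LocalGroupMember -Group $using:localGroup -Member $using:AllowedGroup
            }
        }
    }

    # Remove every other member (for example a broad default such as
    # Authenticated Users or Domain Users).
    foreach ($member in $current | Where-Object { $_ -ne $AllowedGroup }) {
        if ($PSCmdlet.ShouldProcess("$server\$localGroup", "Remove $member")) {
            Invoke-Command -ComputerName $server -ScriptBlock {
                Remove-LocalGroupMember -Group $using:localGroup -Member $using:member
            }
        }
    }

    # One record per server: what was there before, and what is approved now.
    [pscustomobject]@{
        Server   = $server
        Before   = $current -join '; '
        Approved = $AllowedGroup
    }
}
```

The per-server record is worth keeping as a change log, since the thread notes this setting has to be made on each terminal server separately.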