[THIN] Re: Restricting access to Win2003 TS

  • From: "Leone, Michael" <MLeone@xxxxxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 19 Mar 2004 12:26:58 -0500

Thanks. Not (yet) using policies.
As for the "Remote Desktop Users" group, I could define a new security
group, and include that. That would probably be easiest. It just means I have to authorize
them before they can connect to work remotely, but I want that, anyway. :-)
(at the moment, it's all domain users)

Thanks for the insights, and the verification about license issuance.


--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA  19106
<mailto:mleone@xxxxxxxxxxxxxxxxxxxx>
V: 215-627-1752 x1282
F: 215-627-5354

-----Original Message-----
From: Jim Hathaway [mailto:JimH@xxxxxxxxxxxxxxx]
Sent: Thursday, March 18, 2004 5:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting access to Win2003 TS


That's one way to do it, yes, although that method requires you to make
manual changes to all users or to try your hand at some ADSI
scripting.

Here are 3 other ways to do this which should not require so much effort
in making manual changes to user accounts.

1) Since you're using Windows 2003 Terminal Services, you can also use
group policies to control who can and can't log in to your TS servers.

Under group policy, go to "computer config - windows settings - security
settings - local policies - user rights"

Two policy options are available under this area:

"Allow login to terminal services"
"Deny login to terminal services"

2) Windows 2003 terminal servers have a default local group called
"remote desktop users". The members of this group by default are
"NTauthority/authenticated users"; you could remove this default group
member and replace it with a security group from your domain that you
want to allow access to your TS servers. You would need to make this
change to each TS server you'd like to restrict like this.

3) You can also set security permissions on RDP and ICA connections. For
example, you could create a new NTFS security group, and deny that group
from being able to connect via the protocol (RDP / ICA) to your servers.
This kind of setup would require manual changes to each server.

Load up the "terminal services configuration" tool, click "connections",
on the right side of the display, right-click on whatever protocol you
want to change permissions for and go to properties. You should see a
tab for "permissions" where you can set the values you want for the NTFS
security groups you want.

Probably the easiest way to do this if you're unfamiliar with AD, is #2.


HTH

J

BTW - Philip is correct, and the same still applies for Windows 2003: TS
licenses are not fully assigned to devices or users until 3 TS-based
connections have been made with that user account, or from a particular
device.
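As an added example (not part of this thread), here is a PowerShell script that audits method #2 above across a list of terminal servers, reporting any server whose local "Remote Desktop Users" group still contains the default "Authenticated Users" member, and optionally swapping it for a domain security group. The server names and the domain group "CORP\TS-Allowed" are placeholders; it uses the WinNT ADSI provider so it needs no extra modules and must run with local admin rights on each server.

```powershell
# Added example: audit (and optionally fix) the local "Remote Desktop Users"
# group on each terminal server, as described in method #2 of the thread.
# Assumptions: 'TS01'/'TS02' and 'CORP/TS-Allowed' are placeholders.
param(
    [string[]] $Servers = @('TS01', 'TS02'),                     # placeholder hostnames
    [string]   $AllowedGroup = 'WinNT://CORP/TS-Allowed,group',  # placeholder domain group
    [switch]   $Remediate                                        # replace default member when set
)

function Get-LocalGroupMemberPaths {
    param([string] $Server, [string] $GroupName)
    # The WinNT ADSI provider reads local group membership on older servers too
    $group = [ADSI]"WinNT://$Server/$GroupName,group"
    $members = @($group.psbase.Invoke('Members'))
    foreach ($m in $members) {
        # Each member is a COM object; pull its ADsPath (e.g. WinNT://CORP/Someone)
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

foreach ($server in $Servers) {
    try {
        $paths = @(Get-LocalGroupMemberPaths -Server $server -GroupName 'Remote Desktop Users')
    } catch {
        Write-Warning "$server : could not read group ($($_.Exception.Message))"
        continue
    }
    # The default member is the well-known NT AUTHORITY\Authenticated Users principal
    $default = $paths | Where-Object { $_ -match 'Authenticated Users$' }
    $status = if ($default) { 'OPEN (Authenticated Users still a member)' } else { 'restricted' }
    Write-Output ("{0}: {1}" -f $server, $status)
    $paths | ForEach-Object { Write-Output "    member: $_" }

    if ($Remediate -and $default) {
        $group = [ADSI]"WinNT://$server/Remote Desktop Users,group"
        $group.Add($AllowedGroup)    # grant the intended domain group first
        $group.Remove($default)      # then drop the default open membership
        Write-Output "    remediated: replaced Authenticated Users with $AllowedGroup"
    }
}
```

Run it without -Remediate first to see which servers are still open; note that this only covers method #2, so a server can still be reached by an account granted the "Allow log on" user right through group policy (method #1).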

-----Original Message-----
From: Philip Walley [mailto:philip.walley@xxxxxxxxxxxxxx]
Sent: Thursday, March 18, 2004 1:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting access to Win2003 TS

That sounds right. I am not sure on 2003, but in 2000 (once the
licensing enhancement pack was installed) the computer was issued a temp
license the first time it connected and then was issued the TS license
on the 2nd connection. In this case, if that user/computer never
connects, it will not pull a license.

Philip Walley
Sr. Network Engineer
Consultrix Technologies
Memphis, TN.

Consultrix Help Desk: (601) 956-8909
Memphis Office: (901) 383-1300
Memphis Fax: (901) 383-1375


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Leone, Michael
Posted At: Thursday, March 18, 2004 2:27 PM
Posted To: The thin mailing list
Conversation: [THIN] Restricting access to Win2003 TS
Subject: [THIN] Restricting access to Win2003 TS


I'm new to using AD. Am I correct in assuming that if I go into AD Users
and Computers, and change the Terminal Services Profile tab of one of my
users, and uncheck "Allow logon to terminal server", this user will not
be allowed to access the LAN via TS (obviously ... :-), but also won't
tie up a license? I have all per-device licenses, and will soon be
activating the License Server service on my new Win2003 TS with these
new licenses. Am I correct in assuming that this is the proper way of
limiting remote access, as well as denying the issuance of licenses (and
leaving them free for others to use)?
--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA  19106
<mailto:mleone@xxxxxxxxxxxxxxxxxxxx>
V: 215-627-1752 x1282
F: 215-627-5354


********************************************************
This week's sponsor: Emergent Online.
Emergent OnLine is the leading server-based computing consulting
integration firm in the nation. Emergent OnLine delivers expert
consulting services you can depend on.
http://www.go-eol.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm