
Allowing access to TS1 but not TS2


  • Allowing access to TS1 but not TS2

    Hi all,
    I've just added a 2nd TS into our network and I'm trying to migrate some users to the new TS. They aren't load balanced or in a cluster.
    Basically I want some users to only be able to log on to TS2.
    I created 2 security groups in ADUC: 'TS1 users' and 'TS2 users'. What I then did was, using the advanced view, go into the 'security' tab of the TS1 computer object, add 'TS2 users' to the list and deny them ALL access.
    Yet they can still get into TS1.
    The real problem here is the users could easily log back in to TS1, deliberately or otherwise, unless I can lock them down.
    We don't use roaming profiles, so it would mean I'd have to go round to each PC and put the correctly configured RDP file on that particular user's desktop, which is a lot of work.
    So.....any idea why what I've tried so far hasn't worked?
    I obviously cannot check the box in AD which states "deny user access to all terminal servers", cos then they'd get nothing.

    Any help appreciated, thanks.


  • #2
    Re: Allowing access to TS1 but not TS2

    You need to configure the permission settings on the RDP protocol on each TS. There are a number of ways you could do this, here's one:

    In the permissions settings on the RDP protocol on TS1 (in the Terminal Server Configuration console), remove the Remote Desktop Users group, the Everyone group if it's listed, the Authenticated Users group if it's listed, and the Domain Users group if it's listed. Then add the TS1 Users group with the User Access and Group Access set to Allow.

    Do the same for TS2 with the TS2 Users group.

    In both cases, make sure to leave all of the remaining permissions as they are so that you can log on as Administrator to manage the servers.


    • #3
      Re: Allowing access to TS1 but not TS2

      Hi Joe,
      thanks for the input. However if I go to my DC and look at TSCM, there is only one RDP connection, so I'm not sure how I can alter the permission on that as it's not specifically pointing towards either TS. It gives the option to create a new connection, but how do I know which RDP connection is which TS?
      Or am I getting this wrapped around my neck? (wouldn't be the first time)

      Thanks again.


      • #4
        Re: Allowing access to TS1 but not TS2

        You have to do this from each TS. Log on to the TS server, go to Administrative Tools, then to Terminal Services Configuration; there you'll see a Connections folder in the left pane and the RDP-Tcp protocol in the right pane. Double-click the RDP-Tcp protocol object and go to the Permissions tab; there you'll see what I'm referring to.


        • #5
          Re: Allowing access to TS1 but not TS2

          Or am I getting this wrapped around my neck? (wouldn't be the first time)
          The answer to my own quote is YES, I am.
          I've sorted it now, thanks.
          I logged into one of the TSs, went into TSC and found BOTH connections.
          But rather than deleting certain groups I just added the TS2 users group and denied all, seeing as deny takes precedence over allow.
          And it worked. The user I have been testing can no longer access TS1, but can still access TS2.

          Thanks again Joe....ya be da man!


          • #6
            Re: Allowing access to TS1 but not TS2

            As I said, there are a number of ways to do it and you found one of the other ways. Glad to help.


            • #7
              Re: Allowing access to TS1 but not TS2

               Lol, ok before you run off.....
               ....I got one user working, and a 2nd one half working.
               I say half, because I can log in to TS2 as the user from an external source, but not from my PC that I've been doing all the configs from.
               I logged in as the 1st user from my PC, but not as the 2nd user from my PC. It comes up with the error box that I expect to get about remote desktop users etc etc...
               Could it be some restriction on how many RDP sessions can be made from my specific PC? Even though I've logged out of ALL other connections to TS2 from my PC.

              Thought it was too good to be true.


              • #8
                Re: Allowing access to TS1 but not TS2

                Double-check the RDP-Tcp permissions on TS1 and TS2 for the TS1 Users group and the TS2 Users group, and check the membership of each group. Also, check TS Manager to see if there are any connections. If this is TS in remote administration mode then only three connections total are allowed (1 console, 2 RDP).
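The checks asked for here (the RDP-Tcp permission entries on each server, membership of the two groups, and whether the deny actually lands where it should) can be scripted instead of tested by logging on as each user. The following is an added example, not code from the thread or from Microsoft. It assumes the server names TS1 and TS2 and the group names 'TS1 Users' and 'TS2 Users' used in the thread, the Terminal Services WMI provider (namespace root\cimv2\TerminalServices, class Win32_TSAccount) with the WINSTATION_LOGON bit value 0x20 from that class's documentation, and the ADSI WinNT provider for reading group membership. Run it from an account that is an administrator on both servers.

```powershell
# Added example (not from the thread): audit RDP-Tcp logon rights on each TS and
# the membership of the two AD groups.
# Assumed names: servers TS1/TS2, groups 'TS1 Users'/'TS2 Users'.
# Assumed API: Win32_TSAccount in root\cimv2\TerminalServices; logon bit 0x20 in
# PermissionsAllowed/PermissionsDenied (check against your OS version).

$plan = @{ 'TS1' = 'TS1 Users'; 'TS2' = 'TS2 Users' }
$WINSTATION_LOGON = 0x20

# Broad groups that post #2 says to remove from RDP-Tcp; flagged if they still grant logon.
$broadGroups = @('Everyone', 'Authenticated Users', 'Remote Desktop Users', 'Domain Users')

function Get-GroupMembers([string]$Group) {
    # ADSI WinNT provider: works against 2003-era domains without the AD module.
    $g = [ADSI]"WinNT://$env:USERDOMAIN/$Group,group"
    $g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-TSLogonSplit {
    param([hashtable]$Plan)
    $findings = @()

    foreach ($server in $Plan.Keys) {
        $allowedGroup = $Plan[$server]
        $deniedGroups = @($Plan.Values | Where-Object { $_ -ne $allowedGroup })

        $aces = Get-WmiObject -ComputerName $server `
            -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
            -Filter "TerminalName='RDP-Tcp'"

        foreach ($ace in $aces) {
            $name  = ($ace.AccountName -split '\\')[-1]
            $allow = ($ace.PermissionsAllowed -band $WINSTATION_LOGON) -ne 0
            $deny  = ($ace.PermissionsDenied  -band $WINSTATION_LOGON) -ne 0
            # Deny beats allow, which is why post #5's "add the group and deny all" works.
            $effective = if ($deny) { 'DENIED' } elseif ($allow) { 'allowed' } else { 'no logon bit' }
            Write-Host ("{0}: {1,-30} logon {2}" -f $server, $ace.AccountName, $effective)

            if (($broadGroups -contains $name) -and $allow -and -not $deny) {
                $findings += "$server: broad group '$name' can still log on"
            }
        }

        # The other server's group must be present with logon denied.
        foreach ($g in $deniedGroups) {
            $hit = $aces | Where-Object { ($_.AccountName -split '\\')[-1] -eq $g }
            if (-not $hit -or (($hit.PermissionsDenied -band $WINSTATION_LOGON) -eq 0)) {
                $findings += "$server: '$g' is not explicitly denied logon"
            }
        }
    }

    # A user in both groups is denied on both servers once each server denies
    # the other group, so report the overlap.
    $names = @($Plan.Values)
    $a = @(Get-GroupMembers $names[0]); $b = @(Get-GroupMembers $names[1])
    $overlap = Compare-Object $a $b -IncludeEqual -ExcludeDifferent | ForEach-Object { $_.InputObject }
    foreach ($u in $overlap) {
        $findings += "user '$u' is in both '$($names[0])' and '$($names[1])' and will be denied on both servers"
    }

    return $findings
}

$result = Test-TSLogonSplit $plan
if ($result.Count -eq 0) { Write-Host 'No findings: the TS1/TS2 split looks consistent.' }
else { $result | ForEach-Object { Write-Host "FINDING: $_" } }
```

The per-entry lines show the effective logon right for every account on each server's RDP-Tcp connection; the findings list is empty only when each server explicitly denies the other server's group, no broad group still grants logon, and nobody sits in both groups.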


                • #9
                  Re: Allowing access to TS1 but not TS2

                  Just cannot figure this one out, Joe.
                  It won't let me log in as any of the users in the group that has been allowed access now, from a different PC.
                  Double-checked the permissions and they seem spot on.
                  DENY permissions take precedence so no need to delete anything from the list afaik.
                  Another thing though, before trying to log any user onto TS2, I'd redirected the TS user profile in ADUC to point to the fileserver. (\\storageserver\Profiles\%username%)
                  That setting is still in place, yet upon checking Documents and Settings on TS2 the user also has a profile in there dating from today (when I managed to log in as them, but now can't) and the profile is bigger than the one in the set path.
                  Does that make any sense?
                  My Computer > Properties > Advanced > Settings (User Profiles)... the offending user accounts are set as roaming?? I've changed them to local, but it's made no difference, still cannot log in as them.
                  What a farce, on a Saturday evening too......ggrrrrrrrrr!!


                  • #10
                    Re: Allowing access to TS1 but not TS2

                    There's always going to be a local copy of the profile. When the user logs on, their roaming profile is copied from the network to the server, the profile then "runs" from the server, not from the network. When they log off of the server, the profile is copied back down from the server to the network. There is a setting to remove cached profiles after the user logs off, but I suspect that's not enabled. It wouldn't be the cause of the problem anyway. Here's what I would suggest:

                    Delete the profile from the server and from the network share. Then try to log on to the server and see what happens.
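To see the situation this post describes on a real server (the cached local copy next to the central copy it is synced to, and whether the policy that removes the cached copy at logoff is set), the following added example, not code from the thread or from Microsoft, reads the profile list on the TS and compares folder sizes. It assumes the server name TS2, remote registry and admin-share access to it, and the standard registry locations: ProfileList under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (ProfileImagePath and CentralProfile values) and the DeleteRoamingCache policy value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System.

```powershell
# Added example (not from the thread): list roaming profiles cached on a TS,
# compare local and central sizes, and show whether cached copies are deleted
# at logoff. Assumed server name: TS2. Assumed registry locations as in the lead-in.

$server = 'TS2'

function Get-FolderSizeMB([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    $bytes = (Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    return [math]::Round($bytes / 1MB, 1)
}

function Get-CachedProfileReport([string]$Server) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)

    # "Delete cached copies of roaming profiles" policy: DWORD DeleteRoamingCache = 1.
    $policy = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\System')
    $deleteCache = if ($policy) { $policy.GetValue('DeleteRoamingCache') } else { $null }
    $state = if ($deleteCache -eq 1) { 'enabled (local copy removed at logoff)' } else { 'not set (local copy kept)' }
    Write-Host ("{0}: DeleteRoamingCache {1}" -f $Server, $state)

    $list = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList')
    $report = @()
    foreach ($sid in $list.GetSubKeyNames()) {
        if ($sid -notlike 'S-1-5-21-*') { continue }        # skip system and service SIDs
        $k = $list.OpenSubKey($sid)
        $localPath = [string]$k.GetValue('ProfileImagePath')  # e.g. C:\Documents and Settings\user
        $central   = [string]$k.GetValue('CentralProfile')    # e.g. \\storageserver\Profiles\user
        if (-not $central) { continue }                       # purely local profile, nothing to compare

        # Reach the server's local profile folder through its admin share (C: -> C$).
        $localUnc = "\\$Server\" + $localPath.Replace(':', '$')
        $report += New-Object PSObject -Property @{
            Sid            = $sid
            LocalPath      = $localPath
            CentralProfile = $central
            LocalMB        = Get-FolderSizeMB $localUnc
            CentralMB      = Get-FolderSizeMB $central
        }
    }
    return $report
}

Get-CachedProfileReport $server |
    Format-Table LocalPath, CentralProfile, LocalMB, CentralMB -AutoSize
```

A local copy larger than the central one is what you would expect to see while a session is still open or after a logoff that did not finish copying back; the table makes that visible per user before anything is deleted. If DeleteRoamingCache is not set, the cached copy on the TS is expected to remain after logoff, exactly as this post says.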


                    • #11
                      Re: Allowing access to TS1 but not TS2

                      Hi Joe,
                      right, last night I decided to take out all the permissions that I added to the TSs (RDP connections in TSM).
                      Odd thing is, it's now working as I intended, god knows how. And I'm totally expecting it to break again, possibly when I reboot either TS.
                      I get what you're saying about the local and network profiles.
                      I have 'My Docs' redirected manually, not using GPO, and the local profiles are quite a bit larger than the network ones. It seems to be app data that's bigger in size (I think). Not too sure why.
                      Unfortunately creating a new profile is a bit of a hassle as I'm upgrading their Outlook from 2003 to 2007 for one, and by using their existing profiles it's a lot easier for it to transfer. It also keeps the .NK2 files and stationery settings too.
                      I have about 20 accounts to move onto the new TS and don't want to have to re-create profiles. There was one that when copied to the network profile share just wouldn't load (instead TS loaded a temp one up at login). I had to create a new one and copy relevant stuff back in (desktop, faves etc).

                      So, I'll keep at it, and no doubt I'll have users moaning at me tomorrow, but they can flippin well moan. I'm off to watch my son's first ice hockey match of the can wait!
                      Thanks for all your help buddy.