new 2008 R2 RDP and TS
  • new 2008 R2 RDP and TS

    I added a 2008 R2 SP1 to a 2003 domain. I would like to enable TS so users can use it for the only app on it. Also remote admin for myself. Will it pick up the domain group policy TS lock down? Are there any caveats or tips for making this as painless as possible?

  • #2
    Re: new 2008 R2 RDP and TS

    You need to apply the GPO to an OU and put the server in that OU for it to get the TS Lockdown policy.

    For the server to run as an RDSH server, you need to install the role and you should also reinstall the application. You also need to make sure you purchase and install RDS CALs.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: new 2008 R2 RDP and TS

      2 weeks?? Sorry for the delay - too many fires to put out.

      Just got the cals. I believe you get 120 days with cals. Should I make the RDSH server the license server and activate it?

      After adding the RDS role, I moved it into the TS OU. The domain TS policy seems to be only partly applied - local drives are restricted and network drives are present as they should be but the desktop wallpaper is not applied, IE works, all programs are on the start menu, admin tools are there, the network is accessible. I uninstalled the app and reinstalled it after adding the RDS role.

      EDIT: Unless I misread it, the Add Roles Wizard said Network Level Authentication would not work with XP clients so I did not choose it. Then I saw this which says it does.
      Last edited by vndic8; 12th October 2011, 06:44.



      • #4
        Re: new 2008 R2 RDP and TS

        If you want to apply user settings based on the computer they're logging on to you'll need to configure the loopback policy.

        More info: http://technet.microsoft.com/en-us/l...70(WS.10).aspx
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: new 2008 R2 RDP and TS

          Are you saying to override the domain policy with a local computer policy?
          I take it I should make this server the license server.



          • #6
            Re: new 2008 R2 RDP and TS

            Originally posted by vndic8:
            Are you saying to over ride the domain policy with a local computer policy?
            No, don't use the local computer policy. You said that not all the settings are being applied in the domain TS policy, namely the wallpaper. This is a user setting and needs to be applied to the user. To do this, you need to configure loopback processing so that the domain TS policy will be appended (merge mode) to the list of GPOs or replace (replace mode) the list of GPOs for the user to apply at logon.


            Originally posted by vndic8:
            I take it I should make this server the license server
            The license server can be any server that has enough resources (not very intensive) and should be fine on the TS but I usually put it on a different server.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: new 2008 R2 RDP and TS

              Originally posted by JeremyW:
              No, don't use the local computer policy. You said that not all the settings are being applied in the domain TS policy, namely the wallpaper. This is a user setting and needs to be applied to the user. To do this, you need to configure loopback processing so that the domain TS policy will be appended (merge mode) to the list of GPOs or replace (replace mode) the list of GPOs for the user to apply at logon.
              I tried both replace and merge separately on the DC and the RDS server, no joy. Presently on 2003 TSs, the domain TS policy is correctly interpreted and loopback processing is not configured. Do R2 machines interpret 2003 GPOs differently than 2003 boxes?

              Local users do not get the wallpaper; it is only part of the domain TS policy, so it is applied to every user that logs on to the TS.

              Originally posted by JeremyW:
              The license server can be any server that has enough resources (not very intensive) and should be fine on the TS but I usually put it on a different server.
              No license server is necessary, RDS user cals are not physically put/applied/entered anywhere, it is done on the "honor system". You just need to have them in case you're audited.



              • #8
                Re: new 2008 R2 RDP and TS

                bump

                anyone?



                • #9
                  Re: new 2008 R2 RDP and TS

                  No bumps, please.

                  As to your question:

                  1. You'll need W2K8 R2 TS/RDS CAL's

                  2. You'll need a W2K8 R2 TS/RDS license server

                  3. If the W2K8 server is in the GPO path (Scope of Management) then it will pick up the TS lockdown settings.



                  • #10
                    Re: new 2008 R2 RDP and TS

                    Originally posted by joeqwerty:
                    No bumps, please.

                    As to your question:

                    1. You'll need W2K8 R2 TS/RDS CAL's

                    2. You'll need a W2K8 R2 TS/RDS license server

                    3. If the W2K8 server is in the GPO path (Scope of Management) then it will pick up the TS lockdown settings.
                    W2K8 R2 RDS CAL's acquired and installed

                    W2K8 R2 RDS license server activated

                    W2K8 R2 RDSH server in TS OU. How does one check if server is in the proper GPO path?



                    • #11
                      Re: new 2008 R2 RDP and TS

                      Run GPRESULTS against the server in GPMC or RSOP.msc from the server to see what GPO's are being applied and denied, and why.



                      • #12
                        Re: new 2008 R2 RDP and TS

                        A good one to use for a review is to run gpresult /h gpo.html from the 2008 server and review the results. You may need to run CMD explicitly as an administrator, just in case.



                        • #13
                          Re: new 2008 R2 RDP and TS

                          The R2 box is in the TS OU and testprofile is just in domain\users.


                          RSOP data for mydomain\testprofile on R2box : Logging Mode
                          -----------------------------------------------------------------

                          OS Configuration: Member Server
                          OS Version: 6.1.7601
                          Site Name: N/A
                          Roaming Profile: \\DC1\tsusers\testprofile.mydomain.
                          Local Profile: C:\Users\testprofile
                          Connected over a slow link?: No


                          USER SETTINGS
                          --------------
                          CN=testprofile,OU=anotherone,OU=Staff,DC=mydomain, DC=local
                          Last time Group Policy was applied: 10/24/2011 at 2:13:15 PM
                          Group Policy was applied from: DC1.mydomain.local
                          Group Policy slow link threshold: 500 kbps
                          Domain Name: mydomain
                          Domain Type: Windows 2000

                          Applied Group Policy Objects
                          -----------------------------
                          Terminal Server Lockdown
                          Default Domain Policy
                          Redirection
                          Logon
                          Default Domain Policy

                          The following GPOs were not applied because they were filtered out
                          -------------------------------------------------------------------
                          Local Group Policy
                          Filtering: Not Applied (Empty)

                          Local Group Policy
                          Filtering: Not Applied (Empty)

                          Outside Domain GPO
                          Filtering: Not Applied (Empty)

                          Security
                          Filtering: Not Applied (Empty)

                          Outside Domain GPO
                          Filtering: Not Applied (Empty)

                          The user is a part of the following security groups
                          ---------------------------------------------------
                          Domain Users
                          Everyone
                          Remote Desktop Users
                          BUILTIN\Users
                          REMOTE INTERACTIVE LOGON
                          NT AUTHORITY\INTERACTIVE
                          NT AUTHORITY\Authenticated Users
                          This Organization
                          LOCAL
                          Medium Mandatory Level
                          gpresult /r /s R2box (on R2box)

                          RSOP data for mydomain\administrator on R2box : Logging Mode
                          -------------------------------------------------------------------

                          OS Configuration: Member Server
                          OS Version: 6.1.7601
                          Site Name: Default-First-Site-Name
                          Roaming Profile: \\DC1\tsusers\administrator.mydomain
                          Local Profile: C:\Users\administrator.mydomain
                          Connected over a slow link?: No


                          COMPUTER SETTINGS
                          ------------------
                          CN=R2box,OU=Terminal Servers,DC=mydomain,DC=local
                          Last time Group Policy was applied: 10/24/2011 at 1:12:21 PM
                          Group Policy was applied from: DC1.mydomain.local
                          Group Policy slow link threshold: 500 kbps
                          Domain Name: mydomain
                          Domain Type: Windows 2000

                          Applied Group Policy Objects
                          -----------------------------
                          Terminal Server Lockdown
                          Default Domain Policy
                          Local Group Policy

                          The following GPOs were not applied because they were filtered out
                          -------------------------------------------------------------------
                          Outside Domain GPO
                          Filtering: Not Applied (Empty)

                          The computer is a part of the following security groups
                          -------------------------------------------------------
                          BUILTIN\Administrators
                          Everyone
                          BUILTIN\Users
                          NT AUTHORITY\NETWORK
                          NT AUTHORITY\Authenticated Users
                          This Organization
                          R2box$
                          Domain Computers
                          System Mandatory Level


                          USER SETTINGS
                          --------------
                          CN=Administrator,CN=Users,DC=mydomain,DC=local
                          Last time Group Policy was applied: 10/24/2011 at 1:14:51 PM
                          Group Policy was applied from: DC1.mydomain.local
                          Group Policy slow link threshold: 500 kbps
                          Domain Name: mydomain
                          Domain Type: Windows 2000

                          Applied Group Policy Objects
                          -----------------------------
                          Default Domain Policy
                          Default Domain Policy

                          The following GPOs were not applied because they were filtered out
                          -------------------------------------------------------------------
                          Terminal Server Lockdown
                          Filtering: Denied (Security)

                          Local Group Policy
                          Filtering: Not Applied (Empty)

                          Local Group Policy
                          Filtering: Not Applied (Empty)

                          Outside Domain GPO
                          Filtering: Not Applied (Empty)

                          Outside Domain GPO
                          Filtering: Not Applied (Empty)

                          The user is a part of the following security groups
                          ---------------------------------------------------
                          Domain Users
                          Everyone
                          Remote Desktop Users
                          BUILTIN\Users
                          BUILTIN\Administrators
                          REMOTE INTERACTIVE LOGON
                          NT AUTHORITY\INTERACTIVE
                          NT AUTHORITY\Authenticated Users
                          This Organization
                          LOCAL
                          Local Admin
                          Domain Admins
                          Group Policy Creator Owners
                          Schema Admins
                          Exchange Recipient Administrators
                          Exchange View-Only Administrators
                          Exchange Organization Administrators
                          Exchange Public Folder Administrators
                          High Mandatory Level

                          I assume 2008 R2 is backward compatible with 2003 GPOs.

                          That HTML file produced by gpresult /h gpo.html only opens the browser to the home page. (168KB)

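As an added example that is not from any of the posts, a small parser that reads gpresult /r text like the listing above and reports, per settings section, which GPOs applied and which were filtered out and why, so a "Denied (Security)" entry such as the one for Terminal Server Lockdown stands out. The embedded sample is constructed in that layout using the thread's GPO names.

```python
# Constructed sample in gpresult /r layout; added example, not code from the thread.
SAMPLE = """\
COMPUTER SETTINGS
------------------
Applied Group Policy Objects
Terminal Server Lockdown
Default Domain Policy
The following GPOs were not applied because they were filtered out
Outside Domain GPO
Filtering: Not Applied (Empty)

USER SETTINGS
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Terminal Server Lockdown
Filtering: Denied (Security)

The user is a part of the following security groups
Domain Admins
"""

def parse_gpresult(text):
    result, section, mode, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # skip blanks and underline rules
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            section = result.setdefault(line, {"applied": [], "filtered": {}})
            mode = None
        elif line == "Applied Group Policy Objects":
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif line.endswith("is a part of the following security groups"):
            mode = None                               # group list follows; stop collecting
        elif mode == "applied":
            section["applied"].append(line)
        elif mode == "filtered" and line.startswith("Filtering:"):
            section["filtered"][pending] = line.split(":", 1)[1].strip()
        elif mode == "filtered":
            pending = line                            # GPO name; its reason comes next
    return result

def denied_by_security(parsed):
    """(section, GPO) pairs that security filtering blocked, as opposed to empty GPOs."""
    return sorted((sec, gpo) for sec, d in parsed.items()
                  for gpo, why in d["filtered"].items() if why.startswith("Denied"))
```

Running `denied_by_security(parse_gpresult(...))` over saved gpresult /r output from the server gives the list of GPOs whose ACL (missing or denied Apply Group Policy right) rather than a scoping problem is the reason they did not apply.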


                          • #14
                            Re: new 2008 R2 RDP and TS

                            I always use gpresult /h Name.html on Windows 7 and Windows 2008/R2, and it should work.

                            I take it that you want a Terminal Server to have the same level of lockdown for every user who logs on?

                            As suggested, add the user settings to the GPO assigned to the TS OU. You currently have one assigned to the Users OU as well.

                            You then set loopback processing mode as merge or replace. To ensure all users logging on have the same lockdown, choose merge. If you want a user's existing policies to also take effect, use merge.

                            Just another point: verify the security filtering on the GPO and the Security tab permissions. One mentions a deny.
                            Last edited by Virtual; 25th October 2011, 09:15.



                            • #15
                              Re: new 2008 R2 RDP and TS

                              You're right, gpresult /h Name.html works if cmd is run as administrator.

                              Are the results the same if there is a GPO assigned to the TS OU and the Users OU, or is the result the same if user's existing policies take effect using merge or is that redundant? I am using merge.

                              As for the deny, I want a Terminal Server to have the same level of lockdown for every user who logs on except domain\administrator.

                              The gpresult on R2box for a domain\user matches the gpresult for domain\user on a TS on which the TS lockdown GPO functions as it should.

                              EDIT: The functioning TS GPO I refer to above is a 2003 TS.
                              Last edited by vndic8; 27th October 2011, 18:33.
