
What I need to accomplish: With one login, when user is physically in the building I need them to see everything. When they are using terminal services with same login they should not be able to see the file system on the network. I can lock down the PC running terminal services as that is its only use.

Details:

Windows/2003 Server with terminal services.

One login for a user (e.g., johndoe).

When johndoe logs into the network at his desk in the office, he can see the network files according to group policy.

When johndoe logs into terminal services from outside the building, we do not want to allow him to see the network. We are using 2X to do a published app, but that app has a "feature" that allows the user to see the network.

The published application on terminal services (only) is a document management system that is tied to the Windows login, so I can't give them two logins.

With one login, when they are in the building I need them to see everything. When they are using terminal services they should not be able to see the network. I can lock down the PC running terminal services as that is its only use.

  • 1
    Why do you want to set it up this way? Do you stop trusting the user when they leave your premises? – Nic Mar 28 '10 at 19:20
  • Not exactly. The nature of the data on the network is that we need to take all reasonable precautions not to ever expose it to the outside. When they are logged in through terminal services there is one, safe published application that does not expose data. That's OK, but we don't wish to risk anything else if our users' credentials were compromised, laptop stolen, etc. In other words, we want to expose only the published app to the outside and nothing else. –  Mar 29 '10 at 17:13

2 Answers

2

The question isn't clear enough yet.

Is the user signing into the Terminal server when in the office AND when working remotely? Or just when working remotely?

If the user only signs into terminal services remotely, then the solution is to apply a loopback policy applied to your terminal services OU. Greg's answer then contains the kind of policy settings you'll want to apply in that GPO.

On the other hand, if your user signs into the Terminal server both remotely, and when in the office, and must do so with the same user account, you're in a whole world of hurt. I don't think there's a supported configuration for you if this is the case, without getting into nasty hacks. It may be worth looking at creating a site in AD for your VPN clients, then applying a policy to that site to restrict network browsing, but I don't think that'll apply if the user connects to a terminal server. Still, it's the only avenue I can see that might get you the right results.

Chris Thorpe
  • Sorry I should have been clearer. User logs into terminal services ONLY when outside the building. Inside, it's just an ordinary local network login from their desks. We'll try this and let you know. –  Mar 29 '10 at 17:09
  • Righto. Yep, loopback policy is exactly what you want. – Chris Thorpe Mar 29 '10 at 19:05
1

I believe you want to use a GPO that is linked to the terminal server, that specifies:

Administrative Templates\Windows Explorer:
- Hide Drives
- Prevent Access to drives from My Computer

(If the network resources are assigned to drive letters)

Administrative Templates\Windows Explorer:
- No Entire Network in My Network Places
- Remove Map Network Drive and Disconnect Network Drive

Administrative Templates\Start Menu and Taskbar:
- Remove My Network Places from Start Menu
- Remove Run from Start Menu

Administrative Templates\Desktop:
- Remove My Network Places

That will probably get you started. There may be other restrictions you will want to apply.

Greg Askew
  • My network engineer says "he can't get GPO isolated to one machine using GPO in active directory". I don't think he knows what you mean by creating a "GPO that is linked to the terminal server". How do you do that specifically? Our network consultant says we have too many OUs and that might be why it doesn't work. Meanwhile, he says he solved it a different way -- by local policy on the machine running terminal services. Local policy apparently overrides group policy. Anything wrong with that solution? –  Apr 01 '10 at 07:20
  • To clarify, you need a GPO linked to the OU where the terminal server resides. GPO's for terminal servers typically use loopback processing, which cause the User settings of the GPO to apply to users who logon to the terminal server. – Greg Askew Apr 01 '10 at 22:38
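The following is an added example, not code from either answer above, that puts both answers together: a GPO linked to the OU holding only the terminal server, with loopback processing enabled (Chris Thorpe's answer) and the Windows Explorer / Start Menu / Desktop restrictions Greg Askew lists, expressed as the registry-backed policy values those Administrative Template settings write. It assumes the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later); on the Windows Server 2003 box in the question the same settings are configured by hand in GPMC under the paths Greg gives. The GPO name and OU distinguished name are placeholders.

```powershell
# Added example: GPO for a terminal-server OU with loopback processing and the
# network-hiding user settings from the answers. Assumes the GroupPolicy module;
# the GPO name and OU path below are placeholders, not values from the question.
Import-Module GroupPolicy

$GpoName = 'TS-Lockdown'                           # placeholder GPO name
$TsOu    = 'OU=TerminalServers,DC=example,DC=com'  # placeholder OU containing only the TS computer object

$gpo = New-GPO -Name $GpoName -Comment 'Hide network resources in terminal-services sessions'
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null

# Computer Configuration: loopback processing. UserPolicyMode 2 = Replace, so only
# the User settings of GPOs linked at the terminal server OU apply to anyone who
# logs on there; the user's normal desktop GPOs are untouched. (1 would be Merge.)
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$network  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network'

# Hide Drives / Prevent access to drives from My Computer: a 26-bit mask,
# bit 0 = A: through bit 25 = Z:. This hides every letter except C:; narrow it
# to the mapped network drive letters if local drives must stay visible.
$allButC = 0x3FFFFFF -bxor (1 -shl 2)
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoDrives'      -Type DWord -Value $allButC | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoViewOnDrive' -Type DWord -Value $allButC | Out-Null

# Remove Map/Disconnect Network Drive, Remove Run, Remove My Network Places
# from the Start Menu and from the Desktop
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoNetConnectDisconnect'   -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoRun'                    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoStartMenuNetworkPlaces' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoNetHood'                -Type DWord -Value 1 | Out-Null

# No Entire Network in My Network Places
Set-GPRegistryValue -Name $GpoName -Key $network -ValueName 'NoEntireNetwork' -Type DWord -Value 1 | Out-Null

# Review what was written; after gpupdate on the terminal server, a test user's
# gpresult should list this GPO under Applied Group Policy Objects.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Two things worth checking after applying this. First, the OU must contain only the terminal server: with loopback in Replace mode, every GPO linked there supplies the user settings for that machine, which is exactly the "isolated to one machine" effect the comment above was after. Second, these are shell restrictions, not permissions: they remove the drives, Network Places and Run from the user's view, but a program inside the session can still open a UNC path by name. If the published application's "feature" is a file dialog, the share and NTFS permissions on the file servers are what actually decide whether the remote session can read the data, so treat the GPO as the first layer rather than the only one.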