Thread: TS on a DC Questions

  1. #1
    goose (Getting Started on GPanswers.com); Join Date: Dec 1969; Posts: 4

    Hey all, I am setting up a new Group Policy on our Terminal Server (which is also a 2003 DC) and have a few questions about applying it.

    We have a set of specific users that access the TS server in their own OU. What I would like to do is take a specific GPO I created for the TS server and apply it to those specific users. However, I am wondering if the current GPO on the TS/DC server (Default Domain Controllers Policy) will have adverse effects. Basically, the TS server that terminal server users will be connecting to will also be connected to by regular domain users. Is there a way to set up a policy to lock down the TS users but apply different policies to regular users?

    Thanks in advance.

  2. #2
    AdamV (100+ Helpful Posts! 50+ Helpful Posts); Join Date: Dec 1969; Posts: 669

    Firstly, it is really not a good idea to let any regular users anywhere near your DC.
    By letting them log on through TS you are opening huge holes which could compromise things very badly.
    But, if you insist and have no other choice, then:

    The users who log on through TS will be logging on to the server itself; other users on the domain will simply be using resources (file shares, maybe Exchange, SQL, whatever else is running on the box).
    These are fundamentally different.
    If you apply a policy to the server to lock down what the users can do there, this will affect the TS logons and have no effect on the other users around the network.
    So, you need to link a policy to the server (so in this case to the Domain Controllers OU) which uses loopback to apply user policies to anyone logging on to the server, but not when the same user account logs on to a machine outside that OU.

    Make ABSOLUTELY CERTAIN that you use security filtering on this policy to ensure that it does not apply to Domain Admins, but make sure DAs can still read and edit the policy.
    If you do not do this carefully, you may find that when you log on to the server at the console as a DA you can't do whatever it is you have locked down. Since you are letting users on your most critical server you need to be really sure this is a very locked-down policy that does not allow any kind of admin functionality (even disabling the command prompt etc. would be a good idea). So if this then applies by accident to your DA you could be in big trouble.

    A couple more thoughts about running a DC as an application server:
    Make sure user profiles on the box cannot become too large and interfere with essential services.
    Quotas might help, but really you want to ensure that things like the Active Directory database are on a separate partition from the user profiles and anything else that can grow unexpectedly (like print spool files).
    Redirection might help, but watch out for offline file sync creating a local copy.
    Imagine several users log on and store lots of files in My Docs or on the desktop, then print a big colour file to a slow printer. All of a sudden you have no spare disk space, so changes to DNS, AD etc. cannot be written and AD falls over.
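The procedure AdamV describes, as an added example that is not part of the original thread: create the lockdown GPO, switch it to loopback Replace mode, link it to the Domain Controllers OU at link order 1 (the lowest order number has the highest precedence, so its settings win over the Default Domain Controllers Policy where the two overlap, while that policy still applies wherever the new GPO is silent), and security-filter it so that only the TS users get it applied. Domain Admins keep edit rights but are not in the TS group, so the user half of the policy never lands on a DA console logon; regular domain users only ever hit the server for shares and services, so loopback never touches them. The domain name `example.com`, the OU path, the GPO name "TS Lockdown" and the group "TS Users" are assumptions for illustration. The GroupPolicy PowerShell module assumed here ships with GPMC on Windows Server 2008 R2 and later (or RSAT), so against the 2003 DC in the thread it would be run from a newer admin workstation; the registry values it writes are the ones behind the corresponding Administrative Template settings and apply to 2003 as well.

```powershell
# Added example (not from the thread). Assumed names: domain example.com,
# GPO "TS Lockdown", security group "TS Users", Domain Controllers OU DN below.
Import-Module GroupPolicy

$Domain  = "example.com"
$GpoName = "TS Lockdown"
$TsGroup = "TS Users"
$DcOu    = "OU=Domain Controllers,DC=example,DC=com"

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $Domain }

# 2. Loopback processing in Replace mode. This is the value behind
#    Computer Configuration > Administrative Templates > System > Group Policy >
#    "Configure user Group Policy loopback processing mode" (1 = Merge, 2 = Replace).
#    Replace means a TS user's own OU-level user settings are ignored on this server;
#    only user settings from GPOs in the server's scope (this OU) apply.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# 3. One sample lockdown setting on the User Configuration side, as AdamV suggests:
#    User Configuration > Administrative Templates > System > "Prevent access to the
#    command prompt" (DisableCMD = 2 also blocks batch file processing).
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key "HKCU\Software\Policies\Microsoft\Windows\System" `
    -ValueName "DisableCMD" -Type DWord -Value 2 | Out-Null

# 4. Security filtering. Under loopback the user settings are filtered against the
#    logging-on user, so: strip Apply from Authenticated Users (keep Read, which the
#    server's own computer account needs to process the GPO), grant Apply only to the
#    TS group, and leave Domain Admins with full edit rights but no Apply.
#    Set-GPPermission cannot write Deny entries; an explicit Deny of "Apply group policy"
#    for Domain Admins, if you want belt and braces, is set in GPMC > Delegation > Advanced.
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $TsGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName "Domain Admins" `
    -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# 5. Link to the Domain Controllers OU at link order 1 (highest precedence on the OU),
#    so its settings take priority over the Default Domain Controllers Policy.
$existing = (Get-GPInheritance -Target $DcOu -Domain $Domain).GpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $DcOu -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $GpoName -Domain $Domain -Target $DcOu -Order 1 | Out-Null
}

# 6. Verify the delegation and the resulting link order before anyone logs on.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission, Denied |
    Format-Table -AutoSize
(Get-GPInheritance -Target $DcOu -Domain $Domain).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

After the change replicates, check it from both sides on the server itself: log on through TS as a member of "TS Users" and run `gpresult /r /scope:user` to confirm "TS Lockdown" appears under applied GPOs, then log on at the console as a Domain Admin and confirm the same command lists it under "filtered out" (security filtering) rather than applied. Do the DA check before the lockdown settings go beyond the one sample above, so a filtering mistake does not lock you out of your own DC.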

  3. #3
    goose (Getting Started on GPanswers.com); Join Date: Dec 1969; Posts: 4

    Thanks for the reply, AdamV. I set up my TS GPO to use GP loopback processing mode and set it to "Replace". Now the next part I'm not 100% sure about.

    Quote (originally posted by AdamV):
    you need to link a policy to the server (so in this case to the DCs OU) which uses loopback to apply user policies to anyone logging on to the server, but not when the same user account logs on to a machine outside that OU.
    Should I link the "TS Lockdown" policy to my DCs OU? And should that be linked before the Default Domain Controllers Policy? I guess I'm still a little fuzzy on how I can get two groups of users to connect to the same server but receive different policies. I've attached a screen of my current setup (inherited from the previous admin). I've crossed out the policies that I want to get rid of. Thanks again for your help.

