Thread: Restricting SOME users to one login on one TS

  1. #1
    PreviousPoster

    I'm running AD on Windows 2003 server; TS on Windows 2000 servers. I need to restrict a select group of users to ONE login on ONE of the TS servers, while allowing others multiple logins to this server.

    I have created a GPO configuring Computer Configuration/ Administrative Templates/ Windows Components/ Terminal Services/ Restrict Terminal Services Users to a single remote session - ENABLED.

    I have added the Global group - gg_singleRemoteSession to the Security Filtering and applied this GPO to the OU holding the TS server that I need to restrict.

    The other TS servers are in a different OU and they will need to continue to have multiple logins by everyone.

    Yet, the policy doesn't seem to work as I hoped it would. I can still log in to that server multiple times with the user account that is in the gg_singleRemoteSession group.

    Can anyone give me some hints/suggestions as to what I seem to be missing?

    thanks
    mfsm

  2. #2
    jdobiash

    Unfortunately you won't be able to use User Groups to filter out Computer-based policies; they only apply to the workstations (or in this case, the server) no matter who logs into it. In fact, only having users in your security group may negate the GPO altogether (if you removed the "Authenticated Users" group) since the server isn't part of the group and can't get the policy applied to it. If you added the server to the group, the GPO would then apply, but as I mentioned, it would apply to everyone logging into it.

    Oh, something else I just realized, I don't believe that option works on 2000 Servers, only in 2003.

  3. #3
    PreviousPoster

    You're right on only working with Windows 2003 - I did a filter and with 2000 the option doesn't show up.

    OK - IS there a way to do what I need to do -- restrict particular users (I could even say particular computers) to a single login on one TS server yet allow them multiple logins on other TS servers?

    There is a Progress DB that resides on this TS server and if a user logs into that DB twice, the DB will hang and crash so I'm just reviewing options... :roll:

  4. #4
    jdobiash

    Windows has no user tracking component so there isn't really any way to restrict users from logging in multiple times. The only thing you could do is upgrade the TS Server to 2003 and turn on the single session mode (actually I think it defaults on), but this would apply to all users who log into that TS server.

    Edit : You might be able to find a 3rd party product which lets you, however. Here is one I found doing a quick Google search:

    http://www.engagent.com/newsite/products/product_UserLock.htm

    Double Edit : Found this on Microsoft's website, never tried it but it might look interesting:

    http://support.microsoft.com/?kbid=237282
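
Added example, not part of the thread or any poster's code: the replies conclude that the server cannot enforce the limit per group, so an administrator can at least audit for it. The script parses `query user` output captured from the TS server and reports members of the restricted group holding more than one session, counting disconnected sessions too; the user names, the sample output and the `RESTRICTED` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of `query user` output (not taken from the thread).
SAMPLE_QUERY_USER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active          .  10/1/2004 9:00 AM
 dbuser1               rdp-tcp#1           1  Active          5  10/1/2004 9:05 AM
 dbuser1                                   2  Disc         1:02  10/1/2004 8:00 AM
 jdoe                  rdp-tcp#3           3  Active          .  10/1/2004 9:10 AM
 jdoe                  rdp-tcp#4           4  Active          2  10/1/2004 9:12 AM
"""

# Assumed members of gg_singleRemoteSession, exported separately (constructed).
RESTRICTED = {"DBUser1"}


def parse_sessions(text):
    """Return (username, session_id, state) tuples from `query user` output."""
    sessions = []
    for line in text.splitlines():
        fields = line.lstrip(" >").split()  # '>' marks the caller's own session
        if len(fields) < 3 or fields[0].upper() == "USERNAME":
            continue  # blank line or header row
        # A disconnected session has an empty SESSIONNAME column, so the
        # numeric ID is the second field instead of the third.
        if fields[1].isdigit():
            sid, state = fields[1], fields[2]
        elif len(fields) >= 4 and fields[2].isdigit():
            sid, state = fields[2], fields[3]
        else:
            continue  # unrecognised layout, skip rather than guess
        sessions.append((fields[0].lower(), int(sid), state))
    return sessions


def duplicate_sessions(text, restricted):
    """Map each restricted user holding more than one session to its IDs."""
    restricted = {name.lower() for name in restricted}  # names are case-insensitive
    by_user = defaultdict(list)
    for user, sid, _state in parse_sessions(text):
        if user in restricted:
            by_user[user].append(sid)
    return {u: sorted(ids) for u, ids in by_user.items() if len(ids) > 1}


if __name__ == "__main__":
    for user, ids in duplicate_sessions(SAMPLE_QUERY_USER, RESTRICTED).items():
        print(f"{user}: {len(ids)} sessions on this server (IDs {ids})")
```

Users outside the restricted set, such as `jdoe` in the sample, are ignored even when they hold several sessions, which matches the requirement that everyone else keeps multiple logins.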
