I am also thinking to develop a forum like this one, really impressive work
When I started out with Terminal Services on Windows 2000 I used as a guide a book from Todd Mathers called Windows NT/2000 Thin Client Solutions and have been using his recommendations ever since. We are not planning to go to Windows 2008 and I thought it might be a good time to revisit our methodology and have a second pair of eyes/experience look over the idea being that 'It's working' does not mean it's working as good as it might. It's good to question one's 'basic' assumptions every once in a while.
I'm not sure if anybody responding will be familiar with the book but here are the steps recommended in the book that we have implemented and been running for years.
1) Create a separate Terminal Services OU in the domain
2) Under the TS OU create two OU's - Terminal Servers and Terminal Server User Groups
3) Create 3 GPO's and apply to the Terminal Servers OU
a) TSServers
Enable Block Policy inheritance
Disable User Configuration Settings
Permission: Authenticated Users System TS-Admins
Full Control
Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow
Loopback Policy - replace mode
Delete Cached Copies of Roaming Profiles
b) AllTSUsers Policy (Includes Admin)
Disable Computer Configuration Settings
Permission: Authenticated Users System TS-Admins
Full Control Allow
Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow Allow
Enable: Do Not Track Shell Shortcuts During Roaming
Enable: Disable UI to Change Menu Animation Settings
Enable: Add Logoff to the Start Menu
Enable: Disable and Remove the Shut Down Command
Enable: Do Not Use the Search-based Method When Resolving Shell Shortcuts
Enable: No Screen Saver
Enable: Group Policy Refresh Interval - 1440 (24 hours)
c) RegularTSUSERS (not including Admins)
Disable Computer Configuration Settings
Permission: Authenticated Users System TS-Admins
Full Control
Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow Deny
Windows Settings\Folder Redirection - I redirect My Documents and Application Data to a network share
Administrative Templates\Windows Components\Windows Explorer
Enable: Removes the Folder Options Menu From the Tools Menu
Enable: Hide Hardware Tab
Administrative Templates\Start Menu & Taskbar
Enable: Disable and Remove Links to Windows Update
Enable: Remove Network & Dial-up
Enable: Disable Changes to Taskbar and Start Menu Settings
Administrative Templates\Desktop
Enable: Prohibit User From Changing My Documents Path
Administrative Templates\Control Panel
Enable: Disable Control Panel
Administrative Templates\Systems
Enable: Disable Registry Editing Options
I would appreciate if somebody/somebodies could critique the above for our present 2000 environment - how we might do things different and better - we are still going to be running 2000 for another year - and also offer some guidance as to how we should modify the above for 2008 R2.
Any input is appreciated in advance,
Arlester Christian
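Added example, not part of the original post or the book it cites: a small Python model of GPO security filtering, showing which of the three GPOs above deliver settings to a regular user, a TS-Admins member, and the terminal server itself. The mapping of the Allow/Deny entries to the Authenticated Users and TS-Admins columns is an assumption, since the permission lists in the post do not show which column each entry belongs to; the names Gpo, granted, applies and effective are hypothetical.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
AU, ADM = "Authenticated Users", "TS-Admins"


@dataclass
class Gpo:
    name: str
    user_settings_enabled: bool
    computer_settings_enabled: bool
    # ACEs as (trustee, right, "Allow" | "Deny")
    aces: list = field(default_factory=list)


def granted(gpo, token, right):
    """A Deny ACE matching any group in the token overrides every Allow."""
    hits = [kind for trustee, r, kind in gpo.aces
            if r == right and trustee in token]
    return "Allow" in hits and "Deny" not in hits


def applies(gpo, token, side):
    """A GPO is processed only with both Read and Apply Group Policy granted."""
    enabled = (gpo.user_settings_enabled if side == "user"
               else gpo.computer_settings_enabled)
    return enabled and granted(gpo, token, READ) and granted(gpo, token, APPLY)


def effective(gpos, token, side):
    return [g.name for g in gpos if applies(g, token, side)]


# Constructed from the post's permission lists (column mapping assumed).
# With loopback in replace mode, these are the only user GPOs in play.
READ_ALL = [(AU, READ, "Allow"), (ADM, READ, "Allow")]
GPOS = [
    Gpo("TSServers", False, True, READ_ALL + [(AU, APPLY, "Allow")]),
    Gpo("AllTSUsers", True, False,
        READ_ALL + [(AU, APPLY, "Allow"), (ADM, APPLY, "Allow")]),
    Gpo("RegularTSUSERS", True, False,
        READ_ALL + [(AU, APPLY, "Allow"), (ADM, APPLY, "Deny")]),
]

if __name__ == "__main__":
    print("regular user   :", effective(GPOS, {AU}, "user"))
    print("TS-Admins user :", effective(GPOS, {AU, ADM}, "user"))
    print("terminal server:", effective(GPOS, {AU}, "computer"))
    # An administrator who is not in TS-Admins still gets the lockdown GPO.
    print("other admin    :", effective(GPOS, {AU, "Domain Admins"}, "user"))
```

The last case is the one to check when reviewing this design: the exemption from RegularTSUSERS depends on TS-Admins membership alone, not on administrative rights.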
thanks for sharing this post and thanks for one thing too for ur effort to disable signature form cp