Put the Terminal Server in a special OU

There are several ways of locking down a Terminal Server. You can put all users in a special OU and apply a GPO to that group, but the best way is to put the Terminal Server in its own OU and take it from there. Here is how you do that:

Open Active Directory Users and Computers from the Administrative Tools. You can see that there is already an OU called 'SBSServers', but we are going to create a new OU called SBSTerminalServers. Right-click the OU Computers, click New > Organizational Unit and name it SBSTerminalServers. Now we drag the Terminal Server (in my case it is called Virtual TS) to the newly created OU SBSTerminalServers.

Create and apply the GPO that locks down the Terminal Server

Open Group Policy Management from the Administrative Tools. Right-click Group Policy Objects and choose New. Name the GPO 'Terminal Server Lockdown'. In the next picture you can see that the new GPO is listed, but it does not do anything yet because it has neither been configured nor linked to any OU. Now we need to link and configure the new GPO. Choose the Terminal Server Lockdown GPO you just created.

Loopback processing explained

With terminal servers, the problem with Group Policy in its default configuration is that users who log on to both a workstation and a terminal session get the same policies applied. Workstation policies are typically looser than what administrators want on a terminal server. Administrators want strict control of the user's session because of the multi-user nature of the terminal server. So the administrator is left with a dilemma: lock down the user policy and have that affect the workstation as well as the terminal session, or keep the GPO as it is and run the risk of a user taking down the server. The answer is to use loopback processing.
Loopback processing is a GPO setting located in Computer Settings\Administrative Templates\System\Group Policy and was originally put in Group Policy to handle kiosk-type computers. No matter who logs on to this particular computer, they get the user settings linked to it. Loopback processing is simply an option that allows the administrator to tell Group Policy to apply the User settings of the GPOs linked to the computer's OU. When enabling loopback processing, the administrator has a choice of either Replace or Merge. The Replace option tells Group Policy to ignore any other user settings that would typically be part of that user's policy set and to apply only the settings from this OU. The Merge option allows the other user settings to apply, but the settings from this OU are applied last and are merged with the user's policy set. This means they override the other settings in case of a conflict. For Terminal Services, loopback processing is usually applied as Replace.

Now we need to add to the GPO all kinds of settings that will effectively lock down the Terminal Server. One setting is very important, and I will show you in the next screenshot which one that is. Right-click the Terminal Server Lockdown GPO and choose Edit. In order to force this GPO and have it supersede and replace the user settings from all other GPOs in the domain, we need to set 'User Group Policy loopback processing mode'. Use the mode 'Replace'. What other changes you make to the Terminal Server Lockdown policy really depends on your situation. I have included in the download section of this site a sample Terminal Server Lockdown policy that you can adapt to your situation. For more information, read the document Locking Down Windows Server 2003 Terminal Server Sessions.
Related reading:
Loopback processing of Group Policy
Locking Down Windows Server 2003 Terminal Server Sessions

Allow unrestricted access to the Terminal Server for Administrators

After you have applied the Terminal Server Lockdown policy, you will notice that it is even applied to the Administrator of your domain. That is not very handy, and we want to change that. There is a Knowledge Base article that describes how to do that, but it is kind of confusing because it does not show you how to do it using the Group Policy Management console included in SBS 2003. Again, from Group Policy Management choose the Terminal Server Lockdown GPO and in the right pane choose 'Delegation'. Click the Advanced button, select Domain Admins and check Deny at 'Apply Group Policy'. The next time you log on, the GPO will not be applied to the Domain Admins group.
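The same procedure (dedicated OU, lockdown GPO linked to it, loopback Replace, Domain Admins exempted), scripted in PowerShell as an added example that is not part of the original article. It assumes the ActiveDirectory and GroupPolicy modules (RSAT on Windows Server 2008 R2 or later; SBS 2003 itself only has the GUI path described above), a placeholder parent OU distinguished name, and the article's computer name VirtualTS.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName                    # e.g. DC=contoso,DC=local
$parentOU = "OU=Computers,OU=MyBusiness,$domainDN"       # placeholder: adjust to your Computers OU
$ouName   = "SBSTerminalServers"
$ouDN     = "OU=$ouName,$parentOU"
$tsName   = "VirtualTS"                                  # the article's Terminal Server
$gpoName  = "Terminal Server Lockdown"

# 1. Give the Terminal Server its own OU and move the computer object into it,
#    so the lockdown never reaches the users' workstations.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $parentOU
}
Get-ADComputer -Identity $tsName | Move-ADObject -TargetPath $ouDN

# 2. Create the lockdown GPO and link it to the new OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. Loopback processing in Replace mode. The GUI setting
#    'User Group Policy loopback processing mode' writes UserPolicyMode under
#    HKLM\Software\Policies\Microsoft\Windows\System: 1 = Merge, 2 = Replace.
$loopbackKey = "HKLM\Software\Policies\Microsoft\Windows\System"
Set-GPRegistryValue -Name $gpoName -Key $loopbackKey `
    -ValueName "UserPolicyMode" -Type DWord -Value 2

# 4. Exempt Domain Admins with a Deny ACE on the 'Apply Group Policy' right.
#    Set-GPPermission can only grant, so the deny is written with dsacls on the
#    GPO's directory object (CN={GUID},CN=Policies,CN=System,...).
dsacls $gpo.Path /D "$($domain.NetBIOSName)\Domain Admins:CA;Apply Group Policy"

# 5. Check: Replace mode is stored in the GPO and the link exists on the OU.
$mode = (Get-GPRegistryValue -Name $gpoName -Key $loopbackKey -ValueName "UserPolicyMode").Value
"UserPolicyMode = $mode (2 means Replace)"
(Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
```

On the Terminal Server itself, `gpupdate /force` followed by `gpresult /r` shows the lockdown GPO under the user settings for a normal user and lists it as filtered out for a Domain Admin.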