Für unsere deutschen Kunden Premier Support ist auch in deutscher Sprache verfügbar. Wir helfen Ihnen gerne bei allen Ihren Migrationsproblemen.
Specify Alternate Text

How to lock down a Terminal Server

A terminal can reside in an office, kiosk, classroom, laboratory, on a factory floor, or across the internet in another country while the server is in a secure server room. For example; Terminal Server can be used by Application Service Providers to provide access for multiple applications to customers over the Internet. In certain deployments, it might be necessary to restrict user activity to a predefined set of applications or Windows operating system functionality.

Put the Terminal Server in a special OU

There are several ways of locking down a Terminal Server. You can put all users in a special OU and apply a GPO to that group but the best way is to put the Terminal Server in its own OU and take it from there. Here is how you do that:

Open Active Directory Users and Computers from the Administrative tools. You can see that there is already an OU called 'SBSServers' but we are going to create a new OU called SBSTerminalServers.

How to lock down a Terminal Server

Right click the OU Computers and click new Organizational Unit and name it SBSTerminal Servers.

How to lock down a Terminal Server

Now we drag the Terminal Server (in my case it is called Virtual TS) to the newly created OU SBS Terminal Servers

How to lock down a Terminal Server

Create and apply the GPO that locks down the Terminal Server

Open Group Policy Management from the Administrative Tools. Right click Group Policy Objects and choose new. Name the the GPO 'Terminal Server Lockdown'.

How to lock down a Terminal Server

In the next picture you can see that the new GPO is listed but it does not do anything because it has not been configured nor has it been linked to any OU.

How to lock down a Terminal Server

Now we need to link and configure the new GPO.

How to lock down a Terminal Server

Choose the Terminal Server Lockdown GPO you just created.

How to lock down a Terminal Server

Loopback Processing explained.

In regards to terminal servers, the problem with Group Policy in its default configuration is that users who log into both a workstation and a terminal session will have the same policies applies.  Workstation policies are typically looser than what administrators want on a terminal server.  Administrators want strict control of the user’s session because of the multi-user nature of the terminal server.  So the administrator is left with a dilemma - do they lock down the user policy and have that affect the workstation as well as the terminal session or keep the GPO as it is and run the risk of the user taking down the server.  The answer is use loopback processing. Loopback processing is a GPO setting located in Computer Settings\Administrative templates\System\Group Policy and was originally put in Group Policy to handle kiosk type computers.  No matter who logs into this particular computer, they will get these users settings. Loopback processing is simply an option that allows the administrator to tell Group Policy to apply the User settings associated with this OU.  When enabling Loopback processing, the administrator has a choice of either Replace or Merge.  Enabling the Replace option tells Group Policy to ignore any other user settings that would typically be part of that user’s policy set and only apply the settings from this OU.  The merge option allows the other user settings to apply but the settings on this OU are applied last and are merged with the user’s policy set.  This means they override the other settings in case of a conflict.  For terminal services, loopback processing is usually applied as Replace.

Now we need to change the GPO with all kind of settings that will effectively lockdown the Terminal Server. One setting is very important and I will show you in the next screenshot which one that is. Right click the Terminal Server Lockdown GPO and choose edit.

How to lock down a Terminal Server

In order to force this GPO and have it supersedes and replace all other GPO's on the domain we need to set 'User Group Policy loopback processing mode'. Use the mode 'Replace'.

How to lock down a Terminal Server

What other changes you make to the Terminal Server Lockdown policy really depends on your situation. I have included in the download section of this site a sample of a Terminal Server Lockdown policy that you can use for your situation. For more information read this doc Locking Down Windows Server 2003 Terminal Server Sessions.

Related reading:

Allow unrestricted access to the Terminal Server for Administrators

After you have applied the Terminal Server Lockdown policy you will notice that it is even applied to the Administrator on your domain. That is not very handy and we want to change that. There is a knowledge base article that describes how to that but it is kind of confusing because it does not show you how to do that using the Group Policy Manager included in SBS 2003.

Again from the Group Policy Manager choose the Terminal Server Lockdown GPO and in the right pane choose 'Delegation'.

How to lock down a Terminal Server

Click on the Advanced button, select Domain Admins and check Deny at 'Apply Group Policy'. Next time you logon the GPO will not be applied to the Domain Admins group.

How to lock down a Terminal Server

Subscribe and receive ‘how to’ and ‘best practice’ articles on server and cloud maintenance, design and troubleshooting.

  • Monthly newsletter with a summary of all new tutorials
  • Get an email as soon as a new tutorial has been published

About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.

Change your cookie settings

Contact Us

Concentrix BV

C. de Rijcklaan 1

3723 PM Bilthoven

The Netherlands

KvK 30202318

VAT Id 814036739B01

The layout of this page is made to be viewed online.