Just a caveat on this KB article. It becomes problematic if you have to make 
periodic changes to the local GP as you have to go through this lengthy process 
described in the KB each time. The article assumes that the local GP is not 
changing and relies on the fact that GPs that aren't changed don't get 
re-applied. That breaks when you make a change to the local GP or do a gpupdate 
/force to force a reapply of all policies. Not a very good article, in my 
opinion. 
 
________________________________

From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Tue 6/21/2005 2:50 PM
To: [email protected]
Subject: RE: [ActiveDir] Lock down server not in a domain using GPO


There is a way to set a policy setting separately for the users.
 
See KB293655.
 
 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, June 21, 2005 8:12 AM
To: [email protected]
Subject: [ActiveDir] Lock down server not in a domain using GPO



We have a terminal server we would like to use for clients to access some of 
our data that they need and this server should be locked-down so the clients 
can only do what they need. The problem is that management would rather this 
server not be a member of our domain so we cannot use AD GPOs to lock the 
server down. I looked into using local policies to lock down the machine, but 
found out that they would also affect the administrator account unless that 
group/account is denied 'read' permissions to the "..\system32\grouppolicy" 
folder. However, would this not deny editing of the policies in the folder as 
well?

 

It has been suggested that we create a new AD domain solely for use with this 
terminal server. Is this a good idea? I tend to think this is too much solution.

 

Can anyone make any suggestions on the best way to accomplish our goals?

 

 

Thank you in advance,

_________________________

 

Daniel DeStefano

PC Support Specialist
