I think it would be better if you just clear the "Allow Logon to Terminal Service" attributes for all your users. Then you will come back and enable this attribute for any specific user you want to grant the right to. It's cleaner than trying to do this server-by-server. The problem with this, however, is that you will have to ALWAYS remember to clear this attribute from any new user account you create.
You can get snippets of codes to clear and set "Allow Logon to Terminal Service" from MS Script Center http://www.microsoft.com/technet/community/scriptcenter/default.mspx
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Zach Huseby
Sent: Wed 4/28/2004 7:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] blocking user access to terminal services via group policy
I'm having a hard time figuring out the best way to block terminal service access by user using group policy- is this something that can be addressed by a user configuration setting or is this an issue better handled on the terminal server- i.e. granting or denying 'log on locally' rights? I'm just getting started implementing GPOs so forgive me if this seems simple. Zach
