Hi, when you are using windows 2003 as terminal server, there is the way of ading users or groups to the local group on the TS server, which is called RemoteDesktopUsers. You can add members to this group by using the restricted group policy in a domain....
You can simulate this on win 2000, when you configure an explicit domain group for access via RDP (use the terminal services configuration console for modifying the rdp connection permission). In the USer properties in active directory, you simply enable or disable the general access to ALL TerminalServers by removing the "allow logon to terminal server" on the terminal services profile tab. Hope that helps regards Volker regards > I think it would be better if you just clear the "Allow Logon to Terminal > Service" attributes for all your users. Then you will come back and enable > this attribute for any specific user you want to grant the right to. It's > cleaner than trying to do this server-by-server. The problem with this, > however, is that you will have to ALWAYS remember to clear this attribute > from any new user account you create. > > You can get snippets of codes to clear and set "Allow Logon to Terminal > Service" from MS Script Center > http://www.microsoft.com/technet/community/scriptcenter/default.mspx > > > Sincerely, > > Dèjì Akómöláfé, MCSE MCSA MCP+I > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > > > From: Zach Huseby > Sent: Wed 4/28/2004 7:45 AM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] blocking user access to terminal services via group > policy > > > > I'm having a hard time figuring out the best way to block terminal service > access by user using group policy- is this something that can be addressed > by a user configuration setting or is this an issue better handled on the > terminal server- i.e. granting or denying 'log on locally' rights? I'm > just > getting started implementing GPOs so forgive me if this seems simple. > > Zach > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/