-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > >4. the user TS-User opens another connections to the terminalserver via >terminalserverclient. This time the sixth session >exceeds the userlimit. The system grants the user TS-User to log on. The >system denies access to the gpo hosted somewhere >on the share "sysvol". The gpo is N O T applied. The result is the user >TS-User sees an totally open desktop.He can do only >things according to his userrights due to membership of domain-user. But he >can do more than intended by the admin. Application mode terminal server configuration is a bit different than your standard console logon... Normally, you don't let user's log onto servers, but in the case of terminal services, you extend this functionality on purpose. It is important to have TS based security in place with tools like APPSEC.EXE that allow you to bring additional controls into play specifically for terminal services environments. Group Policy is a wonderful thing, but in the case of terminal services, it should something added on top of a already carefully secured terminal server. >If you try out what I am telling here, you will notice that even if the user >logs off once the gpo are applied successfully, the gpo >is not saved in the userprofile. If the gpo would have been saved to the >profile as claimed by Microsoft, the desktop would >have beed locked down even if the system denies access to the gpo. Mandatory profiles for terminal services users is a good thing... I belive an initial mandatory profile would keep this from happening. Though, I must say it is interesting that the GP is not applied when the license is exceeded. >As you will agree with me, neither the admin nor the TS-User are violating >any licensing issues. There is one user exceeding the 5-user limit. >The problem is the stupidity of the system by simply considering userlimits >more important than granting access to grouppolicies. Actually, no. It is a 5 "concurrent" user limit for per-server licensing. 5 of the same user is still 5 users, so the limit has indeed been reached. I think saying it is the "stupidity of the system" is a bit harsh. Personally, I would not be expecting the GP not to be applied, but at least the admin will get the event log telling you that. You are, after all, breaking the licensing agreement. But, as TS session licenses are different than normal user licenses, I can see how this would not be obvious. >Microsoft has been informed by mail on march 23, 2002. What did they say? I can image a "You're breaking the license agreement, Tough Luck" response, but it would also be interesting to see what their take on it technically was. AD -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPLNo5IhsmyD15h5gEQIFfQCff+E+GQIiITfm9zVPG2dXrXI163cAnjFP rX4Cp0UAfALoG4fOwfPb+vTk =Ff47 -----END PGP SIGNATURE-----
