From: TBakk on 13 Mar 2006 22:06

Does anyone know a way of restricting a given 2003 domain account so that it can only log on to a Windows 2000 Terminal Server during a certain window of time, WITHOUT using the normal 'Logon Hours' restrictions for a domain account (as these would prevent the account from logging into the network at all during this time)?

We have some users in a branch office who use one of our Terminal Servers at the head office over a WAN link during their normal business hours. We would like to be able to prevent them from logging into the Terminal Server from home without preventing them doing so during the day. We can't use the normal 'Logon Hours' restrictions for their accounts because they will sometimes work late at the office and will need to be able to log on to their local network (which is part of the head office domain) during off hours. We can't disable Terminal Services between certain hours as other people from different offices (and their homes) use the same Terminal Server at all times of day/night... and for the same reasons we can't put IP address/subnet restrictions in place to allow only certain networks to connect. If it was possible to either set the logon hours on their domain accounts just for Terminal Services separately from the normal network login, or restrict logons to a specified client host (similar to the 'Logon To...' settings for a normal domain account) it would be perfect.

I'm beginning to think this can't be done without using third-party tools... unless someone can think of some way to apply group policies only during certain times of day, or similar...?

I could probably achieve this in a very messy way using logon scripts and third-party tools to check whether the client is connecting via a TS client, but would prefer not to.

Tony

From: Jeff Pitsch on 14 Mar 2006 09:29

I believe you would need a 3rd party product like Citrix Presentation Server or do some fancy scripting.

Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"TBakk" <newsgroups(a)zombieware.com> wrote in message news:OsEIYRxRGHA.4740(a)TK2MSFTNGP14.phx.gbl...
> Does anyone know a way of restricting a given 2003 domain account
> so that it can only log on to a Windows 2000 Terminal Server during a
> certain window of time, WITHOUT using the normal
> 'Logon Hours' restrictions for a domain account (as these would
> prevent the account from logging into the network at all during this
> time)?
>
> We have some users in a branch office who use one of our Terminal
> Servers at the head office over a WAN link during their normal
> business hours. We would like to be able to prevent them from logging
> into the Terminal Server from home without preventing them doing so
> during the day. We can't use the normal 'Logon Hours' restrictions
> for their accounts because they will sometimes work late at the office
> and will need to be able to log on to their local network (which is
> part of the head office domain) during off hours. We can't disable
> Terminal Services between certain hours as other people from different
> offices (and their homes) use the same Terminal Server at all times of
> day/night... and for the same reasons we can't put IP address/subnet
> restrictions in place to allow only certain networks to connect. If
> it was possible to either set the logon hours on their domain accounts
> just for Terminal Services separately from the normal network login,
> or restrict logons to a specified client host (similar to the 'Logon
> To...' settings for a normal domain account) it would be perfect.
>
> I'm beginning to think this can't be done without using third-party
> tools... unless someone can think of some way to apply group policies
> only during certain times of day, or similar...?
>
> I could probably achieve this in a very messy way using logon scripts
> and third-party tools to check whether the client is connecting via a
> TS client, but would prefer not to.
>
> Tony
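
The logon-script approach mentioned in the thread, sketched as an added example (not code from either poster): a VBScript logon script assigned on the Terminal Server only, which logs a restricted account off when it opens a remote session outside a time window. The group name, the window hours and the reliance on the SESSIONNAME variable being populated at logon are assumptions.

```vbscript
' Added example: logon script for the Terminal Server only (assumption: it is
' assigned on that server, so ordinary workstation logons never run it).
Option Explicit

Const RESTRICTED_GROUP = "BranchTSUsers"  ' hypothetical domain global group
Const WINDOW_START_HOUR = 8               ' constructed window: 08:00 ...
Const WINDOW_END_HOUR = 18                ' ... up to but excluding 18:00

Dim shell, net
Set shell = CreateObject("WScript.Shell")
Set net = CreateObject("WScript.Network")

' Anything that is not the physical console counts as remote. If SESSIONNAME
' is unset the literal "%SESSIONNAME%" comes back, so the check fails closed.
Function IsRemoteSession()
    IsRemoteSession = (UCase(shell.ExpandEnvironmentStrings("%SESSIONNAME%")) <> "CONSOLE")
End Function

' Direct membership only; the WinNT provider does not resolve nested groups.
Function IsMemberOf(domain, user, groupName)
    Dim userObj, grp
    IsMemberOf = False
    Set userObj = GetObject("WinNT://" & domain & "/" & user & ",user")
    For Each grp In userObj.Groups
        If LCase(grp.Name) = LCase(groupName) Then IsMemberOf = True
    Next
End Function

' Monday to Friday inside the window, evaluated in the server's local time.
Function InsideWindow(t)
    InsideWindow = (Weekday(t, vbMonday) <= 5) And (Hour(t) >= WINDOW_START_HOUR) And (Hour(t) < WINDOW_END_HOUR)
End Function

If IsRemoteSession() Then
    If IsMemberOf(net.UserDomain, net.UserName, RESTRICTED_GROUP) Then
        If Not InsideWindow(Now) Then
            ' Type 2 = warning in the Application event log, for later review.
            shell.LogEvent 2, "TS logon outside permitted hours: " & net.UserDomain & "\" & net.UserName
            shell.Popup "Terminal Server access for this account is limited to business hours.", 10, "Logon denied", 48
            shell.Run "logoff.exe", 0, False
        End If
    End If
End If
```

Because the script runs inside the session after authentication has already succeeded, it is a policy check rather than an authentication control like 'Logon Hours'. It also acts only at logon, so a session opened inside the window is not ended when the window closes.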