Active Directory Group Policy on Terminal Servers, Gotcha!
Jun 03
General Active Directory, GPO, Group Policy, Lockdown, loopback, Windows Server
Everyone has a little niggling topic in their chosen profession, a tiny thing that relates to a lot of what you do every day, but that you just don't 'get'.
With computing/networking this happens a lot, but occasionally even reading and extensive googling doesn't help. At that point you ask other people you know, and when they don't know either, you're fully foobared.
It's a feeling second only to the horrible lack of answers created by googling an issue and getting your own blog back as the only result!
Anyway, rambling hills of pretext over: for me, locking down terminal servers has always been one of these sore points. I have used AD a lot, through Server 2000, 2003, 2008 and all the R2s in between, and I'm happy with CLI tools for complex replication debugging, delving into the LDAP bowels or crawling through Kerberos/NTLM Wireshark dumps. However:
Locking down terminal servers:
- User GPOs apply to users pretty much everywhere, no matter which machine they log on to, because they are scoped by where the user object sits in AD, not by the machine. This is no good for locking down single machines!
- Computer GPOs are scoped to the machine, which is what we want, but the Computer Configuration section lacks a whole shed of the useful settings for restricting or controlling user actions (Start menu, Explorer, Control Panel and the like all live under User Configuration).
So how to do it? I have come up with lots of bastardised ways in the past to achieve this kind of lockdown, usually at the expense of ease of administration.
Until last week, when a colleague found this:
http://support.microsoft.com/kb/231287
Loopback policy mode! It's been there since Windows 2000!
Basically, this option within the Computer Configuration section of a GPO (Administrative Templates > System > Group Policy > "User Group Policy loopback processing mode") was designed to tackle exactly this problem. On any computer the setting applies to, the User Configuration section of the GPOs linked to that computer's site, domain or OU (normally discarded, because those GPOs are scoped to the computer object rather than the user) is applied to any user logging on to the machine. It has two modes: Merge, where the user's own GPOs apply first and the computer-scoped user settings are layered on top (winning any conflicts), and Replace, where the user's own GPOs are ignored entirely and only the computer-scoped user settings apply. Replace is the one you want for a hard terminal server lockdown.
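As an added worked example (not code from the original post), the PowerShell below builds a terminal server lockdown GPO the way described above using the GroupPolicy RSAT module: it links the GPO to the OU holding the terminal server computer objects, turns on loopback processing in Replace mode via the registry-backed policy value, and puts a couple of User Configuration restrictions in the same GPO so they only bite on those machines. The GPO name, the OU distinguished name and the two sample restrictions are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Assumptions: GPO name, the OU holding
# the terminal server computer accounts, and the two sample user restrictions.
# Requires the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Terminal Server Lockdown'                 # assumed GPO name
$TargetOU = 'OU=Terminal Servers,DC=example,DC=com'    # assumed OU containing the TS computer objects

# 1. Create the GPO (reuse it if it already exists) and link it to the terminal server OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 2. Computer Configuration: enable loopback processing.
#    The policy is backed by HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode:
#    1 = Merge (user's own GPOs first, computer-scoped user settings win conflicts),
#    2 = Replace (user's own GPOs ignored on this machine, only these user settings apply).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. User Configuration settings in the SAME GPO. Without loopback these would never
#    apply, because the GPO is linked to an OU of computers, not users.
#    Sample restrictions (assumed for the example): hide the Run command, disable regedit.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 4. Dump the resulting GPO for review.
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")

# 5. Verify on the terminal server itself (run there, as a test user, after logging on):
#    gpupdate /force
#    gpresult /r /scope:user
#      -> the lockdown GPO should be listed under the user's "Applied Group Policy Objects",
#         and in Replace mode the user's usual OU-linked GPOs should no longer appear.
#    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name UserPolicyMode
#      -> UserPolicyMode : 2
```

Two caveats worth checking before relying on this. The users logging on still need Read and Apply Group Policy permission on the GPO (Authenticated Users has both by default, so only matters if you have security-filtered it), and in Replace mode anything your users normally get from their own OU-linked GPOs, including things you may want to keep such as drive mappings or folder redirection, will not apply on the terminal server; use Merge if you need those, and remember that in Merge mode the computer-scoped user settings win any conflict.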
Bloody brilliant! Why I have never found this in Google searches before is beyond me!
Anyway, the phrase 'you learn something new every day' had real significance because of this. Hope it helps someone else out too!