[ANSWERED] Locking down a Windows Terminal Server for Users who also log in elsewhere
Hi everyone! Got a question here about a Terminal Server I'm configuring [Windows Server 2003 R2].
:: Some Background Info ::
A department here in the school has a student information database in Access. They use an Access front end and a MS SQL back end on the servers. I built that for them last year since, before that, they were using Access back ends and nothing was in sync. Now it is and everything works great. Each person has a file DSN in their ODBC configuration on their computers, and they're able to connect fine. It's only 3 users at the moment. They each have their own desktops which are part of the overall staff systems, with GPOs applied to Staff Computers and Staff Users.
Now they want to expand the database for homestay use. The database is for international students who come to visit the school for a term/year; managing the international students is the sole purpose of this department. They now want to allow select homestay users from their houses access to the database, which currently they don't have. So I'll be making them an account and setting it to Log On To: [terminal server name] so they can only access the terminal server and no computers within our school if they come here.
:: What I need ::
Since I'll be installing the ODBC driver on the terminal server and putting the Access front end on the terminal server for TS users to access, I'll clearly need to create some policies on the server to restrict them to JUST doing what they need to do and accessing only the program they need. My question is, how can I create policies that affect existing users on our network ONLY when they access this server? They have their normal policies they use when they log into their own systems, but they'll need more restricted policies when accessing the terminal server. Yes, I could create them new accounts, but I'd rather have them use the same one so they don't have to remember a ton of usernames and passwords, since they already use a different one for student information, the Access database, their email, and their Windows login. I don't want them to have another for the terminal server.
The only thing I can think of is a loopback policy that contains both computer configuration and user configuration [or two separate policies?] and placing it under an OU with ONLY that server in it. Would that mean that any user configuration there is applied only to users who access that machine? That loopback policy wouldn't affect their normal login, would it? Only other policies attached to that OU? I know I had a loopback policy a while back attached to an OU for one thing only, but it affected all the other policies in that OU [I thought it only affected configuration in that policy].
That in theory should work, I think. Now, what do I do about administration of the server? Because I use my domain admin account to log in to all the servers and perform updates and administration of the servers via RDC, wouldn't that loopback policy also apply to me and cause me to be extremely restricted? How can I get around that?
Hopefully someone has some information for me. I apologize for making such a long post haha, but I greatly appreciate anyone who reads it all and hopefully understands it. I tried to include as much information as possible to make it easier to understand the situation. Thanks so much!
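The setup the post describes (an OU holding only the terminal server, a loopback GPO linked there, "Log On To" restrictions on the homestay accounts, and a way to keep the domain admin out of the lockdown) can be scripted end to end. The following is an added example and not code from the original post or from the poster's environment. It assumes a domain called school.local, a terminal server named TS01, an OU named TerminalServers, a group named TS-Restricted-Users and a homestay account named homestay1, all of which are invented for illustration. It also assumes the ActiveDirectory and GroupPolicy RSAT modules, which require a Windows 7 / Server 2008 R2 or later admin workstation; Server 2003 R2 cannot run these cmdlets itself, but the settings they write (the UserPolicyMode loopback value, the RestrictRun explorer policy, the LogonWorkstations attribute and the GPO ACL) are the same ones the GPMC and Active Directory Users and Computers GUIs set.

```powershell
# Added example, not from the original post. Invented names: school.local, TS01,
# OU=TerminalServers, TS-Restricted-Users, homestay1, TS01-Loopback-Restrictions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = "DC=school,DC=local"
$ouName   = "TerminalServers"
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = "TS01-Loopback-Restrictions"
$group    = "TS-Restricted-Users"
$tsName   = "TS01"

# 1. An OU that contains ONLY the terminal server. Because the loopback GPO is linked
#    here and nowhere else, its user settings are evaluated only for logons to TS01;
#    the users' normal desktops never see it.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
Get-ADComputer -Identity $tsName | Move-ADObject -TargetPath $ouDN

# 2. The group whose members get the restricted user settings on TS01
#    (homestay accounts plus the staff who use the Access front end there).
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path $domainDN
}

# 3. Homestay accounts may log on only at the terminal server. This is the "Log On To"
#    button in ADUC; LogonWorkstations takes a comma-separated list of NetBIOS names.
Set-ADUser -Identity "homestay1" -LogonWorkstations $tsName
Add-ADGroupMember -Identity $group -Members "homestay1"

# 4. The GPO itself. The computer side switches on loopback processing:
#    UserPolicyMode 1 = Merge (user's own GPOs, then these on top), 2 = Replace
#    (only the user settings of GPOs linked to TS01's OU are applied).
$null = New-GPO -Name $gpoName
Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2

#    The user side carries the lockdown. As one illustration, "Run only specified Windows
#    applications" limited to the Access front end (assumed here to be MSACCESS.EXE).
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "RestrictRun" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun" `
    -ValueName "1" -Type String -Value "MSACCESS.EXE"

New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes

# 5. Security filtering is what keeps the domain admin out of the lockdown. Remove the
#    default "Authenticated Users: Apply" and grant Apply to the restricted group only.
#    The TS01 computer account still needs Apply so the computer side (the loopback
#    switch) is processed. A domain admin who RDPs to TS01 is not in the group, so in
#    Replace mode they get no user settings from this GPO at all; they lose their usual
#    user-side GPOs for that session but are not restricted.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName $tsName -TargetType Computer -PermissionLevel GpoApply

# 6. Check the result before anyone logs on: resultant set of policy for TS01 as seen by
#    the homestay account, then repeat with the admin account to confirm it is excluded.
Get-GPResultantSetOfPolicy -Computer $tsName -User "homestay1" -ReportType Html `
    -Path "$env:TEMP\rsop-TS01-homestay1.html"
```

If the admin should keep their normal user-side policies while administering TS01, Merge mode (UserPolicyMode = 1) with the same security filtering does that: the admin's own GPOs apply and the restricted group's settings are simply skipped for them. Merge mode does not protect against a restricted user's own GPOs loosening something, so Replace is the safer choice for the homestay accounts.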