How to disable creation of VPN connections on Windows Server 2008 R2

Tags: group-policy, vpn, windows-server-2008-r2

I have a problem: users are connecting to our terminal server via remote desktop, and then creating VPN connections from it to another server, which then changes the networking and stops all ability to remote desktop into the server.

We'd like to be able to remove a standard user's ability to create or connect VPN connections from the Windows 2008 R2 terminal server, and to this end we created GPOs which are supposed to do just this (User Configuration \ Administrative Templates \ Network \ Network Connections), however it's still possible for users to create connections 🙁 Loopback processing is enabled, and RSoP shows the policies applying to the user on that server, so…

As a temporary workaround I've set the IP Helper Service (which seems to be required to initiate the VPN connection, or at least to do the local routing modifications) to startup type "Disabled". It doesn't seem to be required for anything else we need on that server, though I don't know enough about the service to be sure.

Am I doing something obviously wrong? Has anyone got any good suggestions on how I can achieve this? Or is what I'm trying to do the wrong thing for some reason?

Best Answer

This might seem severe, but, if they don't need access to the Control Panel, I would suggest disabling user access to the entire Control Panel. I use this on a 2003 Terminal Server (yes, I know, not the same version). Basically this prevents the users from making any changes to the machine. Odds are, they probably don't need to anyway and are just mucking up the Terminal Server.

User / Policies / Control Panel / Prohibit access to Control Panel

Though I am not sure if this will work in your situation or not as it is dictated by how much access the users need when they RDP in.

Also, there is a GP that will override the TCP/IP advanced settings if the user is an administrator. You might want to check and make sure the users didn't make themselves local admins. They might be overriding the policy that way.
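An audit script, added here as an example and not taken from the question or the answer, that checks from inside a user's RDP session whether the things discussed above actually landed: the user-side Network Connections policy values, the Control Panel lockout the answer suggests, the IP Helper service state from the question's workaround, and whether the user holds local admin rights. It assumes PowerShell 2.0 on Windows Server 2008 R2; the registry paths and the service name iphlpsvc are the standard ones, and the output labels are my own.

```powershell
# Added audit script (not from the original question or answer).
# Run it in the affected user's RDP session so HKCU reflects that user.

$ncPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Network Connections'
$cpPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

'== Network Connections user policy values (written by the GPO; missing key = policy did not apply) =='
if (Test-Path $ncPolicy) {
    # Dump every value under the key rather than assuming specific value names
    Get-ItemProperty -Path $ncPolicy | Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    "  key missing: $ncPolicy"
}

'== Control Panel lockout: NoControlPanel = 1 when "Prohibit access to Control Panel" is enforced =='
$cp = Get-ItemProperty -Path $cpPolicy -ErrorAction SilentlyContinue
if ($cp -and $cp.NoControlPanel -eq 1) { '  enforced' } else { '  not enforced' }

'== IP Helper service (the temporary workaround from the question) =='
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='iphlpsvc'"
if ($svc) { "  State: $($svc.State)  StartMode: $($svc.StartMode)" } else { '  iphlpsvc not found' }

'== Does the current token carry the Administrators role? (false under UAC unless elevated) =='
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr = New-Object Security.Principal.WindowsPrincipal($id)
$isAdmin = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"  $($id.Name) admin: $isAdmin"

'== Members of the local Administrators group (look for users who added themselves) =='
$grp = [ADSI]'WinNT://./Administrators,group'
$grp.psbase.Invoke('Members') | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
```

If the Network Connections key is missing or empty even though RSoP lists the policy, the user-side policy is not reaching the session, which points at loopback or scope rather than at the settings themselves.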