I’ve done this twice now and it annoys me every time I do it.

I set up a server in a SBS 2008 domain.  I join it to the domain.  It initially goes into the SBScomputers OU that has a prebuilt group policy to allow for remote desktop and firewall exclusions for remote desktop.  I change the server from the SBSComputers OU to the SBSServers OU and if I don’t remember to then manually go back in to the system/remote tab and edit the ability to remote into the server I’ve locked myself out.

So I built a group policy rule so I won’t do that anymore.

First build a WMI filter:

Launch the group policy management console.  Go in the WMI Filter section, right mouse click and click new.  Title up the policy, put in a description, click add.

Leave the root\CIMv2 namespace as is and in the Query section copy and paste in:

Select * from WIN32_OperatingSystem where ProductType=3

You will note that in the Windows SBS Client the query value is like this:

select * from Win32_OperatingSystem Where ProductType!=2

The “!” stands for “does not equal” so that one reads “filter on everything BUT the Domain controller.  The one I’m building is specifically targeting Server OS’s.


Select * from WIN32_OperatingSystem where ProductType=1
Domain Controller
Select * from WIN32_OperatingSystem where ProductType=2
Select * from WIN32_OperatingSystem where ProductType=3

Now we go into the SBSServer OU, right mouse click and click on “Create a GPO in this domain and Link it here”

 Call the group policy something descriptive.  Now go down to Computer Configuration, then to Policies, then to Administrative templates, then to Windows components, then to Terminal Services, then to Terminal Server, then to Connections,  and ensure that “Allow users to connect remotely using Terminal Services” is enabled. 

Next go to  Computer Configuration, then to Policies, then to Windows Settings, then to Security settings then to Windows Firewall with Advanced Network Security and go to inbound rules.

Right mouse click and click on “New Rules”.  Choose predefined rules and choose Remote Desktop (TCP-IN), then Distributed Transaction Coordinator, then Windows Management Instrumentation.  You can thin these down if you like, but for me those three core ones allow me to manage the box remotely better.

So the resulting firewall will look like this:

So there you go, a specific group polcy for member servers.

Word of advice when setting up servers that later will be installed in an office or remote location.  Stick logmein free on there until you get the server stable and policies working just so.  You can accidentally log yourself out of RDP, but chances are the logmein beacon will still work just fine so you can figure out what you did and undo it.


Comments are closed.