Solved

GPO don't work with remote desktop

Posted on 2004-03-26
284 Views
Last Modified: 2010-04-13
Hi,
I have created a GPO in AD on my W2k Server as follows:
OU=Terminal Services
Group=testGroup
User=testAccount

I have also moved the Terminal server named "pam_dev" (non-DC) into this OU
The Group Policy was created using both Computer/User ADM Templates.

On "pam_dev"  I also added the Group
On the securities tab I also selected the read and apply group on:
Authenticated users
Terminal Server user
testgroup

What I need is this:
Users log into Pam_dev using remote desktop, I only want them to have access to certain applications which I already specified on the template.  Logoff option only on the start menu which I also specified.

This is not working... what am I not doing correctly, or what am I overlooking?
I need to resolve this today!

Thanks so much.


Question by:kbergery
2 Comments
LVL 4

Expert Comment

by:berni1234
I have solved it in this way:

associate the GPO to the OU Terminalservices

read + apply the GPO to everyone (so you never forget to put a user into the TSE group)
deny "apply the GPO" for Domain Admins (so the Domain Admin is not affected by the GPO)

Attention! All users are restricted. Only Domain Admins can use all apps.

If you have associated all, run
secedit /refreshpolicy machine_policy /enforce
on the terminal server
LVL 82

Accepted Solution

by: oBdA earned 500 total points
For policies to apply, the target object (user or computer) must reside in (or below) the OU in which the GPO is defined.
So if you have dedicated Terminal Server user accounts, make sure they're under the OU (it is *not* enough to make a user from another OU a member of a security group that is defined in the TS OU).

But using Terminal Services usually requires different settings depending on whether the user logs on to a Terminal Server session or on his desktop.
That's rather easy to do for the computer part, since it's actually two different machines; it's more complicated for the user part, since it's obviously always the same user logging on. If you need/want to have your user accounts in another OU, but still apply different policies for a user when he logs on to a Terminal Server, you need the loopback feature.

1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" rights for the default "Authenticated Users" and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
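The loopback-plus-filtering setup from the accepted answer, written as an added PowerShell example (not from the thread or its posters) for a current domain with the RSAT GroupPolicy and ActiveDirectory modules; it assumes a domain DC=example,DC=local, the OU/GPO/group names below, and WinRM access to pam_dev. It keeps Read on Authenticated Users rather than removing it, because on a patched domain the computer account needs Read to retrieve user GPOs at all.

```powershell
# Added example (not the thread's own commands). Assumptions: RSAT GroupPolicy and
# ActiveDirectory modules, domain DC=example,DC=local, and the names below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$tsOU   = 'OU=Terminal Services,DC=example,DC=local'
$tsGPO  = 'TS-UserRestrictions'   # user-settings GPO: allowed apps, Start menu
$filter = "GPol$tsGPO"            # oBdA's GPol<GPO name> filtering group

# 1. Dedicated loopback GPO: user settings disabled, loopback mode = replace.
#    UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System is the
#    value behind "Configure user Group Policy loopback processing mode"
#    (1 = merge, 2 = replace). Nothing else goes into this GPO.
$lb = New-GPO -Name 'Loopback' -Comment 'Enables loopback only'
$lb.GpoStatus = 'UserSettingsDisabled'
Set-GPRegistryValue -Name $lb.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $lb.DisplayName -Target $tsOU -LinkEnabled Yes | Out-Null

# 2. The actual restriction GPO, computer settings disabled, linked to the same OU.
#    With loopback/replace it applies to every user who logs on to a machine in the
#    OU, whether or not the user object lives under that OU.
$gpo = New-GPO -Name $tsGPO
$gpo.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $tsGPO -Target $tsOU -LinkEnabled Yes | Out-Null

# 3. Security filtering: only members of the GPol group receive "Apply".
#    Read stays on Authenticated Users on purpose: since MS16-072 the computer
#    account reads user GPOs, and stripping Read silently breaks processing.
#    Admins simply are not members of the group, so loopback never restricts them.
New-ADGroup -Name $filter -GroupScope Global -Path $tsOU
Add-ADGroupMember -Identity $filter -Members 'testAccount'
Set-GPPermission -Name $tsGPO -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $tsGPO -TargetName $filter -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Check who can apply the GPO before anyone logs on, then refresh the TS
#    (gpupdate replaces the secedit /refreshpolicy used on Windows 2000).
Get-GPPermission -Name $tsGPO -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
Invoke-Command -ComputerName 'pam_dev' -ScriptBlock { gpupdate /target:computer /force }
```

After a test user logs on to pam_dev, `gpresult /r /scope:user` on the server should list TS-UserRestrictions under applied GPOs and, for an administrator, under "filtered out" with the reason "Access Denied (Security Filtering)".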