Solved

About to give up...

Posted on 2004-03-31
4
396 Views
Last Modified: 2010-04-13
Ok I have read many articles here and other places and still can't get this to work.  Someone please try to explain in there words.

Trying to make separate group policy when logon to terminal server.  I have one DC and a member server with TS in app mode.  All win 2K.  I have created OU called terminal servers.  I have put the terminal server in that OU.  I have added a GPO called "Loopback" and have set the loopback option under computer configuration.  I have set the policy to "shut down the system" for only administrators.

When I log in as a normal domain user, I still have the option to shut down the system.  What gives?
0
Comment
Question by:donnatronious
4 Comments
 
LVL 10

Expert Comment

by:anupnellip
ID: 10722073
Well I dont think you need to create a policy to do this because by default only administrators & power user group has the right to shutdown the server .
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 10722869
Seems like you're on the right track. Your problem can probably solved by creating another GPO in which you define the "shutdown" (and/or other settings); use the "Loopback" GPO *only* for the loopback setting.

Just in case, here's a complete step-by-step procedure:

1. Create a new OU, put your Terminal Server(s) in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). Leave the default security settings of the GPO.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session (or better: anybody logging on to the server). Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
0
 

Author Comment

by:donnatronious
ID: 10726533
Ok cool it works.  I also denied this towards administrators and that works to.  Now, what is the best way too define a mandatory profile for users who login to this computer?
0
 

Expert Comment

by:surleysue
ID: 12995546
I was struggling with this in my spare time for some while. I discovered if a specific setting in the default domain GPO and the remote GPO in the terminal server OU were each configured, and differently, I could not get loopback to work. I removed the troublesome entries from the default policy, leaving the policy unconfigured in the default policy. Then the remote policy lookback worked. I added a GPO to the domain's list called "workstations" with the specific settings for the workstations. I'm taking this off my to-do list.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now