Group Policy for specific users on Terminal Server

Posted on 2004-03-31
Last Modified: 2010-04-13
Can someone please tell me how I would go about setting up a Group Policy Object in Active Directory that would only affect the intended Terminal Server and specific users that connect to it?  I don't want the policy carrying over to every Win2K Pro machine the user logs into, which is where I am now with the config.

Thank you
Question by:zCitrixz

Accepted Solution

by:
oBdA earned 1000 total points
ID: 10726158
Yes, there is a way to apply two different sets of policies depending on whether the user logs on to his desktop or a terminal session. MS calls it the "Loopback" feature of group policies.

1. Create a new OU, put your Terminal Server(s) in there. Create a new GPO in your Terminal Server OU, named, for example, "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). Leave the default security settings of the GPO.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session (or better: anybody logging on to the server). Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
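
The procedure in the answer above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original answer (the modules postdate the Windows 2000-era GUI steps it describes). The domain, OU, server, GPO and group names are placeholders, and the read permission for Domain Computers is an addition that assumes systems patched with MS16-072, where user policy is retrieved in the computer's security context.

```powershell
# Added example: requires the ActiveDirectory and GroupPolicy modules (RSAT).
# Domain, OU, server, GPO and group names are placeholders, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=test'
$ouDn     = "OU=Terminal Servers,$domainDn"
$tsServer = 'TS01'
$userGpo  = 'TSUserLockdown'
$group    = "GPol$userGpo"     # naming scheme from the answer: GPol<GPO name>

# Step 1: dedicated OU holding only the terminal server computer account(s).
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
Get-ADComputer -Identity $tsServer | Move-ADObject -TargetPath $ouDn

# Step 1: a GPO that does nothing except enable loopback processing.
# UserPolicyMode: 1 = Merge, 2 = Replace. Security filtering stays at default.
$loopback = New-GPO -Name 'Loopback'
Set-GPRegistryValue -Name 'Loopback' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$loopback.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name 'Loopback' -Target $ouDn | Out-Null

# Step 2: separate GPO for the user settings, linked to the same OU.
# The settings themselves are added afterwards in the Group Policy editor.
$gpo = New-GPO -Name $userGpo
$gpo.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $userGpo -Target $ouDn | Out-Null

# Security filtering: only members of the group get the user GPO.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$domainDn"
Set-GPPermission -Name $userGpo -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
# Assumption for MS16-072-patched systems: the computer account must still be
# able to read the GPO, or the user settings are silently skipped.
Set-GPPermission -Name $userGpo -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

# Check: both GPOs linked to the OU, and who holds which permission.
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled, Order
Get-GPPermission -Name $userGpo -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission
```

After `gpupdate /force` on the terminal server, `gpresult /r` run in a test user's session there lists which user GPOs were applied and which were filtered out.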

Author Comment

by:zCitrixz
ID: 10728065
Thanks oBdA!  I followed your instruction and everything worked as it was supposed to.  One problem though.  In order to have this setup work, I had to move users to the Terminal Server OU I had made.  I would much prefer keeping them in the Users OU.  I created a global security group with the users I wanted applied to the Terminal Server GPO and added the Group to the GPO with appropriate permissions.  This didn't work.  Is there a way to just have groups in the OU and not Users?

Thanks again

Expert Comment

by:oBdA
ID: 10730376
As said before, you do *not* need to move your users below the TS OU. Once the Loopback feature is activated, the specified GPOs will apply for *every* user logging on to a terminal session (unless prevented by security settings).
Make sure you use the "Loopback" GPO *only* to activate the Loopback; do not specify other policies in this GPO. Instead, create additional GPOs. Make sure as well that the security settings for the Loopback GPO are still at their default setting (Read/Apply for Authenticated Users).
Creating groups in an OU, putting users from another OU in those groups and then trying to apply GPOs to the "Group" OU will *not* work.

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups
http://support.microsoft.com/default.aspx?kbid=220822

Author Comment

by:zCitrixz
ID: 10732415
It's all working great now!  oBdA - your original comment was bang on.  I revisited the configuration and had messed something up with the LoopBack policy.

Thanks oBdA.