Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Setting Group Policies for TSWEB Users

Posted on 2004-04-01
3
Medium Priority
?
439 Views
Last Modified: 2010-03-18
I am running TSWEB on Server 2000, I need to set group policies without locking out the administrator.  Is there another way other then creating an OU Group Policy in AD?(Microsoft Knowledge Base Article 278295.)  This way I need to create logon accounts for Temtinal Server users.  
0
Comment
Question by:adumawal
  • 2
3 Comments
 
LVL 5

Expert Comment

by:visioneer
ID: 10737361
TSWEB uses Terminal Services, so you can either create a Local Policy or use a Group Policy in AD.

A local policy will apply to the local system and everyone who logs into it, Administrator included.

A group policy will apply to only those people who you want it to, depending on where you place it in the tree.

My advice?  Forget the local policy and/or registry changes to lock down the system, because your Administrator will get this applied as well.  Create an OU in Active Directory, stick your server in the OU, create a GPO on the OU with your restrictions.  Then place your Domain Admin account in an OU underneath that one and block policy inheritance.
0
 
LVL 2

Accepted Solution

by:
pretxt earned 2000 total points
ID: 10738754
Correction:
A local policy will be overwriten by the domain policies.
In order to apply the restrictions to all users logging to the server you can do the following:

1. create a group policy and specify your settings
2.in computer configuration, specify "Group policy loopback policy processing" to Replace mode ... this will cause the computer to apply the user settings disregarding previous policies applying to that user
3. go to the security tab and give permissions  to Read & Apply GPO to the computer account of your server
4. for the domain admins group specify "Deny apply GPO"

This way you will have the GPO applied only to the server, and only to the users logging to the server, with the exceptions of domain administrators
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10738772
pretxt is right, that's a better way of doing it.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Screencast - Getting to Know the Pipeline

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question