?
Solved

Setting Group Policies for TSWEB Users

Posted on 2004-04-01
3
Medium Priority
?
449 Views
Last Modified: 2010-03-18
I am running TSWEB on Server 2000, I need to set group policies without locking out the administrator.  Is there another way other then creating an OU Group Policy in AD?(Microsoft Knowledge Base Article 278295.)  This way I need to create logon accounts for Temtinal Server users.  
0
Comment
Question by:adumawal
  • 2
3 Comments
 
LVL 5

Expert Comment

by:visioneer
ID: 10737361
TSWEB uses Terminal Services, so you can either create a Local Policy or use a Group Policy in AD.

A local policy will apply to the local system and everyone who logs into it, Administrator included.

A group policy will apply to only those people who you want it to, depending on where you place it in the tree.

My advice?  Forget the local policy and/or registry changes to lock down the system, because your Administrator will get this applied as well.  Create an OU in Active Directory, stick your server in the OU, create a GPO on the OU with your restrictions.  Then place your Domain Admin account in an OU underneath that one and block policy inheritance.
0
 
LVL 2

Accepted Solution

by:
pretxt earned 2000 total points
ID: 10738754
Correction:
A local policy will be overwriten by the domain policies.
In order to apply the restrictions to all users logging to the server you can do the following:

1. create a group policy and specify your settings
2.in computer configuration, specify "Group policy loopback policy processing" to Replace mode ... this will cause the computer to apply the user settings disregarding previous policies applying to that user
3. go to the security tab and give permissions  to Read & Apply GPO to the computer account of your server
4. for the domain admins group specify "Deny apply GPO"

This way you will have the GPO applied only to the server, and only to the users logging to the server, with the exceptions of domain administrators
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10738772
pretxt is right, that's a better way of doing it.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article is in response to a question (http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28230497.html) here at Experts Exchange. The Original Poster (OP) requires a utility that will accept a list of IP addresses …
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
To export Lotus Notes to Outlook PST or Exchange and Domino Server files to Exchange Server or PST files with ease, go for Kernel for Lotus Notes to Outlook conversion tool. Through the video, you can watch the conversion process. A common user with…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question