Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Course Of The Month
10 days, 5 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Windows 2000 Group Policy
Posted on 2004-04-07
I've applied a domain wide policy for a corporate wallpaper for all users. That works fine. However, I would like to deny this policy when users log in to the terminal services server. I've tried to add the TS computer to the security of the GPO and deny the apply group policy permission, but it doesn't work. If I deny my user the same permission and log on, it works, but for some reason it wont deny for the computer account. Is there something that I'm missing?
Thanks!
Thanks!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
2
8 Comments
To enable a GPO on a computer account, the Computer Object must be in the container which the GPO is being applied... or the GPO must be applied to the container where the computer resides..
FE
FE
Tried your suggestion by creating an OU for the terminal services server computer and applying the GPO there, while denying the apply group policy permission for that computer. However, the same thing occurs, and the policy is still applied when I log into the terminal server.
Any thoughts?
Any thoughts?
I am missing something here also... must be the afternoon doldrums creeping up on me.. Did you try creating a separate policy for that container that did not include the wallpaper, and try actually applying it to the computer account..?? Instead of Deny..??
Active today
Trying to deny a *user* GPO to the Terminal Server *computer* will never work. The GPO user settings apply to users only, and it's always the same user, whether he's logging on to a workstation or to a Terminal Server. To use different settings depending on whether the user logs on to his workstation or a Terminal Server, you'll need the "Loopback" feature.
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better).
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and the "Read Policy" permission for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...
Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better).
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and the "Read Policy" permission for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...
Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
Thanks oBdA.. Just not thinking in TS mode today...!! Was hoping someone else would join in the fun here... :)
oBdA is the winner!! It works just as you said. Took me a while to find the Activate Loopback policy though. You are my hero, and now I can finally get back to slacking off! Thanks my friend!
Featured Post
Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat. The purpose of this eBook is to educate the reader about ransomware attacks.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Part One of the two-part Q&A series with MalwareTech.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month10 days, 5 hours left to enroll
624 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.