• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 475
  • Last Modified:

Group Policies applied to "TERMINAL SERVER USERS" group

Please see the following article:


In my opinion the suggested solution will only work if the Terminal Server is also a domain controller.

My TS is not a domain controller and I have not been able to get the above to work.

It would seem that I would have to use the "Local Computer/TERMINAL SERVER USERS" group to set the policy and not the "Domain/Local Computer/TERMINAL SERVER USERS", however, I don't see any way that can be done.

Currently, I have to create separte accounts for TS users that use TS from their desktop computer, otherwise the stringent policies I apply to the TS aslo apply to their desktop.
1 Solution
To use different settings depending on whether the user logs on to his workstation or a Terminal Server, you'll need the "Loopback" feature.
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better).
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and the "Read Policy" permission for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers

Step-by-Step Guide to Understanding the Group Policy Feature Set
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now