Solved

Group Policies applied to "TERMINAL SERVER USERS" group

Posted on 2004-04-14
1
443 Views
Last Modified: 2012-05-04
Please see the following article:

http://www.serverwatch.com/tutorials/article.php/1497881

In my opinion the suggested solution will only work if the Terminal Server is also a domain controller.

My TS is not a domain controller and I have not been able to get the above to work.

It would seem that I would have to use the "Local Computer/TERMINAL SERVER USERS" group to set the policy and not the "Domain/Local Computer/TERMINAL SERVER USERS", however, I don't see any way that can be done.

Currently, I have to create separte accounts for TS users that use TS from their desktop computer, otherwise the stringent policies I apply to the TS aslo apply to their desktop.
0
Comment
Question by:Packerland
1 Comment
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
Comment Utility
To use different settings depending on whether the user logs on to his workstation or a Terminal Server, you'll need the "Loopback" feature.
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better).
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and the "Read Policy" permission for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now