ljkal (asker, United Kingdom) asked:
W2K3 Terminal Services Group Policy

I want to restrict TS users when they log in from home whilst giving them full access to their PC in the office.

I only have one 2003 Server in the office, the users can get in fine but any GP changes I make affect their office PC too.  Have tried looking at the Loopback feature but can't get it to work!

The only programs I want them to have access to are Word, Excel, Powerpoint, Access, Outlook and they are only to see the P: Public and U: Users folders.

Any help would be greatly appreciated - they want to run with it asap but I want to lock down first (I already have the MS White paper on what to lock down).

Thanks...
Chryyys:
Try using a local group policy instead of an Active Directory policy. A local policy will only affect users when they log into the one machine, leaving their office PCs exactly as they are.
ljkal (asker):
I've created a new GPO for those guys and a new OU but with just one profile for each user obviously. The thing is they'll want access from numerous PCs when they're in satellite offices, not just from one remote PC.

The annoying thing is I got it working, installed my licences afterwards and it all screwed - can't get it to work now!
oBdA:
You're on the right track; with the loopback policy, you can indeed enable different policies depending on where the user logs on to:
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example, "Loopback"; check "deactivate user-defined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). Reboot the Terminal Servers when it's convenient, so that the new settings will apply.

2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.

To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only TS):
For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users" and add it for the proper security group instead. That way you're pretty safe from surprises; you can control who gets which policies applied by changing a user's group membership.

You can/should of course test this with a desktop machine or whatever that you put into a "loopback" OU.

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
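The two-GPO layout described above (a computer-only "Loopback" GPO plus a separately filtered user-settings GPO), scripted as an added example that is not from this thread. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT, Windows Server 2008 R2 or later; Windows Server 2003 itself has no such cmdlets), and the OU distinguished name, GPO names and group name are placeholders.

```powershell
# Added example: build oBdA's loopback layout with the GroupPolicy / ActiveDirectory
# modules. All names and the OU DN below are placeholders for your own domain.
Import-Module GroupPolicy, ActiveDirectory

$tsOU      = "OU=TS,DC=example,DC=local"   # dedicated OU holding only the TS computer account(s)
$filterGrp = "GPolTSLogon"                 # GPol<GPO name> convention from the post above

# 1. Loopback GPO: computer side only, default permissions left alone,
#    and nothing in it except the loopback setting.
$loop = New-GPO -Name "Loopback"
$loop.GpoStatus = "UserSettingsDisabled"
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loop.DisplayName -Target $tsOU | Out-Null

# 2. User-settings GPO, filtered to a global group so that administrators
#    (and anyone else outside the group) never receive it through loopback.
New-ADGroup -Name $filterGrp -GroupScope Global -GroupCategory Security
$ts = New-GPO -Name "TS Logon"
$ts.GpoStatus = "ComputerSettingsDisabled"
Set-GPPermission -Name $ts.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $ts.DisplayName -TargetName $filterGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Since MS16-072 (2016) the computer account must still be able to read a
# user-filtered GPO, so give Domain Computers read access explicitly.
Set-GPPermission -Name $ts.DisplayName -TargetName "Domain Computers" `
    -TargetType Group -PermissionLevel GpoRead | Out-Null
New-GPLink -Name $ts.DisplayName -Target $tsOU | Out-Null

# 3. Checks before rebooting the terminal server: both GPOs are linked to the
#    TS OU, and only the filter group holds Apply on "TS Logon".
(Get-GPInheritance -Target $tsOU).GpoLinks | Select-Object DisplayName, Enabled
Get-GPPermission -Name $ts.DisplayName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{n = "Trustee"; e = { $_.Trustee.Name }}, Permission
```

For the single-server case discussed later in the thread, where the terminal server is also the domain controller, point $tsOU at the Domain Controllers OU instead of a new OU, and verify the Apply permissions listed by the last command before rebooting.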
ljkal (asker):
Man, I'm so happy you posted! Read your other comments and that's how I got it working ok in the first place, but as I said I installed my licences and it screwed.

I've created the new OU called 'Terminal Services', in there I've created a 'Group' of all the Users who want to work remotely. But what do you mean by 'put my Terminal Servers in there'? I tried dragging it over from the 'Built In' Folder but it doesn't move.
Sorry, you're heading in the wrong direction again.
You need a dedicated OU for your terminal servers, where no other machines reside. You do not need to (actually, "may" not) put user accounts in that OU.
Actually, with "I only have one server in the office", do you mean one (dedicated) terminal server, or is that server a DC as well?

If the server is your DC as well, then you don't need to create a separate OU; set the loopback policy and the additional GPOs in the Domain Controllers OU. It's important to create a dedicated GPO to enable the loopback mode as described above, and then additional GPOs for the user settings. But take really, really special care with the application of the GPOs, and make sure that your filtering works as described above! If you don't, you'll lock yourself out from the DC, as the loopback processing will apply the policies to *any* account logging on to the machine in question, if you don't work with GPO permissions! Try this on a test workstation in a separate OU first if you're unsure about the filtering.
ljkal (asker):
Ok, I have a single MS 2003 Standard Server as my DC.  I have deleted the TS dedicated OU.  I have now created a TS GPO that sits under my default GPO.  In the TS GPO Properties I have put a tick in the "Disable User Configuration Settings" box and have also gone into Computer Configuration - Administrative Templates - System - Group Policy and enabled (Replace) the "User Group Policy loopback processing mode".

Now, for a simple test in this GPO I've gone into User Configuration - Administrative Tools - Windows Components - Internet Explorer - Browser Menus and Enabled "Hide Favorites Menu" (a pretty safe test!).

In the Properties - Security tab of this TS (Terminal Services) GPO I have Denied "Apply Group Policy" to the Domain Admins and the Enterprise Admins. (I have left the ENTERPRISE DOMAIN CONTROLLERS, SYSTEM, CREATOR OWNER, Authenticated Users as they appear).

This still doesn't apply my simple GP (Hide Favorites Menu) when I TS in??? Do I have to add another User Group or users to this list? What am I doing wrong???

Many thanks in advance...
You seem to have used the same GPO for the Loopback mode and the user setting; as I wrote before, this will NOT work. You need one GPO (you can leave the default permissions) to enable the Loopback feature, and an *additional* GPO (only applied to selected users by security filtering) for the user settings you want to apply.
The machine needs to be rebooted for the Loopback GPO to be applied and working.
ljkal (asker):
Aaaaaagh. So I enable Loopback in my default GPO and use my new TS GPO for the settings (restrictions) and put the affected users in the Security window?

Will try it now - nearly there - thanks for all this!
ljkal (asker):
Tried that and...

My new second GP applies to my TS user AND desktop user.  Arse.

To clarify, my default GPO has User Configuration Settings disabled and Loopback enabled (replace). I made changes in my new TS GPO. I created a user group to add my TS Users and added that in the Security with the Read and Apply GP boxes ticked.

I know we're not far off but why isn't Loopback working now??? Have rebooted PC and Server...
Are your user accounts below the OU in which you specified the user settings? If so, then that's why; as I wrote above, the user accounts may not be under the OU in which your TS is.
You need a setup that basically looks like this:

OU TS [GPO Loopback] [GPO TS Logon]
  +---- Terminal Server Account
OU User [GPO Desktop Logon]
  +---- User Accounts
ljkal (asker):
Gone through everything with a fine-toothed comb and can only locate (under my domain in ADUC) Terminal Server Licence Servers (which won't move) which lives under "Builtin", and Terminal Server Computers, under Users. I think I'm gonna re-build this Server as I no longer trust it after all the changes... Will get back to you guys...!
ASKER CERTIFIED SOLUTION (oBdA)
I've found the following method easier ...

create an ou specifically for your terminal server ... find the server in the computers folder and drag to the new terminal server ou ... from there you can apply any machine GPO you'd like to link. remember to disable the user configuration settings. this way the gpo only applies to users logging into the terminal server ... not to their specific computers.

does the last solution work if the ts server is a dc?
should .. I can't think of any reason why it wouldn't ... unfortunately, it's machine specific so you'll need to have group policy manager on a local workstation or something so you can disable the policy if something goes haywire ...

this will also apply to users who log in locally ... so be careful.

only that you would have to drag it out of the default domain controllers container.  i have never done that, i just wasn't sure if it would be an issue or not.
Actually, if you do that you'll lose the domain controllers default policy ... which is important. I don't recommend doing that. since it is a DC, I wouldn't create the whole OU thing ... if it's your only server, you can simply add the group policy to the Domain Controllers OU. If it isn't your only server, create the OU and link the existing Domain Controllers default policy and then add the Terminal Server group policy. again, make sure you have group policy manager or something on a workstation so you can edit the policy if necessary.
ljkal (asker):
It IS the only server in my domain...