mickinoz2005

Terminal Services and Group Policy Access

Hi there,

A quick question: I am wondering how to set up a group policy that would restrict users' access, as in locking down the desktop, locking Control Panel, etc., but only when they are logged on to our terminal server. So if they log on to a normal workstation these policies are not applied, just when they log on to our terminal server, but obviously I don't want these policies to be applied to the administrator account at all, especially on the TS.

As our users move around, sometimes they will be on TS but not always, so when they are on normal workstations they will need to have access to certain things they won't when on TS.

I know it can be done just cannot work the logic out in my head.

Michael
dmccurdy51

You will need to create a custom OU in "Users and Computers". Normally we put this under the servers OU.

- Right click on the OU and go to the Group Policy tab.
- Click the check box for Block Inheritance. This will prevent other policies from being applied to your terminal server.
- In that same tab create a new Group Policy for Terminal Servers.

For preventing administrators from getting the policy do the following.

mickinoz2005

There is no Security tab, that is only in Windows 2000, so how do I deny the policy to run for administrators in Windows 2003?

Michael

My Windows 2000 boxes have this tab.

- Right click the TS OU
- Select Properties
- Group Policy tab
- Highlight the Group Policy Object
- Select Properties
- There should be a Security tab.

Yeah, but I am not using Windows 2000, I am using 2003, and you use the Group Policy Management tool in 2003. It does not look like 2000, so there is no Security tab.

Michael

OK, I misunderstood what you were saying.

The tab or lack of one is not a result of 2000 vs 2003. It's a result of having Group Policy Management installed or not.
I would go to a machine that does not have this utility installed and complete the security change. That is what I do.

I was not able to locate it in the GP Management tool as well. There is some basic functionality under the Delegation tab but nothing I can see that allows deny.

Jeffrey Kane - TechSoEasy

mickinoz2005,

What you are trying to do is called "User State Management". Server 2003 SP1 and R2 will automatically sense where the user is logging in from and provide the necessary rights controls based on this login location or device.

For an overview and how-to's please see http://technet2.microsoft.com/WindowsServer/en/Library/23ee2a30-5883-4ffa-b4cf-4cfff3ff8cb71033.mspx

Jeff
TechSoEasy
Hiya dmc,

Just wondering about our lack of the Security tab: is there no way to access this Security tab without not having GPMC, as all our servers have it?

Michael

If all you want is to modify security settings for a particular OU, then you can just go to the OU in ADUC > Right Click for Properties, and then you'll have a Security tab where you can add a DENY setting for about 100 or so different container objects... you need to change the "Apply Onto" setting to GroupPolicyContainerObjects in order to get the GP security settings to show up.

Jeff
TechSoEasy

No, I have been unable to find these granular settings under the GPMC. Try installing the adminpack on an XP workstation and do it from there.
TechSoEasy, this does not exist in ADUC once the GPMC has been installed.

Really?  Hmmm... it does in mine.

Jeff
TechSoEasy
Hiya,

Just following on from this, I created an OU for Terminal Computers and moved the TS into this OU. I then created a GP under this OU which in theory was going to apply to users when they logged in, however it does not. I am trying to lock down the TS so they can't have access to certain areas, but no user settings I specify work on this OU. Now I know that if I put computer settings they will work.

So how do I get this OU to apply user settings when the user logs into the TS?

Michael

Maybe in this case it's not reinventing the wheel, more changing the design. I want to control the level of access to the server. I don't want standard settings applied.

Is it possible to do what I want or not? That's basically the question, and if so, how? Got to be something simple.

Michael
Of course it's possible, that's why I provided the link to that KB above... which describes exactly how to do it.

Jeff
TechSoEasy