• Status: Solved

GPO for users when they log into Terminal Servers

Is there any way that you can set up a GPO so that you can use the User configuration portion of GPOs for users when they log into a terminal server, but not have the GPO apply when they log into their local workstation?
0
ryankowski
Asked:
1 Solution
 
oBdA Commented:
Yes, with the "Loopback" feature.
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - User group policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better).
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
0
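The steps in the answer above, scripted as an added example that is not part of the original post. It assumes the GroupPolicy and ActiveDirectory PowerShell modules, which ship with later Windows Server releases than the 2000/2003 servers in this thread; the domain, OU, GPO and group names are placeholders.

```powershell
# Added example: every name below is a placeholder, not taken from the thread.
Import-Module GroupPolicy, ActiveDirectory

$DomainDN = 'DC=example,DC=test'
$TsOuDN   = "OU=Terminal Servers,$DomainDN"
$LoopGpo  = 'Loopback'
$UserGpo  = 'TSUserLockdown'
$Group    = "GPol$UserGpo"     # one filter group per GPO, as the answer suggests

# Step 1: OU for the terminal servers (move the computer accounts here afterwards).
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$TsOuDN'")) {
    New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $DomainDN
}

# Loopback GPO: computer settings only, and nothing except the loopback switch.
$loop = New-GPO -Name $LoopGpo
$loop.GpoStatus = 'UserSettingsDisabled'
# UserPolicyMode is the registry value behind "User Group Policy loopback
# processing mode": 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $LoopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $LoopGpo -Target $TsOuDN | Out-Null

# Step 2: separate GPO for the user settings, linked to the same OU.
$user = New-GPO -Name $UserGpo
$user.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $UserGpo -Target $TsOuDN | Out-Null

# Security filtering: only members of the filter group get the user GPO.
# Leave administrators out of the group to exclude them.
New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$DomainDN"
Set-GPPermission -Name $UserGpo -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Downgrade Authenticated Users from Apply to Read rather than removing the
# entry, so the GPO can still be read when policy is processed.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Check the result before rebooting the terminal servers.
Get-GPRegistryValue -Name $LoopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPPermission -Name $UserGpo -All | Select-Object Trustee, Permission
```

After the servers restart, `gpresult /r` in a terminal server session should list the user GPO under the applied user settings.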
 
ryankowski (CEO, Author) Commented:
I will attempt this over the weekend and give you the points once I verify
0
 
ryankowski (CEO, Author) Commented:
One thing to note - group policies is under system in Administrative Templates
0
 
ryankowski (CEO, Author) Commented:
Another question - because we are doing some testing with our apps, we are using half 2000 Terminal Servers and half 2003. I have implemented the policies as instructed above. All Servers are in the same OU. The 2000 servers have the policies loaded, but the 2003 do not. I even tried doing a gpupdate /force, but I check with gpresult that it doesn't apply - any reason why?
0
 
oBdA Commented:
Did you reboot the machines after you enabled the loopback policy? If not, do so.
0
 
ryankowski (CEO, Author) Commented:
yes - I rebooted and still no luck
0
 
ryankowski (CEO, Author) Commented:
I figured it out - I have Network Load Balancing on these servers. Once I disabled the NIC and rebooted it applied. I then enabled it and everything still works.
0
