GPO for users when they log into Terminal Servers

Is there any way that you can set up a GPO so that you can use the User configuration portion of GPOs for users when they log into a terminal server, but not have the GPO apply when they log into their local workstation?
ryankowskiCEOAsked:
 
oBdA Commented:
Yes, with the "Loopback" feature.
1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - User group policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better).
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
 
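The two steps and the security group filtering from the answer above, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread). It assumes a management host with the RSAT GroupPolicy and ActiveDirectory modules; the OU paths and the user GPO name are placeholders, and Replace mode is picked only for illustration.

```powershell
# Added example. Assumed: RSAT GroupPolicy + ActiveDirectory modules are installed;
# the OU paths and the user GPO name below are placeholders, not from the thread.
Import-Module GroupPolicy, ActiveDirectory

$tsOu      = 'OU=Terminal Servers,DC=example,DC=com'  # placeholder: OU holding the TS computer accounts
$groupOu   = 'OU=Groups,DC=example,DC=com'            # placeholder: where the filter group is created
$userGpo   = 'TS User Lockdown'                       # placeholder GPO name
$filterGrp = 'GPol' + ($userGpo -replace '\s', '')    # naming scheme from the answer: GPol<GPO name>

# Step 1: dedicated "Loopback" GPO. It carries only the loopback setting,
# so its User Configuration half is disabled.
$loop = New-GPO -Name 'Loopback'
$loop.GpoStatus = 'UserSettingsDisabled'
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name 'Loopback' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name 'Loopback' -Target $tsOu | Out-Null

# Step 2: separate GPO for the user settings, linked to the same OU.
# Its Computer Configuration half is disabled.
$user = New-GPO -Name $userGpo
$user.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $userGpo -Target $tsOu | Out-Null

# Security filtering: only members of the filter group get "Apply".
# Administrators stay out of scope simply by not being members.
New-ADGroup -Name $filterGrp -GroupScope Global -GroupCategory Security -Path $groupOu
# Downgrade Authenticated Users from Read+Apply to Read. Read is kept on purpose:
# the GPO still has to be readable in order to be processed at all.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName $filterGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check the resulting delegation: exactly one trustee should show GpoApply.
Get-GPPermission -Name $userGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After a reboot of the terminal server, `gpresult` run in a user's session there should list the user GPO, and the same user's workstation logon should not.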
ryankowskiCEOAuthor Commented:
I will attempt this over the weekend and give you the points once I verify
 
ryankowskiCEOAuthor Commented:
One thing to note - group policies is under system in Administrative Templates

 
ryankowskiCEOAuthor Commented:
Another question - because we are doing some testing with our apps, we are using half 2000 Terminal Servers and half 2003. I have implemented the policies as instructed above. All Servers are in the same OU. The 2000 servers have the policies loaded, but the 2003 do not. I even tried doing a gpupdate /force, but I check with gpresult that it doesn't apply - any reason why?
 
oBdA Commented:
Did you reboot the machines after you enabled the loopback policy? If not, do so.
 
ryankowskiCEOAuthor Commented:
Yes - I rebooted and still no luck
 
ryankowskiCEOAuthor Commented:
I figured it out - I have Network Load Balancing on these servers. Once I disabled the NIC and rebooted it applied. I then enabled it and everything still works.
Question has a verified solution.
