NDnickb

asked on

Group Policy for Terminal Servers

I'm migrating my NT4 domain over to an Active Directory system.  However I'm having a problem setting up a Group Policy.  It relates to Terminal Server.

I have an OU with just the Terminal Servers in it.  Win2k Standard Server.  No users.  I have a separate OU with the users in that.  The users sometimes log into the Terminal Server, sometimes into a PC.  When they log into the TS, I need a more restrictive policy to take effect.  All of the settings are only User based Policies, no computer based.

The rule I have works, but only if I apply it to Authenticated Users.  If I apply it to the group instead, it doesn't work.  I've tried loopback, but that didn't help.  I may not have done that right, I'm not sure.

Any guidance would be greatly appreciated.  This is my last obstacle to moving to AD for Win2k3.

Thanks.
ASKER CERTIFIED SOLUTION
bilbus

NDnickb

ASKER

Ok, I think I've narrowed down my issues.  First problem was "who" the GPO was being applied to.  I was using the Group Policy Management tool and couldn't get it to work with anyone but "Authenticated Users".  But by going through Users and Computers, I've been able to set it so the right person has read/apply settings, and the admins don't.

But that brings me to my next problem.  I can get the policy to work if I select a single person.  But if I apply it to a group, it doesn't.  What's really strange is that if I log in as that user and have the rule only applied to the group, run GPResult, it doesn't show that the user is even in the Security Group.  What would cause that?  Any ideas?
NDnickb

ASKER

I've just done some more testing.  First off, the group is a Global Group, not domain local.  If I apply it to that group, it still doesn't work.  But at least now the test user shows up as being in that group when I run a GPResult.  The GPO still doesn't work though when I apply it only to that group.

But if I remove that group and put in "Authenticated Users", then do a "deny" apply to Domain Admins and Enterprise Admins, it works.  Not the way it "should", but it gets the job done.

Any thoughts or can anyone fill me in on why it isn't working with my Security Group?
NDnickb

ASKER

If anyone is interested, I've got it working.  What I needed was to add the computer account to the Global Security group.  Then it works.