Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 241
  • Last Modified:

Group Policy for Terminal Servers

I'm migrating my NT4 domain over to an Active Directory system.  However I'm having a problem setting up a Group Policy.  It relates to Terminal Server.

I have an OU with just the Terminal Servers in it.  Win2k Standard Server.  No users.  I have a seperate OU with the users in that.  The users sometimes log into the Terminal Server, sometimes into a PC.  When they log into the TS, I need a more restrictive policy to take effect.  All of the settings are only User based Policies, no computer based.

The rule I have works, but only if I apply it to Authenticated Users.  If I apply it to the group instead, it doesn't work.  I've tried loopback, but that didn't help.  I may not have done that right, I'm not sure.

Any guidance would be greatly appreciated.  This is my last obstacle to moving to AD for Win2k3.

  • 3
1 Solution
you need to apply loopback to a GP object

Also you need to reboot the TS server once you apply loopback

What loopback does is it lets you make changes to the USERS section, and have it apply only to the users when they login to the terminal server. Loopback will prevent the settings from being applyed to the users when loged into their workstations.

This write up works, i used it a while back

NDnickbAuthor Commented:
Ok, I think I've narrowed down my issues.  First problemw was "who" the GPO was being applied to.  I was using the Group Policy Management tool and couldn't get it to work with anyone but "Authenticated Users".  But by going through Users and Computers, I've been able to set it so the right person has read/apply settings, and the admins don't.

But that brings me to my next problem.  I can get the policy to work if I select a single person.  But if I apply it to a group, it doesn't.  What's really strange, is that if I log in as that user and have the rule only applied to the group, run GPResult, it doesn't show that the user is even in the Security Group.  What would cause that?  Any ideas.
NDnickbAuthor Commented:
I've just done some more testing.  First off, the group is a Global Group, not domain local.  If I apply it to that group, it still doesn't work.  But at least now the test user shows up as being in that group when I run a GPResult.  The GPO still doesn't work though when I apply it only to that group.

But if I remove that group and put in "Authenticated Users", then do a "deny" apply to Domain Admins and Enterprise Admins, it works.  Not the way it "should", but it gets the job done.

Any thoughts or can anyone fill me in on why it isn't working with my Security Group?
NDnickbAuthor Commented:
If anyone is interested, I've got it working.  What I needed was to add the computer account to the Global Security group.  Then it works.

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now