• Status: Solved

Preventing server policies being applied to workstations

I have configured a standard end-user policy in Windows Server 2003 that is linked to the domain, in an environment where most users log on as a terminal services session and run no applications locally.  This has caused a problem for the few users that do not log on as terminal services sessions.  The policies that were designed for the terminal service sessions are linked to the domain and are being applied to local workstations as well as TS sessions.

I have tried linking the policies to the server or domain controller groups, but they do not apply when I do this.

Trev
0
Asked by: trevortucker
2 Solutions
 
Jay_Jay70 Commented:
Hi trevortucker,

You can use Group Policy security filtering to deny the users applying the policy:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 
trevortucker (Author) Commented:
The problem here is that as well as running off the workstation, these same users need to log in as Terminal Services sessions as well (e.g. when working remotely), so denying users access to the GPO is not really going to work.

Trev
0
 
bilbus Commented:
http://support.microsoft.com/default.aspx?scid=kb;en-us;260370

You need to configure a new GP, apply it to the OU with the TS server in it.
You need to set it up in loopback processing mode.

Don't apply it to the whole domain, but only to the OU that holds the server.
0
 
trevortucker (Author) Commented:
I have basically done that, but do not know anything about loopback processing.  How do I set that?

Trev
0
 
Jay_Jay70 Commented:
0
 
trevortucker (Author) Commented:
I enabled that setting and it still isn't working.  Here is what I have:

2 x group policies - "Administrators" and "Users".  The Administrator's GPO is basically configured to give access to everything.  The User's GPO is configured to disable many features, such as screen saver, shutdown, regedit, command prompt, etc.  Both of these GPOs were configured under the domain object, which causes the problem detailed above.

I have deleted the GPO link to the domain object for both policies and instead linked them to the Servers OU.  ADS shows the server that users log on to in this OU.

Secondly, I created a "Workstations" GPO and linked it to the Workstations OU.  ADS shows all the workstations in this OU.

Finally, I have enabled loopback processing.

After completing these steps, it is not applying the Users GPO that is now linked to "Servers", when logging in to the server as a Terminal Services session.  I do not understand why it is not applying this GPO.

Trev
0
 
bilbus Commented:
You only need one policy.

You need to link it to the terminal server's OU (with only the TS in there).

You don't link it to any other OUs.

In security filtering you need to add the users or groups you want this applied to.
You just add domain admins to the advanced security filtering "deny apply group policy".

I wish EE let you post screenshots, I would let you see mine.

Did you enable loopback in the policy and reboot the TS? You need to reboot before it takes place.

http://support.microsoft.com/kb/231287/
0
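
Added example, not part of the original thread or of any Microsoft tool: a simplified Python model of the behaviour described in the answer above, showing which user-side settings a user receives depending on where they log on, the loopback mode set on that computer, and security filtering. All OU, GPO, group and setting names are constructed, and the model ignores block inheritance, enforced links and WMI filters.

```python
# Added illustration: simplified model of how user-side GPO settings are chosen.
# OU, GPO, group and setting names are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict
    apply_groups: set = field(default_factory=lambda: {"Authenticated Users"})
    deny_groups: set = field(default_factory=set)

def gpos_for(path, links):
    """GPOs linked along a container path, domain first (lowest precedence)."""
    return [gpo for container in path for gpo in links.get(container, [])]

def user_rsop(user_groups, user_path, computer_path, links, loopback=None):
    """Effective user settings; loopback is the mode set on the computer:
    None (normal), 'merge' or 'replace'."""
    if loopback == "replace":      # only GPOs at the computer's location
        order = gpos_for(computer_path, links)
    elif loopback == "merge":      # user's GPOs first, computer's GPOs win
        order = gpos_for(user_path, links) + gpos_for(computer_path, links)
    else:                          # normal: only GPOs at the user's location
        order = gpos_for(user_path, links)
    result = {}
    for gpo in order:              # later GPOs overwrite earlier ones
        allowed = gpo.apply_groups & user_groups
        denied = gpo.deny_groups & user_groups
        if allowed and not denied:  # an explicit deny always wins
            result.update(gpo.user_settings)
    return result

# One lockdown GPO, linked only to the terminal server's OU, Domain Admins denied.
LOCKDOWN = GPO("TS Lockdown", {"NoCommandPrompt": 1, "NoRegedit": 1},
               deny_groups={"Domain Admins"})
LINKS = {"OU=Terminal Servers": [LOCKDOWN]}
USER_PATH = ["DC=example", "OU=Staff"]
TS_PATH = ["DC=example", "OU=Terminal Servers"]
WS_PATH = ["DC=example", "OU=Workstations"]
STAFF = {"Authenticated Users", "Domain Users"}
ADMIN = STAFF | {"Domain Admins"}

if __name__ == "__main__":
    print("staff on TS, loopback replace:", user_rsop(STAFF, USER_PATH, TS_PATH, LINKS, "replace"))
    print("staff on TS, no loopback:     ", user_rsop(STAFF, USER_PATH, TS_PATH, LINKS))
    print("staff on workstation:         ", user_rsop(STAFF, USER_PATH, WS_PATH, LINKS))
    print("admin on TS, loopback replace:", user_rsop(ADMIN, USER_PATH, TS_PATH, LINKS, "replace"))
```

The "no loopback" case returns nothing because user settings normally come only from GPOs in scope for the user object, which is why a user policy linked to a server OU has no effect until loopback is in force on that server.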
 
trevortucker (Author) Commented:
Have not rebooted.  Will try doing that after hours tonight.

Trev
0
