Solved

Terminal Services and Loopback processing

Posted on 2006-07-20
3
490 Views
Last Modified: 2008-02-26
I am attempting to build a Terminal Server to allow access to an accounting application to a few select users. Domain Is 2003 native and Terminal is 2003. I also want to enable the TS Lockdown GPO settings. I have created a seperate OU (container) for the terminal server and placed the server within. I enabled the loopback processing via a GPO on this container along with the TS Lockfdown GPO settings. Originally, I had created a group named TS Users and added the select few user accounts to this group- and placed this group within the container. This did not work,and in a previous question- I learned that you cannot apply GPO's to groups. Then I moved the select users accounts to the Terminal Server OU (container) and it DID work. They logged in, the application popped up, and all TS Lockdwon settings were applied.

BUT- when the users logged into their WORKSTATIONS, the TS Lockdown GPO settings applied to their accounts on their workstations as well. I did enable loopback processing for the GPO assigned to this container. What am I doing wrong? I want this GPO to ONLY apply when they are in a terminal session. When they are not in a term session, I want the standard GPO's link to the domain (ie. default domain policy, etc...) to apply. Please help...

If I delegate this to all authenticated users (read and apply GPO), will this apply to everyone on their individual workstations- or did this previously happen b/c I had placed the TS Users account in the container???
0
Comment
Question by:Trihimbulus
  • 2
3 Comments
 
LVL 84

Expert Comment

by:oBdA
ID: 17147224
Do NOT, I repeat, do NOT place the user account in or below the OU with the TS account where you applied the loopback policy. Put them back into a "normal" OU.
Once you apply a loopback policy to a computer, and then add user policies to this OU, the user policies will apply to ALL users logging on to that machine, regardless of which OU their accounts are in.
Use one GPO to enable the loopback setting only; leave the default permissions for this GPO, and disable the User Configuration (it's not needed, and disabling it will speed up the process a bit).
Create another GPO in which you configure the locked down settings for the users. To prevent locking out administrators, use the group you already created: remove the default "Authenticated Users" from the Read and Apply permissions of the TS user GPO, and set these permissions for the security group instead.
0
 

Author Comment

by:Trihimbulus
ID: 17147393
Thanks! Do I have to keep the "TS Users" security group in the container- or can it just be in the default Users container?

Do I need to set "Replace" for Loopback processing or "Merge"?

What part of the User Configuration in the Loopback GPO to I need to disable to speed things up?
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 17147525
1. It doesn't matter at all in which OU the security group is stored.
2. The loopback mode to choose depends entirely on what suits you better.
3. This is not a policy; in the properties of the GPO, you can disable the user configuration or the computer configuration (or both). Since the user configuration isn't needed in the Loopback GPO, you can set this to disabled. In the same way, if you don't use Computer Configuration settings in the lockdown GPO, you could disable the Computer Configuration part in this one.

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
how to check the account lockout counter? 6 75
Backup DHCP Server 8 127
Exchange 2003 converted to VM but now email does not work 5 76
SSIS Paramater on start 2 22
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question