Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 248
  • Last Modified:

Default Domian Group Policy Objects

Hi

I have question from a MS 290 paper that im not clear on


You have a network that runs all win20003 computers.

Three of the servers are Terminal Servers

The company hires 20 temporary staff, and you create an account for each one.

You need to prevent the temp staff from logging onto the Terminal servers.


The answer says. On the Terminal services profile tab for the user account, disable the option to log onto a terminal server.

I understand that. But I do not get why the following will not work

"Modify the Default Domain Group Policy Object (GPO). You should configure a computer level policy to prevent the temporary staff from connecting to the terminal servers"

Why would that not work......If it says modify the policy to prevent the temp staff from getting access, surely that is what you wanted


Thanks
0
LFC1980
Asked:
LFC1980
  • 4
  • 3
  • 3
2 Solutions
 
oBdACommented:
Now, which policy exactly would you configure how to achive this result?
There just aren't policies for everything, and there's no computer policy to prevent a group from users logging on to a terminal server.
0
 
LFC1980Author Commented:
Ah ok.

Cheers mate
0
 
LFC1980Author Commented:
....sorry. Was just about to make a note of what you said, but in the practise paper it says the only reason the that would not work is, because it will affect all users.

Is the paper printed wrong? Or is there just NO possible way what so ever to prevent access to a terminal server via policy?
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
oBdACommented:
You can disable remote connections completely through a computer policy, but not for a group of users. Check the policies in Computer Configuration\Administrative Templates\Windows Components\Terminal Services.
In those questions, just because something sounds reasonable and doable does not mean it can actually be done that way.
0
 
PowerITCommented:
You can implement a group policy for a group of users by setting the security for 'Apply Group Policy' on the GPO to just the group of users you want.
Of course, this only works if those users are in a OU where the GPO is applied to.
The setting you are looking for is: /Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Allow Users To Connect Remotely using Terminal Services. Set it to Disbaled.

Also by modifying the Default Domain GPO this indeed applies to ALL users. That's why it is the default. GPO are inherited by default, so the Default Domain GPO is the highest level inhertied by all OU's under it. You should create a seperate GPO, you don't want to change the security on the Default Domain GPO.

J.

0
 
oBdACommented:
Again: This is a *computer* policy; it can *not* be restricted to a group of *users*.
0
 
PowerITCommented:
oBda, I'm restricting access to terminal services using user groups for more then 5 years.
But *not* like I mentioned above. Don't know what happened. Must be because we are Friday.
I'm very very sorry about that :-(

OK, the correct way is through 'Terminal Services Configuration' (on the terminal server itself).
Then open Connections/RDP-TCP.
You'll find a tab 'Permissions' where you can enable and disable user access per user of group.

J.
0
 
LFC1980Author Commented:
So who is right?
0
 
PowerITCommented:
Both. I'll explain:
My first statement was wrong, my last is correct.
Which also means that it can not be done using a GPO, only through Terminal Services Configuration combined with a group.
That makes oBda also right ;-)

J.
0
 
LFC1980Author Commented:
Ah right

Cheers guys
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now