Solved

Default Domian Group Policy Objects

Posted on 2006-11-09
10
240 Views
Last Modified: 2010-04-11
Hi

I have question from a MS 290 paper that im not clear on


You have a network that runs all win20003 computers.

Three of the servers are Terminal Servers

The company hires 20 temporary staff, and you create an account for each one.

You need to prevent the temp staff from logging onto the Terminal servers.


The answer says. On the Terminal services profile tab for the user account, disable the option to log onto a terminal server.

I understand that. But I do not get why the following will not work

"Modify the Default Domain Group Policy Object (GPO). You should configure a computer level policy to prevent the temporary staff from connecting to the terminal servers"

Why would that not work......If it says modify the policy to prevent the temp staff from getting access, surely that is what you wanted


Thanks
0
Comment
Question by:LFC1980
  • 4
  • 3
  • 3
10 Comments
 
LVL 84

Expert Comment

by:oBdA
ID: 17908096
Now, which policy exactly would you configure how to achive this result?
There just aren't policies for everything, and there's no computer policy to prevent a group from users logging on to a terminal server.
0
 

Author Comment

by:LFC1980
ID: 17910497
Ah ok.

Cheers mate
0
 

Author Comment

by:LFC1980
ID: 17910543
....sorry. Was just about to make a note of what you said, but in the practise paper it says the only reason the that would not work is, because it will affect all users.

Is the paper printed wrong? Or is there just NO possible way what so ever to prevent access to a terminal server via policy?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 84

Expert Comment

by:oBdA
ID: 17912797
You can disable remote connections completely through a computer policy, but not for a group of users. Check the policies in Computer Configuration\Administrative Templates\Windows Components\Terminal Services.
In those questions, just because something sounds reasonable and doable does not mean it can actually be done that way.
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 17913390
You can implement a group policy for a group of users by setting the security for 'Apply Group Policy' on the GPO to just the group of users you want.
Of course, this only works if those users are in a OU where the GPO is applied to.
The setting you are looking for is: /Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Allow Users To Connect Remotely using Terminal Services. Set it to Disbaled.

Also by modifying the Default Domain GPO this indeed applies to ALL users. That's why it is the default. GPO are inherited by default, so the Default Domain GPO is the highest level inhertied by all OU's under it. You should create a seperate GPO, you don't want to change the security on the Default Domain GPO.

J.

0
 
LVL 84

Accepted Solution

by:
oBdA earned 63 total points
ID: 17913447
Again: This is a *computer* policy; it can *not* be restricted to a group of *users*.
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 17913900
oBda, I'm restricting access to terminal services using user groups for more then 5 years.
But *not* like I mentioned above. Don't know what happened. Must be because we are Friday.
I'm very very sorry about that :-(

OK, the correct way is through 'Terminal Services Configuration' (on the terminal server itself).
Then open Connections/RDP-TCP.
You'll find a tab 'Permissions' where you can enable and disable user access per user of group.

J.
0
 

Author Comment

by:LFC1980
ID: 17947111
So who is right?
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 63 total points
ID: 17947664
Both. I'll explain:
My first statement was wrong, my last is correct.
Which also means that it can not be done using a GPO, only through Terminal Services Configuration combined with a group.
That makes oBda also right ;-)

J.
0
 

Author Comment

by:LFC1980
ID: 17948185
Ah right

Cheers guys
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question