Solved

Apply different Group Policy to user in TS vs on PC

Posted on 2008-09-30
Last Modified: 2013-11-21
Hello all! We have one terminal server in our environment (2k3) that we use for Citrix. We mainly just publish applications with it. However, recently a need has arisen for a select few users to have a remote desktop session. These users have PCs. I need to apply a strict group policy to them whenever they log into the ICA session, but don't want the settings to apply to them when they are logged into their PCs. Any ideas?
Question by:JWL5537
10 Comments
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 100 total points
ID: 22609314
Create a GPO linked to the OU with the TS configuring
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

Create another GPO for the restricted users and configure security filtering to only apply to the group with the users. Link the GPO to the OU with the TS
0
 
LVL 4

Expert Comment

by:FourBeers
ID: 22611848
henjoh09 has the right idea, and there are two options in that loopback processing mode. The loopback processing means that when you apply a GPO to a computer (like your TS), any settings defined in the "User" section of that GPO are applied to users logging onto that computer. However, these settings can either be "merged" with settings applied by other GPOs, or they can "replace" them (so no other user GPO settings are applied from other GPOs), so you just need to decide which is best for you.
0
 

Author Comment

by:JWL5537
ID: 22617764
Yes, but won't this affect their logins to the PCs as well?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22618016
No, the meaning of using loopback processing for GPOs is to apply policies for users only when they log on to special computers like TS etc.
As you link the user-GPOs to the TS-OU, the policies will not apply when the users log on to computers outside of that OU.
0
 

Author Comment

by:JWL5537
ID: 22618864
This doesn't seem to be working. I created a GPO and linked it just to the OU - not domain, with the loopback processing. Made sure it was applied first. Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain. The users get the standard desktop when logging into the terminal server and PC. However, when the GPOs are linked to the domain, they get the drummed down version that I'm looking for with the terminal server desktop.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22619146
What loopback processing mode did you use?
0
 

Author Comment

by:JWL5537
ID: 22619229
Replace.
0
 
LVL 4

Assisted Solution

by:FourBeers
FourBeers earned 100 total points
ID: 22621568
I notice you mention that you "Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain."

Just to check, the GPO with the loopback policy should only apply to the Terminal Server computer account, so the filtering should be unnecessary.  It only needs to apply to the Terminal Server computer account, and then any user logging onto that gets the cut-down settings in that GPO.  If you did have to use any filter, you'd want to add the TS server computer account.

So I'd just try checking the GPO is only linked to the Terminal Server OU with no filtering, and also check that the OU has no settings to block inheritance of GPOs.
0
 

Author Comment

by:JWL5537
ID: 23185841
Guys, sorry for the extremely delayed response.  We have had some things going on that moved this to the back burner extremely quickly.  

I am still confused on this, so I'm going to try to simplify things. I have two GPOs - Terminal Server Computers and Terminal Server Users.

Which one needs to be linked where?
Which one needs to have the users' security settings on it for logging into the terminal server?
Keep in mind that we don't want these settings to apply to admins when they log onto the terminal server.

Thanks for all of your help!
0
 

Accepted Solution

by:JWL5537
JWL5537 earned 0 total points
ID: 23193295
Got Microsoft on the phone yesterday.  Only the one policy with loopback processing is needed.  It only needs to be linked to the OU with the terminal servers contained within.  You will then need to edit the policy.  Right click on the policy name and go to properties.  You will then need to give users the ability to "Read" and "Apply Group Policy".  Make sure your administrators groups have the ability to Read, Write, Create Child, Delete Child.  You will need to DENY apply group policy.
0
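
The setup from the accepted solution, scripted as an added example that is not part of the original thread. It assumes the RSAT `GroupPolicy` and `ActiveDirectory` PowerShell modules (Windows Server 2008 R2 or later, newer than the 2003-era tools used in the thread); the GPO name, OU path and admin group name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run from a management host with RSAT.
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical names: replace with your own.
$GpoName    = 'TS Desktop Lockdown'
$TsOu       = 'OU=Terminal Servers,DC=example,DC=com'
$AdminGroup = 'TS Admins'

# 1. One GPO, linked only to the OU that contains the terminal servers.
#    A new GPO already grants Authenticated Users "Read" and "Apply Group
#    Policy", which covers both the users and the TS computer account.
$gpo = New-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $TsOu -LinkEnabled Yes | Out-Null

# 2. Loopback processing is a computer-side policy value:
#    UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Deny "Apply Group Policy" to the administrators group so the lockdown
#    skips them. Set-GPPermission cannot write a Deny entry, so the ACE is
#    added to the GPO's directory object. The GUID below identifies the
#    Apply-Group-Policy extended right.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adminSid      = (Get-ADGroup -Identity $AdminGroup).SID
$gpoAdPath     = "AD:\$($gpo.Path)"

$acl  = Get-Acl -Path $gpoAdPath
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $adminSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoAdPath -AclObject $acl

# 4. Review the result: list who can read/apply the GPO, then show the
#    Deny entries on the GPO object.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
(Get-Acl -Path $gpoAdPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

After a `gpupdate /force` on the terminal server, running `gpresult` in a restricted user's session there and again on that user's PC should list the GPO only in the terminal server session.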
