
Apply different Group Policy to user in TS vs on PC

Hello all! We have one terminal server in our environment (2k3) that we use for Citrix. We mainly just publish applications with it. However, recently a need has arisen for a select few users to have a remote desktop session. These users have PCs. I need to apply a strict group policy to them whenever they log into the ICA session, but don't want the settings to apply to them when they are logged into their PCs. Any ideas?
Asked by: JWL5537

Henrik Johansson (Systems engineer) Commented:
Create a GPO linked to the OU with the TS configuring
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

Create another GPO for the restricted users and configure security filtering to only apply to the group with the users. Link the GPO to the OU with the TS
0
 
FourBeers Commented:
henjoh09 has the right idea, and there are two options in that loopback processing mode. The loopback processing means that when you apply a GPO to a computer (like your TS), any settings defined in the "User" section of that GPO are applied to users logging onto that computer. However, these settings can either be "merged" with settings applied by other GPOs, or they can "replace" them (so no other user GPO settings are applied from other GPOs), so you just need to decide which is best for you.
0
 
JWL5537 (Author) Commented:
Yes, but won't this affect their logins to the PCs as well?
0
Henrik Johansson (Systems engineer) Commented:
No, the meaning of using loopback processing for GPOs is to apply policies for users only when they log on to special computers like TS etc.
As you link the user GPOs to the TS OU, the policies will not apply when the users log on to computers outside of that OU.
0
 
JWL5537 (Author) Commented:
This doesn't seem to be working. I created a GPO and linked it just to the OU - not domain, with the loopback processing. Made sure it was applied first. Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain. The users get the standard desktop when logging into the terminal server and PC. However, when the GPOs are linked to the domain, they get the drummed down version that I'm looking for with the terminal server desktop.
0
 
Henrik Johansson (Systems engineer) Commented:
What loopback processing mode did you use?
0
 
JWL5537 (Author) Commented:
Replace.
0
 
FourBeers Commented:
I notice you mention that you "Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain."

Just to check, the GPO with the loopback policy should only apply to the Terminal Server computer account, so the filtering should be unnecessary. It only needs to apply to the Terminal Server computer account, and then any user logging onto that gets the cut-down settings in that GPO. If you did have to use any filter, you'd want to add the TS server computer account.

So I'd just try checking the GPO is only linked to the Terminal Server OU with no filtering, and also check that the OU has no settings to block inheritance of GPOs.
0
 
JWL5537 (Author) Commented:
Guys, sorry for the extremely delayed response. We have had some things going on that moved this to the back burner extremely quickly.

I am still confused on this, so I'm going to try to simplify things. I have two GPOs - Terminal Server Computers and Terminal Server Users.

Which one needs to be linked where?
Which one needs to have the users' security settings on it for logging into the terminal server?
Keep in mind that we don't want these settings to apply to admins when they log onto the terminal server.

Thanks for all of your help!
0
 
JWL5537 (Author) Commented:
Got Microsoft on the phone yesterday.  Only the one policy with loopback processing is needed.  It only needs to be linked to the OU with the terminal servers contained within.  You will then need to edit the policy.  Right click on the policy name and go to properties.  You will then need to give users the ability to "Read" and "Apply Group Policy".  Make sure your administrators groups have the ability to Read, Write, Create Child, Delete Child.  You will need to DENY apply group policy.
0
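
The single-GPO loopback setup described in the last post, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 or later, not the 2003-era console the posters used); the GPO, OU and group names are hypothetical placeholders.

```powershell
# Added example; GPO, OU and group names are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'TS Lockdown (loopback)'                 # hypothetical GPO name
$TsOu     = 'OU=Terminal Servers,DC=example,DC=com'  # hypothetical OU with the TS computer accounts
$AdminGrp = 'Domain Admins'                          # assumed admin group to exempt

# 1. One GPO, linked only to the terminal server OU (not to the domain).
$gpo = New-GPO -Name $GpoName
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null

# 2. Enable "User Group Policy loopback processing mode".
#    Registry value behind the setting: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. The restrictive desktop settings go in the User Configuration half of
#    this same GPO (edited in the Group Policy editor; not shown here).

# 4. Leave the default Authenticated Users Read + Apply entry in place so the
#    TS computer account and the users can process the GPO, then add a Deny
#    for "Apply Group Policy" for admins. Set-GPPermission has no deny
#    level, so the ACE is written on the GPO's AD object directly.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply-Group-Policy extended right
$gpoPath  = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$adminSid = (Get-ADGroup -Identity $AdminGrp).SID
$denyAce  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $adminSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)
$acl = Get-Acl -Path $gpoPath
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpoPath -AclObject $acl

# 5. Verify: link location, loopback mode, and who can (or cannot) apply.
(Get-GPInheritance -Target $TsOu).GpoLinks | Select-Object DisplayName, Enabled, Order
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission, Denied
```

Running `gpresult` in a test user's session on the terminal server and again on that user's PC shows whether the GPO is applied only on the terminal server.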
Question has a verified solution.