Solved

Apply different Group Policy to user in TS vs on PC

Posted on 2008-09-30
Last Modified: 2013-11-21
Hello all! We have one terminal server in our environment (2k3) that we use for Citrix. We mainly just publish applications with it. However, recently a need has arisen for a select few users to have a remote desktop session. These users have PCs. I need to apply a strict group policy to them whenever they log into the ICA session, but don't want the settings to apply to them when they are logged into their PCs. Any ideas?
Question by:JWL5537
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 400 total points
ID: 22609314
Create a GPO linked to the OU with the TS, configuring
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

Create another GPO for the restricted users and configure security filtering to only apply to the group with the users. Link the GPO to the OU with the TS.
0
 
LVL 4

Expert Comment

by:FourBeers
ID: 22611848
henjoh09 has the right idea, and there are two options in that loopback processing mode. The loopback processing means that when you apply a GPO to a computer (like your TS), any settings defined in the "User" section of that GPO are applied to users logging onto that computer. However, these settings can either be "merged" with settings applied by other GPOs, or they can "replace" them (so no other user GPO settings are applied from other GPOs), so you just need to decide which is best for you.
0
 

Author Comment

by:JWL5537
ID: 22617764
Yes, but won't this affect their logins to the PCs as well?
0

 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22618016
No, the meaning of using loopback processing for GPOs is to apply policies for users only when they log on to special computers like TS etc.
As you link the user GPOs to the TS OU, the policies will not apply when the users log on to computers outside of that OU.
0
 

Author Comment

by:JWL5537
ID: 22618864
This doesn't seem to be working. I created a GPO and linked it just to the OU - not domain, with the loopback processing. Made sure it was applied first. Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain. The users get the standard desktop when logging into the terminal server and PC. However, when the GPOs are linked to the domain, they get the dumbed-down version that I'm looking for with the terminal server desktop.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22619146
What loopback processing mode did you use?
0
 

Author Comment

by:JWL5537
ID: 22619229
Replace.
0
 
LVL 4

Assisted Solution

by:FourBeers
FourBeers earned 400 total points
ID: 22621568
I notice you mention that you "Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain."

Just to check, the GPO with the loopback policy should only apply to the Terminal Server computer account, so the filtering should be unnecessary.  It only needs to apply to the Terminal Server computer account, and then any user logging onto that gets the cut-down settings in that GPO.  If you did have to use any filter, you'd want to add the TS server computer account.

So I'd just try checking the GPO is only linked to the Terminal Server OU with no filtering, and also check that the OU has no settings to block inheritance of GPOs.
0
 

Author Comment

by:JWL5537
ID: 23185841
Guys, sorry for the extremely delayed response.  We have had some things going on that moved this to the back burner extremely quickly.  

I am still confused on this, so I'm going to try to simplify things. I have two GPOs - Terminal Server Computers and Terminal Server Users.

Which one needs to be linked where?
Which one needs to have the users' security settings on it for logging into the terminal server?
Keep in mind that we don't want these settings to apply to admins when they log onto the terminal server.

Thanks for all of your help!
0
 

Accepted Solution

by:JWL5537
JWL5537 earned 0 total points
ID: 23193295
Got Microsoft on the phone yesterday. Only the one policy with loopback processing is needed. It only needs to be linked to the OU with the terminal servers contained within. You will then need to edit the policy. Right-click on the policy name and go to properties. You will then need to give users the ability to "Read" and "Apply Group Policy". Make sure your administrator groups have the ability to Read, Write, Create Child, Delete Child. You will need to DENY apply group policy.
0
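The configuration from the accepted solution, sketched with the GroupPolicy and ActiveDirectory PowerShell modules as an added example that is not part of the original thread. It assumes a management host with those RSAT modules installed; the GPO name, OU path and admin group name are placeholders.

```powershell
# Added example. All names below are hypothetical placeholders, not values from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName    = 'TS Lockdown (loopback)'                  # hypothetical GPO name
$TsOu       = 'OU=Terminal Servers,DC=example,DC=com'   # hypothetical OU holding the TS computer account
$AdminGroup = 'TS-Admins'                               # hypothetical group that must not get the lockdown

# 1. One GPO, linked only to the terminal server OU (not to the domain).
$gpo = New-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $TsOu -LinkEnabled Yes | Out-Null

# 2. Enable "User Group Policy loopback processing mode" in the computer half.
#    UserPolicyMode: 1 = Merge, 2 = Replace (the mode used in the thread).
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. The restrictive desktop settings go in the User Configuration half of this
#    same GPO. A new GPO already grants Authenticated Users Read + Apply Group
#    Policy, which covers both the TS computer account and the users.

# 4. Deny the "Apply Group Policy" extended right to the admin group so the
#    lockdown skips admins who log on to the terminal server.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply Group Policy
$sid  = (Get-ADGroup -Identity $AdminGroup).SID
$path = "AD:\$($gpo.Path)"
$acl  = Get-Acl -Path $path
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $applyGpoRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# 5. Verify: who is allowed or denied Apply, where the GPO is linked, and
#    whether the OU blocks inheritance (the check suggested earlier in the thread).
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $applyGpoRight } |
    Format-Table IdentityReference, AccessControlType
$inh = Get-GPInheritance -Target $TsOu
$inh.GpoLinks | Format-Table DisplayName, Enabled, Order
"Inheritance blocked on TS OU: $($inh.GpoInheritanceBlocked)"
```

Running `gpresult` in a test user's session on the terminal server and again on their PC shows whether the GPO appears only in the terminal server session.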
