Solved

Apply different Group Policy to user in TS vs on PC

Posted on 2008-09-30
Last Modified: 2013-11-21
Hello all!  We have one terminal server in our environment (2k3) that we use for Citrix.  We mainly just publish applications with it.  However, recently a need has arisen for a select few users to have a remote desktop session.  These users have PCs.  I need to apply a strict group policy to them whenever they log into the ICA session, but don't want the settings to apply to them when they are logged into their PCs.  Any ideas?
Question by:JWL5537
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 100 total points
ID: 22609314
Create a GPO linked to the OU with the TS configuring
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

Create another GPO for the restricted users and configure security filtering to only apply to the group with the users. Link the GPO to the OU with the TS
0
 
LVL 4

Expert Comment

by:FourBeers
ID: 22611848
henjoh09 has the right idea, and there are two options in that loopback processing mode.  The loopback processing means that when you apply a GPO to a computer (like your TS), any settings defined in the "User" section of that GPO are applied to users logging onto that computer. However, these settings can either be "merged" with settings applied by other GPOs, or they can "replace" them (so no other user GPO settings are applied from other GPOs), so you just need to decide which is best for you.
0
 

Author Comment

by:JWL5537
ID: 22617764
Yes, but won't this affect their logins to the PCs as well?
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22618016
No, the meaning of using loopback processing for GPOs is to apply policies for users only when they log on to special computers like TS etc.
As you link the user-GPOs to the TS-OU, the policies will not apply when the users log on to computers outside of that OU.
0
 

Author Comment

by:JWL5537
ID: 22618864
This doesn't seem to be working.  I created a GPO and linked it just to the OU - not domain, with the loopback processing.  Made sure it was applied first.  Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain.  The users get the standard desktop when logging into the terminal server and PC.  However, when the GPOs are linked to the domain, they get the drummed down version that I'm looking for with the terminal server desktop.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22619146
What loopback processing mode did you use?
0
 

Author Comment

by:JWL5537
ID: 22619229
Replace.
0
 
LVL 4

Assisted Solution

by:FourBeers
FourBeers earned 100 total points
ID: 22621568
I notice you mention that you "Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain."

Just to check, the GPO with the loopback policy should only apply to the Terminal Server computer account, so the filtering should be unnecessary.  It only needs to apply to the Terminal Server computer account, and then any user logging onto that gets the cut-down settings in that GPO.  If you did have to use any filter, you'd want to add the TS server computer account.

So I'd just try checking the GPO is only linked to the Terminal Server OU with no filtering, and also check that the OU has no settings to block inheritance of GPOs.
0
 

Author Comment

by:JWL5537
ID: 23185841
Guys, sorry for the extremely delayed response.  We have had some things going on that moved this to the back burner extremely quickly.  

I am still confused on this, so I'm going to try to simplify things.  I have two GPOs - Terminal Server Computers and Terminal Server Users.  

Which one needs to be linked where?
Which one needs to have the users security settings on it for logging into the terminal server?
Keep in mind that we don't want these settings to apply to admins when they log onto the terminal server.

Thanks for all of your help!
0
 

Accepted Solution

by:
JWL5537 earned 0 total points
ID: 23193295
Got Microsoft on the phone yesterday.  Only the one policy with loopback processing is needed.  It only needs to be linked to the OU with the terminal servers contained within.  You will then need to edit the policy.  Right click on the policy name and go to properties.  You will then need to give users the ability to "Read" and "Apply Group Policy".  Make sure your administrators groups have the ability to Read, Write, Create Child, Delete Child.  You will need to DENY apply group policy.
0
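The single-GPO setup described in the accepted solution, scripted as an added example (not code from the thread or from Microsoft). It assumes a management host with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT); the GPO name, OU path and group names are placeholders.

```powershell
# Added example: one loopback GPO linked to the terminal server OU,
# applied to restricted users and denied for administrators.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Placeholder names (assumptions, not from the thread)
$GpoName    = 'TS User Lockdown'
$TsOu       = 'OU=Terminal Servers,DC=example,DC=com'
$UserGroup  = 'TS Restricted Users'
$AdminGroup = 'Domain Admins'

# 1. One GPO, linked only to the OU that contains the terminal server.
$gpo = New-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $TsOu | Out-Null

# 2. Enable "User Group Policy loopback processing mode".
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Restricted users: GpoApply grants both Read and Apply Group Policy.
Set-GPPermission -Guid $gpo.Id -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Administrators: Deny "Apply Group Policy". Set-GPPermission cannot
#    write a deny entry, so add it to the GPO's AD object directly.
#    edacfd8f-... is the Apply-Group-Policy extended right.
$applyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adminSid   = (Get-ADGroup -Identity $AdminGroup).SID
$domainDn   = (Get-ADDomain).DistinguishedName
$gpoPath    = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"

$acl  = Get-Acl -Path $gpoPath
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $adminSid, 'ExtendedRight', 'Deny', $applyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# 5. Review the resulting delegation before testing a logon.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

After a restricted user and an administrator each log on to the terminal server, `gpresult /r` in their sessions shows whether the GPO was applied or filtered out.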