Solved

Apply different Group Policy to user in TS vs on PC

Posted on 2008-09-30
Last Modified: 2013-11-21
Hello all!  We have one terminal server in our environment (2k3) that we use for Citrix.  We mainly just publish applications with it.  However, recently a need has arisen for a select few users to have a remote desktop session.  These users have PCs.  I need to apply a strict group policy to them whenever they log into the ICA session, but don't want the settings to apply to them when they are logged into their PCs.  Any ideas?
Question by:JWL5537
10 Comments
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 400 total points
ID: 22609314
Create a GPO linked to the OU containing the TS, configuring
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

Create another GPO for the restricted users and configure security filtering so that it only applies to the group containing those users. Link that GPO to the OU containing the TS as well.
LVL 4

Expert Comment

by:FourBeers
ID: 22611848
henjoh09 has the right idea, and there are two options in that loopback processing mode.  Loopback processing means that when you apply a GPO to a computer (like your TS), any settings defined in the "User" section of that GPO are applied to users logging onto that computer.  However, these settings can either be "merged" with settings applied by other GPOs, or they can "replace" them (so no user settings are applied from other GPOs), so you just need to decide which is best for you.

Author Comment

by:JWL5537
ID: 22617764
Yes, but won't this affect their logins to the pc's as well?
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22618016
No, the whole point of using loopback processing for GPOs is to apply policies to users only when they log on to special computers such as a TS.
As you link the user GPOs to the TS OU, the policies will not apply when the users log on to computers outside of that OU.

Author Comment

by:JWL5537
ID: 22618864
This doesn't seem to be working.  I created a GPO and linked it just to the OU (not the domain) with the loopback processing.  Made sure it was applied first.  Then I created a GPO for the terminal services users, filtered it for the particular users, and linked it to the OU with the terminal server and not the domain.  The users get the standard desktop when logging into the terminal server and the PC.  However, when the GPOs are linked to the domain, they get the drummed-down version that I'm looking for with the terminal server desktop.
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22619146
What loopback processing mode did you use?

Author Comment

by:JWL5537
ID: 22619229
Replace.
LVL 4

Assisted Solution

by:FourBeers
FourBeers earned 400 total points
ID: 22621568
I notice you mention that you "Then, created a GPO for the terminal services users and filtered for the particular users and linked it to the OU with the terminal server and not the domain."

Just to check, the GPO with the loopback policy should only apply to the Terminal Server computer account, so the filtering should be unnecessary.  It only needs to apply to the Terminal Server computer account, and then any user logging onto that server gets the cut-down settings in that GPO.  If you did have to use any filter, you'd want to add the TS server computer account.

So I'd just try checking that the GPO is only linked to the Terminal Server OU with no filtering, and also check that the OU has no settings to block inheritance of GPOs.

Author Comment

by:JWL5537
ID: 23185841
Guys, sorry for the extremely delayed response.  We have had some things going on that moved this to the back burner extremely quickly.

I am still confused on this, so I'm going to try to simplify things.  I have two GPOs: Terminal Server Computers and Terminal Server Users.

Which one needs to be linked where?
Which one needs to have the users' security settings on it for logging into the terminal server?
Keep in mind that we don't want these settings to apply to admins when they log onto the terminal server.

Thanks for all of your help!

Accepted Solution

by:JWL5537
JWL5537 earned 0 total points
ID: 23193295
Got Microsoft on the phone yesterday.  Only the one policy with loopback processing is needed.  It only needs to be linked to the OU with the terminal servers contained within.  You will then need to edit the policy.  Right-click on the policy name and go to Properties.  You will then need to give users the ability to "Read" and "Apply Group Policy".  Make sure your administrators groups have the ability to Read, Write, Create Child, Delete Child.  You will need to DENY Apply Group Policy.
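The procedure agreed on in this thread (one loopback GPO linked only to the TS OU, the user lockdown carried in that same GPO, the user group allowed to Read and Apply, and the admin group denied Apply Group Policy), as an added PowerShell example that is not part of the original thread. It uses the GroupPolicy and ActiveDirectory RSAT modules, which are newer than the 2003-era server being discussed, so it assumes you run it from a Server 2008 R2 or later admin workstation. The OU path, GPO name, group names and the sample Control Panel restriction are assumptions; replace them with your own. It also covers the Merge-versus-Replace choice from FourBeers' comment via the UserPolicyMode value.

```powershell
# Added example, not code from the thread. Assumes RSAT GroupPolicy + ActiveDirectory
# modules and an account that can create/link GPOs and edit GPO ACLs.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: drive used for the Deny ACE

$Domain   = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$TsOU     = "OU=Terminal Servers,$Domain"            # assumption: OU holding only the TS computer accounts
$GpoName  = "TS Loopback - Restricted Desktop"       # assumption
$UserGrp  = "TS Restricted Users"                    # assumption: global group of locked-down users
$AdminGrp = "TS Admins"                              # assumption: admins who must NOT get the user settings

# 1. Create the GPO and link it ONLY to the TS OU, never to the domain root.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $TsOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TsOU -LinkEnabled Yes | Out-Null }

# 2. Turn on loopback processing. This is the registry value behind
#    "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
#    Replace (as the asker chose) discards every other user GPO for TS logons.
Set-GPRegistryValue -Name $GpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# 3. Put the user-side lockdown in the SAME GPO. An HKCU key lands in User
#    Configuration. NoControlPanel is a placeholder; add your real restrictions here.
Set-GPRegistryValue -Name $GpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# 4. Security filtering. Authenticated Users (which includes the TS computer
#    accounts) keeps its default Read + Apply so the Computer side with the
#    loopback switch is still processed; the user group gets Read + Apply explicitly.
Set-GPPermission -Name $GpoName -TargetName $UserGrp -TargetType Group `
    -PermissionLevel GpoApply -Replace | Out-Null

# 5. Deny "Apply Group Policy" to the admin group. Set-GPPermission cannot write
#    Deny ACEs, so the ACE is added to the GPO's AD object directly. The GUID is
#    the Apply-Group-Policy extended right.
$applyRight = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"
$gpoDn = "CN=$($gpo.Id.ToString('B')),CN=Policies,CN=System,$Domain"
$acl   = Get-Acl -Path "AD:\$gpoDn"
$sid   = (Get-ADGroup -Identity $AdminGrp).SID
$deny  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 6. Verify from both sides. Inside a TS session as a restricted user the GPO must
#    show under "Applied Group Policy Objects"; on the user's own PC it must not.
#      gpresult /r /scope user
#    Or, from the admin workstation (replace TS01 and the user):
#      Get-GPResultantSetOfPolicy -Computer TS01 -User "corp\jdoe" -ReportType Html -Path .\rsop.html
```

Two caveats a practitioner will want. First, a Deny ACE written only to the AD object leaves the SYSVOL folder ACL out of sync; GPMC will flag the GPO's permissions as inconsistent and offer to repair them, so either accept that or set the Deny through GPMC's Delegation tab (Advanced), which updates both. Second, Deny ACEs do not appear on GPMC's Scope tab and are easy to forget; if you can instead keep the admin accounts out of the group that is filtered in (remove Authenticated Users, grant the TS computer accounts and the restricted user group Apply, as the two-GPO variant earlier in the thread does), you avoid relying on a hidden Deny.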