• Status: Solved

Where can I find Administrative Templates for Group Policy?

I am trying to locate Administrative templates for Group Policy. I went to the Microsoft website listed below but they do not list any for Windows Server 2003 SP2. The specific templates I am looking for are the ones in which I can edit the Desktop, Control Panel, and Start Menu settings. I have these templates listed in the 'User Configuration' side of the Group Policy but I need them in the 'Computer Configuration' side. Is it not possible to control these using Computer Configuration? Thanks.

http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en 
Asked: kpurchase

gzarnick Commented:

kpurchase (Author) Commented:
All that site does is list the standard set of ADM files which we already have. I need to find the specific template that controls the desktop, control panel...etc.

DarinTCH (Senior CyberSecurity Engineer) Commented:
Per Microsoft (refers primarily to user interface)
-----
Administrative templates provide Group Policy setting information for the items that appear under Administrative Templates. Group Policy tools use Administrative template files to populate policy settings in the **user interface**. This allows administrators to manage registry-based policy settings.

however you can add Administrative Templates

Note Administrative Templates are available under either Computer or User Configuration. Select the configuration that is correct for your custom template.

See this article
http://support.microsoft.com/kb/816662


 
DarinTCH (Senior CyberSecurity Engineer) Commented:
It allows you to add the ADMINISTRATIVE TEMPLATES
under either Users or ....computers
those templates will allow you to configure the desktop etc
both for users or...if you prefer based on computer

DarinTCH (Senior CyberSecurity Engineer) Commented:
here is a print screen
GPO-Admin-Template.doc

oBdA Commented:
No, these settings can not be configured under Computer Configuration.
What is it *exactly* you want to do, that prevents you from using the User Configuration?

kpurchase (Author) Commented:
Thank you for clearing that up oBdA. We cannot configure this by the user because we only want the Group Policy to apply when the user logs into our Terminal Server. We don't want the Group Policy to apply when they log into their normal desktop. We can't change the structure of the OUs because there are other GPOs being applied elsewhere. Do you have any ideas on how we could configure this?

oBdA Commented:
You need the "Loopback" feature for group policies.

1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration\Administrative Templates\Group Policies, "User group policy loopback processing mode". Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings. Do not use the "Loopback" GPO to configure other settings than the loopback feature (or only settings in "Computer Configuration")!
2. Now you can create additional GPO(s) for your *users* in this OU. Check "Disable Computer Configuration Settings" in those, you don't need them for user policies, and it speeds up GPO processing. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. For every TS GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. Remove the default "Authenticated Users" from the "Security Filtering" list, add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

kpurchase (Author) Commented:
Here's what I did:

I created a TS OU and put the Terminal Server in it.
Created a GPO with the loopback setting and user configuration disabled.
Created a GPO with the user setting I want to apply when on the terminal server with Computer settings disabled.

I am having one slight problem. I am using the account 'TestUser' to test the group policy. The policy is being applied when I log into the terminal server as TestUser, but it's also being applied when I log into a regular desktop. Is there something I am missing?

Thanks,

James

kpurchase (Author) Commented:
Let me just clear up the second step. I created a GPO with the loopback setting enabled and set to 'Replace' and the user configuration disabled.

oBdA Commented:
Your test account should *not* be in (or below) the TS OU.

OU "Terminalserver" --> GPO "Loopback", GPO "TSRestrictions"
  +-- TerminalServer
OU "Users"
  +-- TestUser

kpurchase (Author) Commented:
When I move TestUser out of the TS OU the Group Policy is not applying on the Terminal Server and continues to apply on the normal desktop. If I do a gpresult on the Terminal Server the Loopback GPO is being applied but the TSRestrictions is not listed. I have a group that I created called 'Untrusted' with the users that I want the policy applied to when they log into the TS. Where in AD should they be? Who should be listed in the Security Filtering?

Thanks.

oBdA Commented:
As I said above: the user accounts may *not* be in or below the Terminalserver OU, otherwise the TS GPO will apply on desktop logons as well; other than that, it doesn't matter where the accounts are. In the security filtering for the TS User GPO, (only) the "Untrusted" group should be listed.
Have you restarted the TS after applying the Loopback GPO? In my experience, a simple gpupdate is not enough for the Loopback policy to apply.

kpurchase (Author) Commented:
I tried restarting the server but still no luck. I have moved all of the users out of the TS OU and now the policy is being applied on the TS and the normal desktop. I have only the Untrusted Group in the Security filtering for the TSRestrictions GP. Could the precedence of the two have something to do with it or the Enforced settings? Currently I have the TS GP first not enforced, then I have the TSRestrictions GP second enforced. Thanks for the help, I feel like we almost got it.

James

oBdA Commented:
There should be no need to enforce one of these GPOs unless you've blocked inheritance somewhere along the way.
Please post a screenshot (or recreate it in ASCII in the "Code snippet" box) of the relevant OU structure (that is, the OU where your user accounts are, the OU where your desktop policies are linked, and the TS OU), and where you've linked which policies.

kpurchase (Author) Commented:
I finally got it to work. The problem was not the GP; it was that the user was not a member of one of the required domain groups; it was blocking its access on the normal desktop. Thanks for your help oBdA.

James
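
A small model of the loopback behaviour discussed in this thread, added here as an illustration and not code from any poster or from Microsoft: it resolves which GPOs contribute user settings at a given logon, using the OU layout oBdA sketched. The `DesktopDefaults` GPO, the `Desktops` OU and the flat OU model (no nesting or inheritance) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class GPO:
    name: str
    user_settings: bool = True       # False = "Disable User Configuration Settings"
    loopback: Optional[str] = None   # "replace" or "merge", set under Computer Configuration
    apply_groups: frozenset = frozenset({"Authenticated Users"})  # security filtering

# Constructed sample directory (OU -> linked GPOs), following the layout in the thread.
# "DesktopDefaults" and the "Desktops" OU are hypothetical; OUs are flat, no inheritance.
LINKS = {
    "Terminalserver": [
        GPO("Loopback", user_settings=False, loopback="replace"),
        GPO("TSRestrictions", apply_groups=frozenset({"Untrusted"})),
    ],
    "Users": [GPO("DesktopDefaults")],
    "Desktops": [],
}

def user_gpos(user_ou, computer_ou, groups, links=LINKS):
    """Names of the GPOs whose user settings apply at this logon, in processing order."""
    groups = set(groups) | {"Authenticated Users"}
    # Loopback is a computer setting: it is read from the GPOs on the computer's OU.
    mode = next((g.loopback for g in links[computer_ou] if g.loopback), None)
    if mode == "replace":
        candidates = list(links[computer_ou])             # the user's own OU is ignored
    elif mode == "merge":
        candidates = links[user_ou] + links[computer_ou]  # computer's GPOs last, so they win
    else:
        candidates = list(links[user_ou])                 # normal processing
    applied = []
    for gpo in candidates:
        # Security filtering is checked against the user; a disabled user half adds nothing.
        if gpo.user_settings and gpo.apply_groups & groups and gpo.name not in applied:
            applied.append(gpo.name)
    return applied

if __name__ == "__main__":
    for user_ou, pc_ou in [("Users", "Terminalserver"), ("Users", "Desktops"),
                           ("Terminalserver", "Desktops")]:
        print(f"account in {user_ou!r}, logon on {pc_ou!r}:",
              user_gpos(user_ou, pc_ou, {"Untrusted"}))
```

The third case is the one reported in the thread: an account placed in the Terminalserver OU receives TSRestrictions on an ordinary desktop, because the GPO is then linked to the user's own OU and loopback is not involved.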