Solved

Where can I find Administrative Templates for Group Policy?

Posted on 2008-10-24
16
1,345 Views
Last Modified: 2012-08-13
I am trying to locate Administrative templates for Group Policy. I went to the Microsoft website listed below but they do not list any for Windows Server 2003 SP2. The specific templates I am looking for are the ones in which I can edit the Desktop, Control Panel, and Start Menu settings. I have these templates listed in the 'User Configuration' side of the Group Policy but I need them in the 'Computer Configuration' side. Is it not possible to control these using Computer Configuration? Thanks.

http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en
0
Comment
Question by:kpurchase
  • 7
  • 5
  • 3
  • +1
16 Comments
 
LVL 5

Expert Comment

by:gzarnick
ID: 22796621
0
 

Author Comment

by:kpurchase
ID: 22796850
All that site does is list the standard set of ADM files which we already have. I need to find the specific template that controls the desktop, control panel...etc.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797711
per MicroSoft (refers primarily to user interface)
-----
Administrative templates provide Group Policy setting information for the items that appear under Administrative Templates. Group Policy tools use Administrative template files to populate policy settings in the **user interface**. This allows administrators to manage registry-based policy settings.

however you can add Administrative Templates

Note Administrative Templates are available under either Computer or User Configuration. Select the configuration that is correct for your custom template.

See this article
http://support.microsoft.com/kb/816662


 
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797745
It allows you to add the ADMINISTRATIVE TEMPLATES
under either Users or ....computers
those templates will allow you to configure the desktop etc
both for users or...if you prefer based on computer
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797799
here is a print screen
GPO-Admin-Template.doc
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22803655
No, these settings can not be configured under Computer Configuration.
What is it *exactly* you want to do, that prevents you from using the User Configuration?
0
 

Author Comment

by:kpurchase
ID: 22813028
Thank you for clearing that up oBdA. We cannot configure this by the user because we only want the Group Policy to apply when the user logs into our Terminal Server. We don't want the Group Policy to apply when they log into there normal desktop. We can't change the stucture of the OU's becuse there are other GPO's being applied elsewhere. Do you have any ideas on how we could configure this?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 22815993
You need the "Loopback" feature for group policies.

1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration\Administrative Templates\Group Policies, "User group policy loopback processing mode". Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings. Do not use the "Loopback" GPO to configure other settings than the loopback feature (or only settings in "Computer Configuration")!
2. Now you can create additional GPO(s) for your *users* in this OU. Check "Disable Computer Configuration Settings" in those, you don't need them for user policies, and it speeds up GPO processing.  These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. For every TS GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. Remove the default "Authenticated Users" from the "Security Filtering" list, add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:kpurchase
ID: 22842925
Here's what I did:

I created a TS OU and put the Terminal Server in it.
Created a GPO with the loopback setting and user configuration disabled.
Created a GPO with the user setting I want to apply when on the terminal server with Computer settings disabled.

I am having one slight problem. I am using the acoount 'TestUSer' to test the group policy. The policy is being appled when I log into the terminal server as TestUser, but it's also being applied when I log into a regular desktop. Is there something I am missing?

Thanks,

James
0
 

Author Comment

by:kpurchase
ID: 22842935
Let me just clear up the second step. I created a GPO with the loopback setting enabled and set to 'Replace' and the user configuration disabled.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22843029
Your test account should *not* be in (or below) the TS OU.

OU "Terminalserver" --> GPO "Loopback", GPO "TSRestrictions"
  +-- TerminalServer
OU "Users"
  +-- TestUser
0
 

Author Comment

by:kpurchase
ID: 22843205
When I move TestUSer out of the TS OU the Group Policy is not applying on the Terminal Server and continues to apply on the normal desktop. If I do a gpresult on the Terminal server the Loopback GPO is being applied but the TSRestrictions is not listed. I have a group that I created called 'Untrusted' with the users that I want the policy applied to when they log into the TS. Where in AD should they be? Who should be in the listed in the Security Filtering?

Thanks.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22843922
As I said above: the user accounts may *not* be in or below the Terminalserver OU, otherwise the TS GPO will apply on desktop logons as well; other than that, it doesn't matter where the accounts are. In the security filtering for the TS User GPO, (only) the "Untrusted" group should be listed.
Have you restarted the TS after applying the Loopback GPO? In my experience, a simple gpupdate is not enough for the Loopback policy to apply.
0
 

Author Comment

by:kpurchase
ID: 22844461
I tried restarting the server but still no luck. I have moved all of the users out of the TS OU and now the policy is being applied on the TS and the normal desktop. I have only the Untrusted Group in the Security filtering for the TSRestrictions GP. Could the precendence of the two have something to do with it or the Enforced settings? Currently I have the TS GP first not enforced, then I have the TSRestrictions GP second enforced. Thanks for the help, I feel like we almost got it.

James
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22844595
There should be no need to enforce one of these GPOs unless you've blocked inheritance somewhere along the way.
Please post a screenshot (or recreate it in ASCII in the "Code snippet" box) of the relevant OU structure (that is, the OU where your user accounts are, the OU where your desktop policies are linked, and the TS OU), and where you've linked which policies.
0
 

Author Comment

by:kpurchase
ID: 22844707
I finally got it to work. The problem was not the GP it was that the user was not a member of one of the required domain groups, it was blocking it's access on the normal desktop. Thanks for your help oBda.

James
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

As with any other System Center product, the installation for the Authoring Tool can be quite a pain sometimes. This article serves to help you avoid making these mistakes and hopefully save you a ton of time on troubleshooting :)  Step 1: Make sur…
Many companies are making the switch from Microsoft to Google Apps (https://www.google.com/work/apps/business/). Use this article to learn more about what Google Apps has to offer and to help if you’re planning on migrating to Google Apps. It is …
Viewers will learn how to maximize accessibility options in an Excel workbook for users with accessibility issues.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now