Solved

Where can I find Administrative Templates for Group Policy?

Posted on 2008-10-24
Last Modified: 2012-08-13
I am trying to locate Administrative templates for Group Policy. I went to the Microsoft website listed below but they do not list any for Windows Server 2003 SP2. The specific templates I am looking for are the ones in which I can edit the Desktop, Control Panel, and Start Menu settings. I have these templates listed in the 'User Configuration' side of the Group Policy but I need them in the 'Computer Configuration' side. Is it not possible to control these using Computer Configuration? Thanks.

http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en 
Question by:kpurchase
16 Comments
 
LVL 5

Expert Comment

by:gzarnick
ID: 22796621
0
 

Author Comment

by:kpurchase
ID: 22796850
All that site does is list the standard set of ADM files which we already have. I need to find the specific template that controls the desktop, control panel...etc.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797711
Per Microsoft (refers primarily to user interface)
-----
Administrative templates provide Group Policy setting information for the items that appear under Administrative Templates. Group Policy tools use Administrative template files to populate policy settings in the **user interface**. This allows administrators to manage registry-based policy settings.

however you can add Administrative Templates

Note Administrative Templates are available under either Computer or User Configuration. Select the configuration that is correct for your custom template.

See this article
http://support.microsoft.com/kb/816662


 
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797745
It allows you to add the ADMINISTRATIVE TEMPLATES
under either Users or ....computers
those templates will allow you to configure the desktop etc
both for users or...if you prefer based on computer
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797799
here is a print screen
GPO-Admin-Template.doc
0
 
LVL 84

Expert Comment

by:oBdA
ID: 22803655
No, these settings can not be configured under Computer Configuration.
What is it *exactly* you want to do, that prevents you from using the User Configuration?
0
 

Author Comment

by:kpurchase
ID: 22813028
Thank you for clearing that up oBdA. We cannot configure this by the user because we only want the Group Policy to apply when the user logs into our Terminal Server. We don't want the Group Policy to apply when they log into their normal desktop. We can't change the structure of the OUs because there are other GPOs being applied elsewhere. Do you have any ideas on how we could configure this?
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 22815993
You need the "Loopback" feature for group policies.

1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration\Administrative Templates\Group Policies, "User group policy loopback processing mode". Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings. Do not use the "Loopback" GPO to configure other settings than the loopback feature (or only settings in "Computer Configuration")!
2. Now you can create additional GPO(s) for your *users* in this OU. Check "Disable Computer Configuration Settings" in those, you don't need them for user policies, and it speeds up GPO processing.  These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. For every TS GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. Remove the default "Authenticated Users" from the "Security Filtering" list, add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
0
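The two-GPO loopback layout and security filtering described in the accepted answer, as an added PowerShell example that is not part of the original thread. It assumes a management host with the GroupPolicy module (GPMC/RSAT) and that the OU and the filter group already exist; the domain DN is a placeholder, and the OU, GPO and group names are the ones used later in this thread.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy module is available
# and that the Terminal Server OU and the filter group already exist.
Import-Module GroupPolicy

$TsOu        = 'OU=Terminalserver,DC=example,DC=com'   # placeholder DN, adjust to your domain
$LoopbackGpo = 'Loopback'
$UserGpo     = 'TSRestrictions'
$FilterGroup = 'Untrusted'

# Step 1: computer-side GPO whose only job is to switch loopback on.
$gpo = New-GPO -Name $LoopbackGpo
$gpo.GpoStatus = 'UserSettingsDisabled'
# Registry value behind "User Group Policy loopback processing mode":
# 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $LoopbackGpo -Target $TsOu | Out-Null

# Step 2: user-side GPO linked to the same OU. The user accounts stay
# outside this OU; loopback is what pulls these settings into TS sessions.
$user = New-GPO -Name $UserGpo
$user.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $UserGpo -Target $TsOu | Out-Null

# Security filtering: only the filter group gets "Apply".
# Authenticated Users is downgraded to read rather than removed outright,
# because on systems patched with MS16-072 the computer account must still
# be able to read user GPOs.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $UserGpo -TargetName $FilterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the result: who can apply the user GPO, and what is linked to the OU.
Get-GPPermission -Name $UserGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
(Get-GPInheritance -Target $TsOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

If administrators should stay exempt, keep them out of the filter group; anyone who is not a member never receives the user-side GPO.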
 

Author Comment

by:kpurchase
ID: 22842925
Here's what I did:

I created a TS OU and put the Terminal Server in it.
Created a GPO with the loopback setting and user configuration disabled.
Created a GPO with the user setting I want to apply when on the terminal server with Computer settings disabled.

I am having one slight problem. I am using the account 'TestUSer' to test the group policy. The policy is being applied when I log into the terminal server as TestUser, but it's also being applied when I log into a regular desktop. Is there something I am missing?

Thanks,

James
0
 

Author Comment

by:kpurchase
ID: 22842935
Let me just clear up the second step. I created a GPO with the loopback setting enabled and set to 'Replace' and the user configuration disabled.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 22843029
Your test account should *not* be in (or below) the TS OU.

OU "Terminalserver" --> GPO "Loopback", GPO "TSRestrictions"
  +-- TerminalServer
OU "Users"
  +-- TestUser
0
 

Author Comment

by:kpurchase
ID: 22843205
When I move TestUSer out of the TS OU the Group Policy is not applying on the Terminal Server and continues to apply on the normal desktop. If I do a gpresult on the Terminal Server, the Loopback GPO is being applied but the TSRestrictions is not listed. I have a group that I created called 'Untrusted' with the users that I want the policy applied to when they log into the TS. Where in AD should they be? Who should be listed in the Security Filtering?

Thanks.
0
 
LVL 84

Expert Comment

by:oBdA
ID: 22843922
As I said above: the user accounts may *not* be in or below the Terminalserver OU, otherwise the TS GPO will apply on desktop logons as well; other than that, it doesn't matter where the accounts are. In the security filtering for the TS User GPO, (only) the "Untrusted" group should be listed.
Have you restarted the TS after applying the Loopback GPO? In my experience, a simple gpupdate is not enough for the Loopback policy to apply.
0
 

Author Comment

by:kpurchase
ID: 22844461
I tried restarting the server but still no luck. I have moved all of the users out of the TS OU and now the policy is being applied on the TS and the normal desktop. I have only the Untrusted Group in the Security filtering for the TSRestrictions GP. Could the precedence of the two have something to do with it or the Enforced settings? Currently I have the TS GP first not enforced, then I have the TSRestrictions GP second enforced. Thanks for the help, I feel like we almost got it.

James
0
 
LVL 84

Expert Comment

by:oBdA
ID: 22844595
There should be no need to enforce one of these GPOs unless you've blocked inheritance somewhere along the way.
Please post a screenshot (or recreate it in ASCII in the "Code snippet" box) of the relevant OU structure (that is, the OU where your user accounts are, the OU where your desktop policies are linked, and the TS OU), and where you've linked which policies.
0
 

Author Comment

by:kpurchase
ID: 22844707
I finally got it to work. The problem was not the GP; it was that the user was not a member of one of the required domain groups, it was blocking its access on the normal desktop. Thanks for your help oBda.

James
0
