Solved

Where can I find Administrative Templates for Group Policy?

Posted on 2008-10-24
Last Modified: 2012-08-13
I am trying to locate Administrative templates for Group Policy. I went to the Microsoft website listed below but they do not list any for Windows Server 2003 SP2. The specific templates I am looking for are the ones in which I can edit the Desktop, Control Panel, and Start Menu settings. I have these templates listed in the 'User Configuration' side of the Group Policy but I need them in the 'Computer Configuration' side. Is it not possible to control these using Computer Configuration? Thanks.

http://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en 
Question by:kpurchase
16 Comments
 
LVL 5

Expert Comment

by:gzarnick
ID: 22796621
0
 

Author Comment

by:kpurchase
ID: 22796850
All that site does is list the standard set of ADM files which we already have. I need to find the specific template that controls the desktop, control panel...etc.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797711
Per Microsoft (refers primarily to user interface)
-----
Administrative templates provide Group Policy setting information for the items that appear under Administrative Templates. Group Policy tools use Administrative template files to populate policy settings in the **user interface**. This allows administrators to manage registry-based policy settings.

However, you can add Administrative Templates

Note: Administrative Templates are available under either Computer or User Configuration. Select the configuration that is correct for your custom template.

See this article
http://support.microsoft.com/kb/816662


 
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797745
It allows you to add the ADMINISTRATIVE TEMPLATES
under either Users or ....computers
those templates will allow you to configure the desktop etc
both for users or...if you prefer based on computer
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 22797799
here is a print screen
GPO-Admin-Template.doc
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22803655
No, these settings can not be configured under Computer Configuration.
What is it *exactly* you want to do, that prevents you from using the User Configuration?
0
 

Author Comment

by:kpurchase
ID: 22813028
Thank you for clearing that up oBdA. We cannot configure this by the user because we only want the Group Policy to apply when the user logs into our Terminal Server. We don't want the Group Policy to apply when they log into their normal desktop. We can't change the structure of the OUs because there are other GPOs being applied elsewhere. Do you have any ideas on how we could configure this?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 22815993
You need the "Loopback" feature for group policies.

1. Create a new OU, put your Terminal Servers in there. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration\Administrative Templates\Group Policies, "User group policy loopback processing mode". Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings. Do not use the "Loopback" GPO to configure other settings than the loopback feature (or only settings in "Computer Configuration")!
2. Now you can create additional GPO(s) for your *users* in this OU. Check "Disable Computer Configuration Settings" in those, you don't need them for user policies, and it speeds up GPO processing. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. For every TS GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. Remove the default "Authenticated Users" from the "Security Filtering" list, add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
0
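
Added example, not part of oBdA's answer or the original thread: the two-GPO loopback layout described above, scripted with the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later). The OU distinguished name is a placeholder and the GPO and group names are assumptions modelled on the thread. Unlike the answer, it leaves "Authenticated Users" with read-only access instead of removing it, because on systems patched with MS16-072 user policy is retrieved in the computer's security context and a GPO the computer cannot read is skipped.

```powershell
# Added example: names below are assumptions, not values confirmed by the thread.
Import-Module GroupPolicy

$tsOu        = 'OU=Terminalserver,DC=example,DC=com'  # placeholder DN, replace with your own
$loopbackGpo = 'Loopback'
$userGpo     = 'TSRestrictions'
$filterGroup = 'Untrusted'                            # users who get the TS restrictions

# 1. Loopback GPO: carries only the computer-side loopback setting.
#    UserPolicyMode is the registry value behind
#    "User group policy loopback processing mode": 1 = Merge, 2 = Replace.
$gpo = New-GPO -Name $loopbackGpo
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
$gpo.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $loopbackGpo -Target $tsOu | Out-Null

# 2. User-restrictions GPO linked to the same OU; the computer half is disabled.
#    The actual Desktop / Control Panel / Start Menu settings are edited in this GPO.
$restrict = New-GPO -Name $userGpo
$restrict.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $userGpo -Target $tsOu | Out-Null

# 3. Security filtering: only the filter group may apply the GPO.
#    -Replace is needed to lower Authenticated Users from Apply to Read.
Set-GPPermission -Name $userGpo -TargetName $filterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Review what is linked to the OU and who can apply the user GPO.
(Get-GPInheritance -Target $tsOu).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order
Get-GPPermission -Name $userGpo -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After the terminal server has picked up the loopback setting, `gpresult /r /scope user` run in a session of a filter-group member should list the user GPO among the applied objects.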
 

Author Comment

by:kpurchase
ID: 22842925
Here's what I did:

I created a TS OU and put the Terminal Server in it.
Created a GPO with the loopback setting and user configuration disabled.
Created a GPO with the user setting I want to apply when on the terminal server with Computer settings disabled.

I am having one slight problem. I am using the account 'TestUser' to test the group policy. The policy is being applied when I log into the terminal server as TestUser, but it's also being applied when I log into a regular desktop. Is there something I am missing?

Thanks,

James
0
 

Author Comment

by:kpurchase
ID: 22842935
Let me just clear up the second step. I created a GPO with the loopback setting enabled and set to 'Replace' and the user configuration disabled.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22843029
Your test account should *not* be in (or below) the TS OU.

OU "Terminalserver" --> GPO "Loopback", GPO "TSRestrictions"
  +-- TerminalServer
OU "Users"
  +-- TestUser
0
 

Author Comment

by:kpurchase
ID: 22843205
When I move TestUser out of the TS OU the Group Policy is not applying on the Terminal Server and continues to apply on the normal desktop. If I do a gpresult on the Terminal server the Loopback GPO is being applied but the TSRestrictions is not listed. I have a group that I created called 'Untrusted' with the users that I want the policy applied to when they log into the TS. Where in AD should they be? Who should be listed in the Security Filtering?

Thanks.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22843922
As I said above: the user accounts may *not* be in or below the Terminalserver OU, otherwise the TS GPO will apply on desktop logons as well; other than that, it doesn't matter where the accounts are. In the security filtering for the TS User GPO, (only) the "Untrusted" group should be listed.
Have you restarted the TS after applying the Loopback GPO? In my experience, a simple gpupdate is not enough for the Loopback policy to apply.
0
 

Author Comment

by:kpurchase
ID: 22844461
I tried restarting the server but still no luck. I have moved all of the users out of the TS OU and now the policy is being applied on the TS and the normal desktop. I have only the Untrusted Group in the Security filtering for the TSRestrictions GP. Could the precedence of the two have something to do with it or the Enforced settings? Currently I have the TS GP first not enforced, then I have the TSRestrictions GP second enforced. Thanks for the help, I feel like we almost got it.

James
0
 
LVL 83

Expert Comment

by:oBdA
ID: 22844595
There should be no need to enforce one of these GPOs unless you've blocked inheritance somewhere along the way.
Please post a screenshot (or recreate it in ASCII in the "Code snippet" box) of the relevant OU structure (that is, the OU where your user accounts are, the OU where your desktop policies are linked, and the TS OU), and where you've linked which policies.
0
 

Author Comment

by:kpurchase
ID: 22844707
I finally got it to work. The problem was not the GP, it was that the user was not a member of one of the required domain groups; it was blocking its access on the normal desktop. Thanks for your help oBdA.

James
0

Question has a verified solution.