Group Policy Authenticated Users Read & Apply

Posted on 2009-02-23
Last Modified: 2013-11-21
I currently have a Citrix environment with a Terminal Services Group Policy enabled (Windows Components/Terminal Services/Sessions). This will disconnect any session that has been idle for an hour, and it works perfectly when I have it applied to 'Authenticated Users' (Read and Apply Group Policy); however, when I remove 'Apply' from Authenticated Users and add another security group with both Read and Apply, it doesn't work. Do I HAVE to use only the 'Authenticated Users' group to effectively apply this group policy? If so, how can I explicitly exclude others (internal users and admins) so that it won't apply to them?
Thanks in advance!

Question by: PMGIT
LVL 36

Expert Comment

by: Carl Webster
Use a Deny to deny the admins and internal users (hopefully you have them in a security group).
LVL 82

Assisted Solution

You've probably configured that in the *Computer* Configuration section; these settings *have* to be applied to a computer account and can obviously not be filtered by user.
You need to configure the same setting in the *User* Configuration section and apply it to user objects if you want to control this by user account.
LVL 18

Accepted Solution

Here's what you need to do:

Step I: Create or adjust your GPO; let's call it TS-GPO for now
1. On your working GPO, make sure it is configured under User Configuration and not Computer Configuration.
2. Under Computer Configuration, turn on "Loopback processing": Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

Step II: Deny TS-GPO for the users or groups
1. Create a group (i.e., XYZ)
2. Add those system accounts to XYZ
3. Click on your TS-GPO
4. Click on the last tab, "Delegation" (assuming you are using GPMC)
5. Click on the "Add" button at the bottom
6. Select the group XYZ
7. Click on the button in the lower right-hand corner, "Advanced..."
8. Highlight the XYZ group
9. In the Deny column, check "Apply Group Policy"

Now your XYZ group will be denied the TS-GPO and users in the XYZ group will not be affected.

Step III: Link the TS-GPO to computers like your terminal servers.

Again, this GPO is linked to an OU of computers, but the configuration affects the users who log on to those computers due to the loopback processing.
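The three steps above, scripted with the RSAT GroupPolicy and ActiveDirectory modules, plus a read-back of the GPO's ACL to confirm the Deny entry landed. This is an added example, not code from the thread or from any of its posters. The GPO name TS-GPO and the group XYZ come from the answer; the OU path, the domain and the choice of Merge-mode loopback are assumptions. Set-GPPermission can grant or strip rights but cannot write a Deny ACE, so Step II edits the GPO container's ACL directly using the "Apply Group Policy" extended-right GUID; GPMC's Delegation tab remains the authoritative place to review the result.

```powershell
# Added example (not from the thread). Assumed: RSAT installed, run as a user
# who can edit the GPO; placeholder OU/domain below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'TS-GPO'                                   # from the answer
$DenyGroup = 'XYZ'                                      # exemption group from the answer
$TsOu      = 'OU=Terminal Servers,DC=example,DC=com'    # assumed OU of the terminal servers
$Domain    = Get-ADDomain

# Step I.1: idle-session limit in the *User* half of the GPO. An HKCU key makes
# Set-GPRegistryValue write to User Configuration. MaxIdleTime is the value behind
# "Set time limit for active but idle Terminal Services sessions" (milliseconds).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'MaxIdleTime' -Type DWord -Value 3600000 | Out-Null   # 1 hour

# Step I.2: loopback processing in the *Computer* half (UserPolicyMode 1 = Merge,
# 2 = Replace), so the user setting applies to whoever logs on to the linked machines.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Step II: Deny "Apply Group Policy" for XYZ on the GPO's AD container.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # extended right GUID
$gpo     = Get-GPO -Name $GpoName
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$($Domain.DistinguishedName)"
$sid     = (Get-ADGroup -Identity $DenyGroup).SID

$acl  = Get-Acl -Path $gpoPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path $gpoPath -AclObject $acl

# Step III: link the GPO to the OU holding the terminal servers (computer objects).
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null

# Check: list every ACE for the Apply Group Policy right. Expect a Deny row for XYZ
# and the untouched default Allow row for Authenticated Users.
$acl = Get-Acl -Path $gpoPath
$acl.Access |
    Where-Object { $_.ObjectType -eq $ApplyGroupPolicyRight } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Format-Table -AutoSize
```

After running it, `gpupdate /force` on a terminal server followed by `gpresult /r` for a member of XYZ should list TS-GPO under "The following GPOs were not applied because they were filtered out" with the reason "Access Denied (Security Filtering)", while a user outside XYZ gets the idle limit. Because Deny entries win over Allow, a member of XYZ is excluded even though Authenticated Users still has Read and Apply.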
LVL 18

Expert Comment

BTW, leave Authenticated Users as the default. Making changes there usually results in high maintenance.
LVL 18

Expert Comment

Also, if you want to apply it so that all users in Domain Users would not be affected by this GPO, just deny Domain Users instead of the XYZ group, as an example. But still, leave the Authenticated Users group as the default.

Author Comment

Okay, I think I've got it. oBdA and Americom, I will split the points since you are both kind of saying the same thing (one with more detail). I am a little confused about the loopback, though; is this the only way to make it work because I am applying a "user policy" to a group of computers? Also, will this work with the Domain Admins group? In other words, if I simply 'Deny' Apply Group Policy to Domain Admins but allow 'Read & Apply' for Authenticated Users, the Deny will take precedence and I will not get the policy because I am a domain admin?
LVL 18

Expert Comment

You are correct; any group that is denied a GPO will not be affected by that GPO.
