PMGIT

Group Policy Authenticated Users Read & Apply

Hi,
I currently have a Citrix environment with a Terminal Services Group Policy enabled (Windows Components/Terminal Services/Sessions). This will disconnect any session that has been idle for an hour, and it works perfectly when I have it applied to 'authenticated users' (read and apply group policy); however, when I remove 'apply' from authenticated users and add another security group with both read and apply, it doesn't work. Do I HAVE to use only the 'authenticated users' group to effectively apply this group policy? If so, how can I explicitly remove others (internal users and admins) such that it won't apply to them?
Thanks in advance!
Carl Webster

Use a Deny to deny the admins and internal users (hopefully you have them in a security group).
SOLUTION
oBdA

This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
BTW, leave the Authenticated Users as default. Making changes here usually results in high maintenance.
Also, if you want to apply it so that all users in the Domain Users group would not be affected by this GPO, just deny Domain Users instead of XYZ group as an example. But still, leave the Authenticated Users group as default.
PMGIT

ASKER

Okay, I think I've got it - oBdA and Americom, I will split the points since you are both kind of saying the same thing (one with more detail). I am a little confused about the loopback though; is this the only way to make it work because I am applying a "user policy" to a group of computers? Also, will this work with the Domain Admins group? In other words, if I simply 'deny' apply group policy to domain admins, but allow 'read & apply' for authenticated users - the deny will take precedence and I will not get the policy because I am a domain admin?
Thanks!
You are correct; any group that is denied a GPO will not be affected by the GPO.
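
The approach discussed in this thread (leave Authenticated Users at the default Read & Apply, add a Deny on "Apply group policy" for the group to exclude), as an added PowerShell example that is not part of the original thread or the hidden member-only answers. The GPO name is a hypothetical placeholder, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules and rights to edit the GPO's ACL.

```powershell
# Added example: deny "Apply group policy" for one group on one GPO, then audit the result.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Citrix Idle Session Limit'   # assumption: placeholder GPO display name
$DenyGroup = 'Domain Admins'               # group that must not receive the policy

# "Apply Group Policy" is an extended right with this well-known GUID.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Locate the GPO's groupPolicyContainer object in AD.
$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$sid   = (Get-ADGroup -Identity $DenyGroup).SID

# Read explicit ACEs as SIDs so the comparison does not depend on name resolution.
$acl   = Get-Acl -Path "AD:\$gpoDn"
$rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
$alreadyDenied = $rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $ApplyGpoRight -and
    $_.IdentityReference -eq $sid
}

if (-not $alreadyDenied) {
    # Deny ACE scoped to the Apply Group Policy right only; Read is left untouched.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$gpoDn" -AclObject $acl
}

# Audit: Authenticated Users should still show its default apply permission,
# and the excluded group should appear with Denied = True.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Denied -Descending |
    Format-Table -AutoSize
```

Members of the denied group pick up the change at their next logon, when their access token is rebuilt with current group memberships.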