PMGIT
Group Policy Authenticated Users Read & Apply
Hi,
I currently have a Citrix environment with a Terminal Services Group Policy enabled (Windows Components/Terminal Services/Sessions). This will disconnect any session that has been idle for an hour, and it works perfectly when I have it applied to 'authenticated users' (read and apply group policy); however when I remove 'apply' from authenticated users and add another security group with both read and apply, it doesn't work. Do I HAVE to use only the 'authenticated users' group to effectively apply this group policy? If so, how can I explicitly remove others (internal users and admins) such that it won't apply to them?
Thanks in advance!
Use a Deny to deny the admins and internal users (hopefully you have them in a security group).
BTW, leave the Authenticated Users as default. Making changes here usually results in high maintenance.
Also, if you want to apply it so that all users in Domain Users would not be affected by this GPO, just deny Domain Users instead of the XYZ group, as an example. But still, leave the Authenticated Users group as default.
ASKER
Okay, I think I've got it - oBdA and Americom I will split the points since you are both kind of saying the same thing (one with more detail). I am a little confused about the loopback though; is this the only way to make it work because I am applying a "user policy" to a group of computers? Also, will this work with the Domain Admins group? In other words, if I simply 'deny' apply group policy to domain admins; but allow 'read & apply' for authenticated users - the deny will take precedence and I will not get the policy because I am a domain admin?
Thanks!
You are correct, any group being denied a GPO will not be affected by the GPO.
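
One way to check the outcome of the Deny approach discussed in this thread, as an added example that is not part of any poster's reply: list every trustee that is allowed or denied "Apply Group Policy" on the GPO and warn if the filtering does not look as intended. The GPO name is a placeholder, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined machine.

```powershell
# Added example, not from the thread. Requires the RSAT GroupPolicy and
# ActiveDirectory modules (the latter provides the AD: drive used by Get-Acl).
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'TS Idle Session Limit'   # placeholder name (assumption)

# rightsGuid of the "Apply Group Policy" extended right in Active Directory.
$ApplyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$Extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$SidType  = [System.Security.Principal.SecurityIdentifier]

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
$acl = Get-Acl -Path "AD:\$($gpo.Path)"

# Keep ACEs that cover Apply Group Policy: either the specific right, or an
# extended-right ACE with an empty ObjectType, which covers all extended rights.
$aces = $acl.Access | Where-Object {
    ($_.ActiveDirectoryRights -band $Extended) -and
    ($_.ObjectType -eq $ApplyGpo -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object {
    [pscustomobject]@{
        Trustee   = $_.IdentityReference.Value
        Sid       = $_.IdentityReference.Translate($SidType).Value
        Type      = $_.AccessControlType      # Allow or Deny
        Inherited = $_.IsInherited
    }
}

# Deny entries first: a member of any denied group does not get the GPO,
# whatever its other group memberships allow.
$aces | Sort-Object Type -Descending | Format-Table -AutoSize

# S-1-5-11 is the well-known SID of Authenticated Users.
$authUsers = $aces | Where-Object { $_.Sid -eq 'S-1-5-11' -and $_.Type -eq 'Allow' }
if (-not $authUsers) {
    Write-Warning "Authenticated Users no longer has Allow 'Apply Group Policy' on '$GpoName'."
}
if (-not ($aces | Where-Object { $_.Type -eq 'Deny' })) {
    Write-Warning "No Deny 'Apply Group Policy' entry found on '$GpoName'."
}
```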