• Status: Solved

Group Policy Authenticated Users Read & Apply

I currently have a Citrix environment with a Terminal Services Group Policy enabled (Windows Components/Terminal Services/Sessions). This will disconnect any session that has been idle for an hour, and it works perfectly when I have it applied to 'Authenticated Users' (Read and Apply Group Policy); however, when I remove 'Apply' from Authenticated Users and add another security group with both Read and Apply, it doesn't work. Do I HAVE to use only the 'Authenticated Users' group to effectively apply this group policy? If so, how can I explicitly remove others (internal users and admins) such that it won't apply to them?
Thanks in advance!
2 Solutions
Carl Webster commented:
Use a Deny to deny the admins and internal users (hopefully you have them in a security group).
You've probably configured that in the *Computer* Configuration section; these settings *have* to be applied to a computer account and can obviously not be filtered by user.
You need to configure the same setting in the *User* configuration section and apply it to user objects if you want to control this by user account.
Here's what you need to do:
Step I: Create or adjust your GPO; let's call it TS-GPO for now
1. On your working GPO, make sure the setting is configured under the User Configuration and not the Computer Configuration.
2. Under the Computer Configuration, turn on "Loopback processing": Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

Step II: Deny TS-GPO for the users or groups
1. Create a group (e.g., XYZ)
2. Add those system accounts to XYZ
3. Click on your TS-GPO
4. Click on the last tab, "Delegation" (assuming you are using GPMC)
5. Click on the "Add" button at the bottom
6. Select the group XYZ
7. Click on the button in the lower right-hand corner, "Advanced..."
8. Highlight the XYZ group
9. In the Deny column, check "Apply Group Policy"

Now your XYZ group will be denied the TS-GPO, and users in the XYZ group will not be affected.

Step III: Link the TS-GPO to computers such as your terminal servers.

Again, this GPO is linked to an OU of computers, but the configuration affects the users who log on to those computers because of loopback processing.
BTW, leave Authenticated Users at the default. Making changes there usually results in high maintenance.
Also, if you want all users in Domain Users to be unaffected by this GPO, just deny Domain Users instead of the XYZ group, as an example. But still, leave the Authenticated Users group at the default.
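The same three steps (user-side idle limit, loopback processing, a Deny on "Apply Group Policy" for the exempt group, then linking to the server OU) can be scripted and verified from a management host. The script below is an added example and is not from this thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules, a GPO named TS-GPO, a security group named XYZ, and a placeholder OU distinguished name that you must replace. It goes one step beyond the answer by adding a check function that confirms the Deny ACE actually landed on the GPO.

```powershell
# Added example (not from the thread): script Americom's procedure and verify it.
# Assumes RSAT GroupPolicy + ActiveDirectory modules, GPO "TS-GPO", group "XYZ".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'TS-GPO'
$DenyGroup = 'XYZ'
$TargetOU  = 'OU=Terminal Servers,DC=example,DC=com'   # placeholder: replace with your OU DN

# Well-known GUID of the "Apply Group Policy" extended right on GPO containers.
$ApplyGpRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Step I.1: idle limit in the *User* Configuration (HKCU), one hour in milliseconds.
# This is the registry value behind "Set time limit for active but idle ... sessions".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'MaxIdleTime' -Type DWord -Value 3600000 | Out-Null

# Step I.2: loopback processing in the *Computer* Configuration (1 = Merge, 2 = Replace),
# so the user-side setting applies to whoever logs on to the linked computers.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Leave Authenticated Users with Read + Apply, as the answer recommends.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step II: Deny "Apply Group Policy" to XYZ. Set-GPPermission only writes Allow entries,
# so the Deny ACE is added to the GPO's Active Directory container directly.
$gpo    = Get-GPO -Name $GpoName
$adPath = 'AD:\' + $gpo.Path                      # DN of the GPO under CN=Policies
$acl    = Get-Acl -Path $adPath
$sid    = (Get-ADGroup -Identity $DenyGroup).SID
$deny   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, `
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, `
        [System.Security.AccessControl.AccessControlType]::Deny, `
        $ApplyGpRight
$acl.AddAccessRule($deny)
Set-Acl -Path $adPath -AclObject $acl

# Step III: link the GPO to the OU that holds the terminal servers.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Check: does the GPO's AD ACL carry a Deny of "Apply Group Policy" for the group?
function Test-GpoDenyApply {
    param([string]$Name, [string]$Group)
    $g   = Get-GPO -Name $Name
    $acl = Get-Acl -Path ('AD:\' + $g.Path)
    $sid = (Get-ADGroup -Identity $Group).SID
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return [bool]$hit
}

Test-GpoDenyApply -Name $GpoName -Group $DenyGroup
```

Two caveats worth knowing: Get-GPPermission reports Allow entries only, so the check function reads the AD ACL itself; and because the Deny ACE is written to the AD object and not to the matching SYSVOL folder, GPMC will flag the permissions as inconsistent the next time the GPO is opened and offer to synchronise them, which is the expected prompt rather than an error.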
PMGIT (Author) commented:
Okay, I think I've got it - oBdA and Americom I will split the points since you are both kind of saying the same thing (one with more detail).  I am a little confused about the loopback though; is this the only way to make it work because I am applying a "user policy"  to a group of computers?  Also, will this work with the Domain Admins group?  In other words, if I simply 'deny' apply group policy to domain admins; but allow 'read & apply' for authenticated users - the deny will take precedence and I will not get the policy because I am a domain admin?
You are correct; any group that is denied a GPO will not be affected by that GPO.
