Configuring GPO to apply user restrictions on TS

Hi Guys,

I'm having some issues in configuring group policy and am looking for some help and advice.

Before I get into it, I've configured the local GP on the TS to apply the restrictions I require as a temporary solution, but this then applies to the admin profiles which is annoying when administering it - Is there a way of denying the application of the LOCAL gp to the administrators group? I know this is possible if I do it not using the local policy but can't seem to find if I can do it on the local TS machine.

I need users to be able to log onto the TS (which is all fine) but not be able to shut down the PC, access Control Panel, and other similar restrictions. This only needs to apply when the users log on to the TS machine, not to the workstations; they need to be as normal. I've created a new OU and named it Terminal Services Computers, and edited the policy to how I want. I've tried adding the TS computer to the apply to box, and also tried creating a group and adding the TS server as a member of this group, then putting the group in the GPO apply to section.

What's the best way of achieving this? I'm not as familiar with GPOs as I'd like to be, so I'd appreciate thorough answers to help me understand it a little better (i.e. where I should be linking it to, what order to put it in, etc.).

Any help is really appreciated!

ConanUK (Author) Commented:
I tried the above suggestion and variations of it but had no joy with it. I've managed to get it working by editing the GPO settings for the 'loopback' under Computer Configuration. All working fine now, thanks for any help given :)
ConanUK (Author) Commented:
I should also add that I've tried the article below but it doesn't seem to be working - I'm not sure I'm doing it right?

Hello. First make sure you install the 'Group Policy Management Console' on your domain controllers. This is easier to manage GPOs than the default MMC that comes with Windows.

You will need to create an OU in Active Directory Services and add the Terminal servers to this group. You will create a 'lock-down' policy which will lock down settings (not be able to shut down the PC, access to Control Panel and other similar restrictions) for your users. Call this GPO Terminal users or something similar and configure settings. Link this GPO to the servers OU. Once you have done this, click on the properties for the GPO and click on the Security tab. Two things to do in here:

1 - Make sure Authenticated Users, or any group you want this policy to apply to, are listed in there and make sure the 'Read' and 'Apply Group Policy' settings are checked.
2 - In there you can also click deny on the 'Apply Group Policy' right for any group (Domain Admins, any group) that you don't want this policy to apply to.

When a member of the Domain Admins group logs into the Terminal server, that policy will not apply. Every other authenticated user in the domain will receive the lockdown settings. As always, test and test again. Hope this helps.
The Group Policy Management Console can be found here

You may also want to check the 'Block Policy Inheritance' box on the 'Group Policy' tab of the Terminal Server OU so that other GPOs linked to the domain do not interfere with these GPO settings.

Please let me know if you need further clarification or have further questions.
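
The steps in the answer above, combined with the loopback setting the author reports as the fix, as an added PowerShell sketch (not code from the thread or from any participant). User-side settings in a GPO linked to a computer OU are only applied to users logging on to those computers when loopback processing is enabled in that GPO's Computer Configuration. The domain `example.com`, the groups `TS-Restricted-Users` and `TS-Servers`, and the choice of Replace mode are assumptions; instead of a deny ACE for administrators, this version filters the GPO to a group that does not contain them.

```powershell
# Added example (not from the thread). Needs the GroupPolicy module (GPMC / RSAT)
# and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

# Hypothetical names: adjust to your own domain.
$GpoName   = 'Terminal users'                                    # GPO name suggested in the answer
$TsOu      = 'OU=Terminal Services Computers,DC=example,DC=com'  # OU from the question, placeholder domain
$UserGroup = 'TS-Restricted-Users'  # assumed group of non-admin TS users
$TsGroup   = 'TS-Servers'           # assumed group holding the TS computer accounts

New-GPO -Name $GpoName -Comment 'Lockdown for terminal server sessions' | Out-Null
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null

# Computer side: user Group Policy loopback processing mode.
# 1 = Merge (user's normal GPOs plus this one), 2 = Replace (only GPOs that apply to the computer).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User side: remove Shut Down and block Control Panel.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($name in 'NoClose', 'NoControlPanel') {
    Set-GPRegistryValue -Name $GpoName -Key $explorer `
        -ValueName $name -Type DWord -Value 1 | Out-Null
}

# Security filtering: everyone can read the GPO, but only the TS computers
# (for the loopback setting) and the restricted users (for the lockdown) apply it.
# Administrators who are not in $UserGroup keep an unrestricted session.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TsGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Optional, per the answer: stop GPOs linked higher up from reaching this OU.
# Set-GPInheritance -Target $TsOu -IsBlocked Yes

# Write a report to review the resulting settings and permissions.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\ts-lockdown.html"
```

After running it, `gpupdate /force` on the terminal server followed by `gpresult /r` in a test user's session shows whether the GPO was applied or filtered out.
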
ConanUK (Author) Commented:
Thanks for the response,

Will this apply the lockdown settings only to the TS? I want the workstations left unchanged and unaffected by the lockdown settings.

Also, what does the block inheritance selection do, or perhaps worded better, where does it block the inheritance from?