I'm having some issues in configuring group policy and am looking for some help and advice.
Before I get into it, I've configured the local GP on the TS to apply the restrictions I require as a temporary solution, but this then applies to the admin profiles which is annoying when administering it - Is there a way of denying the application of the LOCAL gp to the administrators group? I know this is possible if I do it not using the local policy but can't seem to find if I can do it on the local TS machine.
I need users to be able to log onto the TS (which is all fine) but not be able to shut down the pc, access to control panel and other restrictions similar. This only needs to apply when the users log on to the TS machine, not to the workstations, they need to be as normal. I've created a new OU and named it Terminal Services Computers, edited the policy to how I want. I've tried adding the TS computer to the apply to box, also tried creating a group and adding the Ts server as a member of this group, then putting the group in the GPO apply too section.
What's the best way of achieving this? I'm not as familiar with GPO's as I'd like to be so I'd appreciate thorough answers to help me understand it a little better. (i.e where I should be linking it too, what order to put it in etc).
Any help is really appreciated!