Configuring GPO to apply user restrictions on TS

Posted on 2009-04-23
Last Modified: 2013-12-04
Hi Guys,

I'm having some issues in configuring group policy and am looking for some help and advice.

Before I get into it, I've configured the local GP on the TS to apply the restrictions I require as a temporary solution, but this then applies to the admin profiles which is annoying when administering it - Is there a way of denying the application of the LOCAL gp to the administrators group? I know this is possible if I do it not using the local policy but can't seem to find if I can do it on the local TS machine.

I need users to be able to log onto the TS (which is all fine) but not be able to shut down the pc, access to control panel and other restrictions similar. This only needs to apply when the users log on to the TS machine, not to the workstations, they need to be as normal. I've created a new OU and named it Terminal Services Computers, edited the policy to how I want. I've tried adding the TS computer to the apply to box, also tried creating a group and adding the TS server as a member of this group, then putting the group in the GPO apply to section.

What's the best way of achieving this? I'm not as familiar with GPOs as I'd like to be so I'd appreciate thorough answers to help me understand it a little better. (i.e. where I should be linking it to, what order to put it in etc).

Any help is really appreciated!

Question by:ConanUK
    LVL 2

    Author Comment

    I should also add that I've tried the article below but it doesn't seem to be working - I'm not sure I'm doing it right?

    Expert Comment

    Hello. First make sure you install the 'Group Policy Management Console' on your domain controllers. This is easier to manage GPOs than the default MMC that comes with Windows.

    You will need to create an OU in Active Directory Services and add the Terminal servers to this group. You will create a 'lock-down' policy which will lock down settings (not be able to shut down the pc, access to control panel and other restrictions similar) for your users. Call this GPO Terminal users or something similar and configure settings. Link this GPO to the servers OU. Once you have done this, click on the properties for the GPO and click on the Security tab. Two things to do in here. 1 - Make sure authenticated users or any group you want this policy to apply, are listed in there and make sure the 'read' and 'apply group policy' settings are checked. 2 - In there you can also click the deny 'Apply Group Policy' right to any group (domain admins, any group) that you don't want this policy to apply to. When a member of the domain admins group logs into the Terminal server, that Policy will not apply. Every other authenticated user in the domain will receive the lockdown settings. As always, test and test again. Hope this helps.

    Expert Comment

    The Group Policy Management Console can be found here

    You may also want to check the 'Block Policy Inheritance' on the 'Group Policy' tab of the Terminal Server OU so that other GPOs linked to the domain do not interfere with these GPO settings.

    Please let me know if you need further clarification or have further questions.
    LVL 2

    Author Comment

    Thanks for the response,

    Will this apply the lockdown settings only to the TS? I want the workstations left unchanged and unaffected by the lockdown settings.

    Also, what does the block inheritance selection do, or perhaps worded better, where does it block the inheritance from?
    LVL 2

    Accepted Solution

    I tried the above suggestion and variations of but had no joy with it. I've managed to get it working by editing the GPO settings for the 'loopback' under computer configuration. All working fine now, thanks for any help given :)
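
The loopback setup the thread ends on, as an added example that is not part of the original posts: user-side restrictions in a GPO linked to a computer OU only reach users once loopback processing is enabled on those computers, and security filtering on the user-side GPO keeps administrators out of scope. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later with GPMC installed); the domain DN, GPO names and group name are hypothetical.

```powershell
# Added example. The domain DN, GPO names and group name are assumptions.
Import-Module GroupPolicy

$tsOu        = 'OU=Terminal Services Computers,DC=example,DC=local'  # hypothetical DN
$loopbackGpo = 'TS - Loopback'          # hypothetical GPO name (computer settings)
$lockdownGpo = 'TS - User Lockdown'     # hypothetical GPO name (user settings)
$restricted  = 'TS Restricted Users'    # hypothetical group of non-admin TS users

# 1. Computer-side GPO: enable loopback so user settings are taken from the
#    GPOs in scope of the server's OU instead of the user's own OU.
New-GPO -Name $loopbackGpo | Out-Null
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null   # 1 = Merge, 2 = Replace

# 2. User-side GPO: the restrictions asked for in the question.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-GPO -Name $lockdownGpo | Out-Null
Set-GPRegistryValue -Name $lockdownGpo -Key $explorer `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null          # hide Shut Down
Set-GPRegistryValue -Name $lockdownGpo -Key $explorer `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null   # block Control Panel

# 3. Security filtering on the user-side GPO only. Authenticated Users keep
#    Read (the server's computer account must still be able to read the GPO),
#    while Apply goes to the restricted group, so admins outside it are untouched.
Set-GPPermission -Name $lockdownGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $lockdownGpo -TargetName $restricted `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link both GPOs to the terminal server OU only, so workstations in
#    other OUs never process either of them.
New-GPLink -Name $loopbackGpo -Target $tsOu -LinkEnabled Yes | Out-Null
New-GPLink -Name $lockdownGpo -Target $tsOu -LinkEnabled Yes | Out-Null

# 5. Review the resulting scope before testing with a non-admin logon.
Get-GPPermission -Name $lockdownGpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After `gpupdate /force` on the terminal server, `gpresult /r` run in a restricted user's session should list the lockdown GPO under user settings, and the same command in an administrator's session should show it as filtered out.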
