[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

How to set different GPO settings Per User and Per Server basis

Posted on 2009-05-17
2
Medium Priority
?
487 Views
Last Modified: 2013-11-21
FIRST - The question:

I am wandering is there a way to enable different sets of policies that will be applied to a different sets of users that are located in OU outside of locked OU, via Loopback Processing, depending on a TS they connect.


DIAGRAM:

Root
|
|-DC/TS group|
|                       |-DC/TS1
|                       |-DC/TS2
|
|
|-UserGroup1
|
|-UserGroup2


CASE DESCRIPTION:

I have the following situation:

Two servers:
  - Server1 DC/TS/2003
  - Server2 DC/TS/2003

Two groups of users:
  - Group1
  - Group2


  # Group2 access the local network only directly to Server2 using Terminal Services.
  # Group1 is a mixed group of users that both thrive on local network using thick clients, and connect to the Server1 outside of the company via Terminal Services. There are some users in Group1 that use thin clients for their daily work.
  # Both groups reside outside of child containers relative to DC/TS container
  # Both groups use Roaming User Profiles and Redirected Folders


Now, here is what I am thinking to do to have restrictive policies enabled when users connect to the TS and have loose ones when they work on their own computer:

  # Group1 is normal OU group with a limited set of settings
  # Group2 is special OU group that have strictly limited complete Windows UI

  # When a user from Group1 connects to a Server1 -> a Replace Loopback Processing applies to them so they get a completely new UI experience
  # When a user from Group2 connects to a Server2 -> no Loopback on them, as they have strict UI set in the first place

Now, how to make this also work in reverse mode? That is when User2 connects to Server1 and User1 to Server2?
I understand that I can have only one, universal locked down GPO that will Loopback to ALL users that connect, and not selectively.



I've tried to explain this well, tho If something is not clear, please just ask for more.
Thank you.
0
Comment
Question by:mrmut
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 24406115
First off, a warning: you're aware that it is not recommended to use DCs as terminal servers, for security and stability reasons?
That said: the Loopback Processing policy is not applied to users, it's applied to computers. Once LP is applied to a computer, *user* policies applied to the *computer* object will be processed when a user logs on to this computer, even if the user object isn't in or below the computer OU.
You can use the regular security filtering to control application of a "looped back" user policy.
Create a new GPO "Loopback" in which you enable loopback processing in "Replace" mode, and link it to the Terminal Servers OU. Reboot the machines to apply the policy.
Create a *new* GPO "Group1Restrictions" or whatever, link it to the Terminal Servers OU. Remove the default Authenticated Users from the Scope > Security setting, and add Group1 instead. Configure the restrictions that should be imposed on Group1.
Create a *new* GPO "Group2Restrictions" or whatever, link it to the Terminal Servers OU. Remove the default Authenticated Users from the Scope > Security setting, and add Group2 instead. Configure the restrictions that should be imposed on Group1.

Loopback processing of Group Policy
http://support.microsoft.com/kb/231287

Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988(WS.10).aspx
0
 

Author Comment

by:mrmut
ID: 24406198
Thank you very much!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question