Terminal Server USer with Group policy vs. same user on laptop

Hi,

Little question i have 2x 2008 server one AD and one TS.  The TS server is server2 and is also domain controller.  I have some users who are external and have a portable laptop and also work via the terminal server.  My users are all in a container where the GPO is applied to lock their desktop on the TS server and lock their start menu and redirect is.

PRoblem is when these users log on to their laptop their dekstop their is locked down also and i want it only to be locked down when this users logs on to the terminal server.  How can i fix this please?
LVL 10
PlusITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Henrik JohanssonSystems engineerCommented:
Four things nead to be done:
1. Enable user loopback processing on the computer
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy lopoback processing mode

2. Link the lockdown GPOs with user settings to the OU containing computer object of terminal server instead of the OU with user objects. When loopback processing is enabled, user GPOs linked will also be applied in computer OUs. Conflicting settings that exist in both computer and user configuration will result as the setting in computer configuration (computer configuration has higher precedence than user configuration).

3. Make sure the users has a TS profile separated from their normal profile used on the client machines. This is either done on "Terminal Services Profile"-tab in Properties of each user account or through the following GPO setting.
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Set path for TS Roaming Profiles
-> Set the path to be the common folder containing the tsprofile folders.

4. To avoid that the lockdown GPOs are applied to administrators, configure security filtering by editing the security on GPOs with lockdown settings and restrict what group of users are allowed/denied the "Apply Group Policy" permissions.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PlusITAuthor Commented:
thx i will try this asap and let you know if it worked
0
Henrik JohanssonSystems engineerCommented:
Just clarifying that 1. nead to be done on terminal server and not the clients.
It should had been "Enable user loopback processing on the terminal server"
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.