Solved

Terminal Server USer with Group policy vs. same user on laptop

Posted on 2009-07-01
4
371 Views
Last Modified: 2013-12-04
Hi,

Little question i have 2x 2008 server one AD and one TS.  The TS server is server2 and is also domain controller.  I have some users who are external and have a portable laptop and also work via the terminal server.  My users are all in a container where the GPO is applied to lock their desktop on the TS server and lock their start menu and redirect is.

PRoblem is when these users log on to their laptop their dekstop their is locked down also and i want it only to be locked down when this users logs on to the terminal server.  How can i fix this please?
0
Comment
Question by:PlusIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 125 total points
ID: 24765916
Four things nead to be done:
1. Enable user loopback processing on the computer
Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy lopoback processing mode

2. Link the lockdown GPOs with user settings to the OU containing computer object of terminal server instead of the OU with user objects. When loopback processing is enabled, user GPOs linked will also be applied in computer OUs. Conflicting settings that exist in both computer and user configuration will result as the setting in computer configuration (computer configuration has higher precedence than user configuration).

3. Make sure the users has a TS profile separated from their normal profile used on the client machines. This is either done on "Terminal Services Profile"-tab in Properties of each user account or through the following GPO setting.
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Set path for TS Roaming Profiles
-> Set the path to be the common folder containing the tsprofile folders.

4. To avoid that the lockdown GPOs are applied to administrators, configure security filtering by editing the security on GPOs with lockdown settings and restrict what group of users are allowed/denied the "Apply Group Policy" permissions.
0
 
LVL 10

Author Comment

by:PlusIT
ID: 24776784
thx i will try this asap and let you know if it worked
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24777763
Just clarifying that 1. nead to be done on terminal server and not the clients.
It should had been "Enable user loopback processing on the terminal server"
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question