How to allow certain OU to access AD Users and Computers in Terminal Server 2008

etraxler
I have an OU with consultants and the security group in that OU with the consultants in it. I would like to create GPO that would allow consultants access to only AD Users and Computers so that they can only create accounts and nothing else.
Please advise.

Consultant
Top Expert 2010
Commented:
Put them all into a security group, then delegate authority over the desired OU, by right clicking the OU and selecting delegate authority and running through the wizard.

Author

Commented:
They are in the security group already in that OU. Now I have a GPO for terminal server that does not allow users to access the administrative console. So by default they are not able to access the admin console unless I exclude them from the policy. I will try your suggestions and let you know if it works.
Mike Thomas
Consultant
Top Expert 2010

Commented:
OK, then that is somewhat different than your first post. If that is the case then you need to create a security group and set the policy permissions to that group, BUT exclude the people who you do not wish the policy to apply to by not adding them to the group.

So for example, the policy you have applied to the OU will most probably apply to the "Authenticated users" group. Create a policy called "TS Lock Down" and add all users except the consultants; the policy would in effect apply to all users in the OU BUT due to the permissions would only be executed by the people in the "TS Lock Down" group and exclude everyone else.

Make sense?
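
The delegation and security-filtering steps from the answers above, scripted as an added example (not code from the thread). It assumes the GroupPolicy module from RSAT on Server 2012 or later, a hypothetical domain `example.com` with an OU `OU=Consultants` and a group `EXAMPLE\Consultants`, and it grants only "create user objects", which is narrower than the wizard's "Create, delete, and manage user accounts" task.

```powershell
# Added example. All names are assumed placeholders except "TS Lock Down",
# which is the policy/group name used in the thread.
Import-Module GroupPolicy

$OuDn        = 'OU=Consultants,DC=example,DC=com'  # assumed: OU where accounts may be created
$Delegates   = 'EXAMPLE\Consultants'               # assumed: consultants security group
$GpoName     = 'TS Lock Down'                      # lockdown GPO linked to the terminal server
$FilterGroup = 'TS Lock Down'                      # group holding every user EXCEPT the consultants

# 1. Delegation: the same kind of ACE the Delegation of Control wizard writes.
#    CC;user = "create child" limited to objects of class user.
#    /I:T    = this OU and its sub-containers. No delete or full-control right is granted.
dsacls $OuDn /I:T /G "${Delegates}:CC;user" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls could not set the ACE on $OuDn" }

# 2. Security filtering: stop the GPO applying to everyone by default.
#    Authenticated Users is lowered from Apply to Read, not removed. Since
#    MS16-072 user policy is retrieved in the computer's security context,
#    so a GPO that computers cannot read is silently skipped.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

#    Only members of the filter group now process the lockdown settings.
Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Verification: review both ACLs instead of trusting the commands above.
#    Expect GpoApply for the filter group and GpoRead for Authenticated Users.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Trustee |
    Format-Table -AutoSize

#    Expect one allow entry for the consultants group on the OU.
dsacls $OuDn | Select-String -SimpleMatch $Delegates
```

Group membership is evaluated at logon, so users added to or removed from the filter group need a fresh session on the terminal server before the change takes effect.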


Author

Commented:
Yes, let me try that. Thanks.
Mike Thomas
Consultant
Top Expert 2010

Commented:
Also, if the consultants use TS as well as desktops, GP Loopback processing might be useful.

Read here for more info and to give you some idea whether it may be useful in your situation.

http://kudratsapaev.blogspot.com/2009/07/loopback-processing-of-group-policy.html

Author

Commented:
Is there a way to create another policy just for consultants? The terminal server policy that I have gives everybody access to the terminal server with the lockdown permissions except the admins.
