Solved

Setting up a Windows 2008 64bit Terminal Services Server

Posted on 2010-09-13
Last Modified: 2013-11-21
We are creating a new VM 2008 64bit TS Server. I created a new OU and 3 new GPOs. The top GPO is the Computer Policy (only Computer Settings are set by this GPO). The 2nd GPO is Admin User Settings (this is set only for Domain Admins to administer the box; I have no settings set in this GPO as I want us to have full access to everything). The 3rd GPO is for all Domain Users (this is the restrict GPO where I lock down the box for all Domain Users, but it only sets User Settings, no Computer restrictions).

GPO precedence is Computer GPO, Admin GPO and then the Domain Users GPO. The Computer and Domain Users GPOs are working but the Admin GPO is not working.

How do people typically administer the server? Am I setting up something wrong? I just want to be able to administer the box like I would any other server I have. I'm going to try to set some settings in the Admin GPO opposite of what I have in the Domain Users GPO to see if that works, but I wanted to get other answers too. What do Link Enabled and Enforced do in a GPO? Thanks
Question by:ocontoco

Author Comment

by:ocontoco
ID: 33661438
One other side note: I did Block Inheritance on the OU and I have Loopback Enabled (Replace Mode) in the Computer GPO.

Accepted Solution

by: DrUltima (earned 125 total points)
ID: 33662248
Explanation of Linked versus Enforced:

A "link" means that a Group Policy object is directly connected and applied to an OU. You can link/"connect" a given Group Policy to many OUs by just creating a link. You don't have to create a Group Policy for every OU you want to have it apply to. So the link is just the "connection" between a GP and an OU.

"Enforced" means that settings in the Group Policy which is set to "Enforced" cannot be overwritten by other Group Policies. You remember, the policy application goes like L-S-D-OU-SubOU (Local, Site, Domain, OU, SubOUs), where "last writing policy wins the setting" applies. Enforce simply ensures that a policy, no matter where it is set, cannot get overwritten.

Source: http://www.mombu.com/microsoft/windows-group-policy/t-enforced-vs-link-enabled-778248.html

General information on managing GPO inheritance:

http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx

Overview of Loopback Processing:

http://technet.microsoft.com/en-us/library/cc782810%28WS.10%29.aspx

Honestly, without knowing what is in your GPOs, it would be hard to tell you why the Admin is not being enforced.  It may be better to use a security group to lock the "lock down" GPO to just that group and make sure your admin accounts are not a part of it (a process called "security filtering").  For information on how to lock a GPO to a security group, check these:

http://technet.microsoft.com/en-us/library/cc781988%28WS.10%29.aspx
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Cheers,

Justin
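The security filtering suggested in the accepted answer can be scripted. The following is an added example, not code from this thread: the GPO name and group name are hypothetical placeholders, and it assumes the GroupPolicy PowerShell module is available (it ships with GPMC on Windows Server 2008 R2 and later, or with RSAT on a management workstation).

```powershell
# Added example: scope the lockdown GPO to one security group so admin
# accounts are never in its scope. Names below are hypothetical placeholders.
Import-Module GroupPolicy

$LockdownGpo   = 'TS Domain Users Lockdown'  # hypothetical: the restrictive user-settings GPO
$RestrictGroup = 'TS-Restricted-Users'       # hypothetical: contains only non-admin TS users

# Stop immediately if the GPO name does not resolve.
$gpo = Get-GPO -Name $LockdownGpo -ErrorAction Stop

# 1. Downgrade Authenticated Users from Read+Apply to Read only.
#    -Replace is needed: without it, an existing higher permission is left as-is.
#    Read is kept (not removed) so the GPO can still be read during processing.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 2. Grant Read+Apply to the restricted group only.
Set-GPPermission -Guid $gpo.Id -TargetName $RestrictGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Verify: list every trustee that can still apply the GPO.
$appliers = Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -eq 'GpoApply' }

$appliers | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# 4. Flag anything other than the intended group that still has Apply rights.
$unexpected = $appliers | Where-Object { $_.Trustee.Name -ne $RestrictGroup }
if ($unexpected) {
    $names = ($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '
    Write-Warning "Lockdown GPO still applies to: $names"
}
```

After the change, log on to the Terminal Server as an admin account and run `gpresult /r` to confirm the lockdown GPO is listed as filtered out for that user; admin accounts must not be members of the restricted group, directly or through nesting.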



Author Comment

by:ocontoco
ID: 33662565
I actually got this working now.  I disabled all the settings in the Admin GPO that I enabled in the Users GPO and now I'm able to manage the server like I wanted. Thanks!

Expert Comment

by:DrUltima
ID: 33662616
That is a workable option, but honestly having competing GPOs really isn't your best answer.  I am glad you got it working, regardless.