Solved

Setting up a Windows 2008 64bit Terminal Services Server

Posted on 2010-09-13
4
343 Views
Last Modified: 2013-11-21
We are creating a newVM 2008 64bit TS Server.  I create a new OU and 3 new GPO's.  Top GPO Computer Policy (Only Computer Settings set by this GPO) 2nd GPO is Admin User Settings (This is set for only for Domain Admins to administrat the box - I have no settings set in this GPO as I want us to have full access to everything) 3rd GPO is for all Domain Users (The is the restrict GPO were I lock down the box for all Domain Users but only set User Settings no Computer restrictions).  GPO Precedence is Computer GPO, Admin GPO & then the Domain Users GPO.  The Computer and Domain Users GPO are working but the Admin GPO is not working.  How do people typically administor the Server?  Am I setting up something wrong. I just want to be able to administor the box like I would any other server I have.  I'm going to try to set some setting in the Admin GPO opposite of what I have in the Domain Users GPO to see if I that works but I wanted to get other answers too.  What does Linked Enable and Enforce do in a GPO?  Thanks
0
Comment
Question by:ocontoco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 

Author Comment

by:ocontoco
ID: 33661438
One other site note I did Block Inheritance on the OU and I have Loopback Enabled (Replace Mode) in the Computer GPO.  
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 125 total points
ID: 33662248
Explanation of Linked verses Enforced:

A "link" means that a Group Policy object is directly connected and applied to a OU. You can link/"connect" a given Group Policy to many OUs by just creating a link. You don't have to create a Group Policy for every OU you want to have it apply to. So the link is just the "connection" between a GP and a OU.
 
 "Enforced" means that settings in the Group Policy which is set to "Enforced" cannot be overwritten by other Group Policies. You remember, the policy application goes like L-S-D-OU-SubOU, (Local, Site, Domain, OU, SubOUs), where "last writing policy wins the setting" applies.  Enforce simply ensures that a policy, no matter where it is set, cannot get overwritten.

Source: http://www.mombu.com/microsoft/windows-group-policy/t-enforced-vs-link-enabled-778248.html
General information on managing GPO inheritance:

http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx

Overview of Loopback Processing:

http://technet.microsoft.com/en-us/library/cc782810%28WS.10%29.aspx

Honestly, without knowing what is in your GPOs, it would be hard to tell you why the Admin is not being enforced.  It may be better to use a security group to lock the "lock down" GPO to just that group and make sure your admin accounts are not a part of it (a process called "security filtering").  For information on how to lock a GPO to a security group, check these:

http://technet.microsoft.com/en-us/library/cc781988%28WS.10%29.aspx
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Cheers,

Justin


0
 

Author Comment

by:ocontoco
ID: 33662565
I actually got this working now.  I disabled all the settings in the Admin GPO that I enabled in the Users GPO and now I'm able to manage the server lIke I wanted. Thanks!
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 33662616
That is a workable option, but honestly having competing GPOs really isn't your best answer.  I am glad you got it working, regardless.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Know what services you can and cannot, should and should not combine on your server.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question