Solved

Setting up a Windows 2008 64bit Terminal Services Server

Posted on 2010-09-13
Last Modified: 2013-11-21
We are creating a new VM 2008 64bit TS Server.  I created a new OU and 3 new GPOs.  The top GPO is Computer Policy (only Computer Settings are set by this GPO).  The 2nd GPO is Admin User Settings (this is set only for Domain Admins to administer the box - I have no settings set in this GPO as I want us to have full access to everything).  The 3rd GPO is for all Domain Users (this is the restricted GPO where I lock down the box for all Domain Users but only set User Settings, no Computer restrictions).  GPO precedence is Computer GPO, Admin GPO and then the Domain Users GPO.  The Computer and Domain Users GPOs are working but the Admin GPO is not working.

How do people typically administer the server?  Am I setting up something wrong?  I just want to be able to administer the box like I would any other server I have.  I'm going to try to set some settings in the Admin GPO opposite of what I have in the Domain Users GPO to see if that works, but I wanted to get other answers too.  What do Link Enabled and Enforce do in a GPO?  Thanks
Question by:ocontoco

Author Comment

by:ocontoco
ID: 33661438
One other side note: I did Block Inheritance on the OU and I have Loopback Enabled (Replace Mode) in the Computer GPO.

Accepted Solution

by: Justin Owens earned 125 total points
ID: 33662248
Explanation of Linked versus Enforced:

A "link" means that a Group Policy object is directly connected and applied to an OU. You can link/"connect" a given Group Policy to many OUs by just creating a link. You don't have to create a Group Policy for every OU you want to have it apply to. So the link is just the "connection" between a GP and an OU.

"Enforced" means that settings in the Group Policy which is set to "Enforced" cannot be overwritten by other Group Policies. You remember, the policy application goes like L-S-D-OU-SubOU (Local, Site, Domain, OU, SubOUs), where "last writing policy wins the setting" applies.  Enforce simply ensures that a policy, no matter where it is set, cannot get overwritten.

Source: http://www.mombu.com/microsoft/windows-group-policy/t-enforced-vs-link-enabled-778248.html

General information on managing GPO inheritance:

http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx

Overview of Loopback Processing:

http://technet.microsoft.com/en-us/library/cc782810%28WS.10%29.aspx

Honestly, without knowing what is in your GPOs, it would be hard to tell you why the Admin is not being enforced.  It may be better to use a security group to lock the "lock down" GPO to just that group and make sure your admin accounts are not a part of it (a process called "security filtering").  For information on how to lock a GPO to a security group, check these:

http://technet.microsoft.com/en-us/library/cc781988%28WS.10%29.aspx
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Cheers,

Justin
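
The security filtering suggested in the accepted answer, as an added PowerShell example that is not part of the original thread. The GPO name and the restricted group name are hypothetical placeholders, and it assumes a management machine with the GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT or later).

```powershell
# Added example: scope the lock-down GPO to one security group so that
# admin accounts never receive it. Names below are assumptions; replace them.
$GpoName         = 'TS Domain Users Lockdown'   # hypothetical GPO name
$RestrictedGroup = 'TS Restricted Users'        # hypothetical security group
$AdminGroup      = 'Domain Admins'

Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Authenticated Users keeps Read but loses Apply. -Replace is needed,
#    otherwise an existing higher level (GpoApply) is left unchanged.
#    Read stays so computer accounts can still read the GPO, which user
#    policy processing requires on systems patched with MS16-072.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 2. Only the restricted group gets Read + Apply group policy.
Set-GPPermission -Name $GpoName -TargetName $RestrictedGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Show the resulting security filter for review.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission |
    Format-Table -AutoSize

# 4. An admin who is also in the restricted group (directly or through
#    nesting) would still be locked down, so check for overlap by SID.
$restrictedSids = @(Get-ADGroupMember -Identity $RestrictedGroup -Recursive |
    ForEach-Object { $_.SID.Value })
$overlap = @(Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $restrictedSids -contains $_.SID.Value })

if ($overlap.Count -gt 0) {
    Write-Warning "These admin accounts will still receive '$GpoName':"
    $overlap | ForEach-Object { Write-Warning "  $($_.SamAccountName)" }
} else {
    Write-Output "No $AdminGroup member is in '$RestrictedGroup'."
}
```

With loopback in Replace mode the GPO stays linked to the terminal server's OU; the filter is evaluated against the user who logs on, so no competing Admin GPO is needed.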



Author Comment

by:ocontoco
ID: 33662565
I actually got this working now.  I disabled all the settings in the Admin GPO that I enabled in the Users GPO and now I'm able to manage the server like I wanted. Thanks!

Expert Comment

by:Justin Owens
ID: 33662616
That is a workable option, but honestly having competing GPOs really isn't your best answer.  I am glad you got it working, regardless.