Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 355
  • Last Modified:

Setting up a Windows 2008 64bit Terminal Services Server

We are creating a newVM 2008 64bit TS Server.  I create a new OU and 3 new GPO's.  Top GPO Computer Policy (Only Computer Settings set by this GPO) 2nd GPO is Admin User Settings (This is set for only for Domain Admins to administrat the box - I have no settings set in this GPO as I want us to have full access to everything) 3rd GPO is for all Domain Users (The is the restrict GPO were I lock down the box for all Domain Users but only set User Settings no Computer restrictions).  GPO Precedence is Computer GPO, Admin GPO & then the Domain Users GPO.  The Computer and Domain Users GPO are working but the Admin GPO is not working.  How do people typically administor the Server?  Am I setting up something wrong. I just want to be able to administor the box like I would any other server I have.  I'm going to try to set some setting in the Admin GPO opposite of what I have in the Domain Users GPO to see if I that works but I wanted to get other answers too.  What does Linked Enable and Enforce do in a GPO?  Thanks
0
ocontoco
Asked:
ocontoco
  • 2
  • 2
1 Solution
 
ocontocoAuthor Commented:
One other site note I did Block Inheritance on the OU and I have Loopback Enabled (Replace Mode) in the Computer GPO.  
0
 
Justin OwensITIL Problem ManagerCommented:
Explanation of Linked verses Enforced:

A "link" means that a Group Policy object is directly connected and applied to a OU. You can link/"connect" a given Group Policy to many OUs by just creating a link. You don't have to create a Group Policy for every OU you want to have it apply to. So the link is just the "connection" between a GP and a OU.
 
 "Enforced" means that settings in the Group Policy which is set to "Enforced" cannot be overwritten by other Group Policies. You remember, the policy application goes like L-S-D-OU-SubOU, (Local, Site, Domain, OU, SubOUs), where "last writing policy wins the setting" applies.  Enforce simply ensures that a policy, no matter where it is set, cannot get overwritten.

Source: http://www.mombu.com/microsoft/windows-group-policy/t-enforced-vs-link-enabled-778248.html
General information on managing GPO inheritance:

http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx

Overview of Loopback Processing:

http://technet.microsoft.com/en-us/library/cc782810%28WS.10%29.aspx

Honestly, without knowing what is in your GPOs, it would be hard to tell you why the Admin is not being enforced.  It may be better to use a security group to lock the "lock down" GPO to just that group and make sure your admin accounts are not a part of it (a process called "security filtering").  For information on how to lock a GPO to a security group, check these:

http://technet.microsoft.com/en-us/library/cc781988%28WS.10%29.aspx
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

Cheers,

Justin


0
 
ocontocoAuthor Commented:
I actually got this working now.  I disabled all the settings in the Admin GPO that I enabled in the Users GPO and now I'm able to manage the server lIke I wanted. Thanks!
0
 
Justin OwensITIL Problem ManagerCommented:
That is a workable option, but honestly having competing GPOs really isn't your best answer.  I am glad you got it working, regardless.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now