Solved

GPO Policy creation under 2008R2

Posted on 2010-11-30
12
541 Views
Last Modified: 2012-05-10
Good Day,

Here is my problem.

We upgraded from a W2K domain to a 2008 R2 domain. I got my 2008 TS server running and so far so good. I would like to start on a policy to lock certain parts of the TS server out from the users.

When I go into AD and choose Users and Computers and make a new OU for this group, I cannot see the Policy tab as we had in W2K. After searching around I cannot find the correct info I need to start this.

Can anyone get me started on this?
0
Comment
Question by:BMI-IT
12 Comments
 
LVL 7

Expert Comment

by:tstritof
ID: 34239150
Try using the Administrative Tools > Group Policy Management.

Regards,
Tomislav
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34239184
Also, take some time exploring the options in GP editor, since you'll find many new options especially when Terminal Services (or Remote Desktop Services as they are named in R2) are concerned.
0
 

Author Comment

by:BMI-IT
ID: 34239546
OK thanks, I created an OU called TS Users. I'm guessing I launch the GP Manager on the domain controller and create the new policy under the domain, then assign it to the TS Users OU I created?

Thanks
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34239677
Are these users your normal domain users or do they only log on to terminal server?

Regards,
Tomislav
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34239702
BTW, to answer the question: you create GPOs independently in GP Management and then link them to the OUs you want. You can even link one to the domain itself.

Note however that it's the terminal server (as far as I understood), not the user, that you want to link this setting to - am I right?
0
 

Author Comment

by:BMI-IT
ID: 34239804
We have both types of users, some in the office and others in a remote location. The office users log in to TS when traveling; the remote location users are in another facility but use the TS.

I'm looking to lock out the Control Panel, admin tools and other system apps from the users when they log in to the TS server. So far I am having zero success; it was a lot easier under W2K :)
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34240022
OK, this is how it's done:

1) Create an OU and call it "Terminal Servers" (or some other descriptive name)
2) Place your terminal server in that OU through AD
3) In GP management create a new GPO and call it something like "TS User Access Lockdown" (do not modify existing GPOs)
4) Disable processing of computer rules for that GPO (this is only user policy)
5) Link the "TS User Access Lockdown" policy to the "Terminal Servers" OU
6) Edit the "TS User Access Lockdown" GPO and set all user settings you need that should be applied to users logging onto terminal server
7) Create another new GPO and call it something like "Terminal Servers"
8) Disable processing of user rules for that GPO (this is only computer policy)
9) Link the "Terminal Servers" policy to the "Terminal Servers" OU
10) Edit the "Terminal Servers" GPO and set any RDP related settings you need (device mapping...)
11) In this GPO ("Terminal Servers") enable loopback policy processing. This ensures that any normal GP rules applied to users are overridden by user rules in GPOs linked to the "Terminal Servers" OU

To enable loopback processing enable the User Group Policy loopback processing mode policy and set it to Replace for the "Terminal Servers" GPO. This policy is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy container.

Regards,
Tomislav
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34240057
Of course, before you can test if policies are applied you'll have to log on to the RD server as administrator and run gpupdate /force in a command prompt (or restart the server, but the first option is less painful).

Regards,
Tomislav
0
 

Author Comment

by:BMI-IT
ID: 34240516
OK, that's great! I followed it to the letter and so far so good. However, I blocked the Control Panel for the users but it's also blocking for the admin account.
0
 
LVL 7

Accepted Solution

by:
tstritof earned 50 total points
ID: 34240671
Modify "Security Filter" for "TS User Access Lockdown" GPO.

1) Go to AD Users and Computers
2) Create custom security group in AD "Terminal Servers"
3) Create custom security group in AD "TS Users"
4) Assign your RDS the membership in the "Terminal Servers" security group
5) Assign your remote users (or groups of users) that should be locked down to "TS Users" security group
6) Go to GP management
7) Click the GPO "TS User Access Lockdown"
8) In Security Filtering remove "Authenticated users" and add "Terminal Servers" and "TS Users"

Rerun gpupdate /force on your RD server. Your admin should be OK if he isn't linked in some way to the "TS Users" security group.

And BTW, please start off with a more generous point budget next time :)

Regards,
Tomislav

0
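The two-GPO loopback lockdown from the 11-step comment above, plus the security filtering from the accepted solution, scripted with the GroupPolicy and ActiveDirectory modules that ship with RSAT on Server 2008 R2. This is an added example, not code from the thread; the OU, GPO and group names are the thread's, while the RDS host name TS01 and the lockdown settings chosen (Control Panel, drive redirection) are assumptions. Unlike step 8 of the accepted solution, it downgrades Authenticated Users to Read rather than removing it, because later updates (MS16-072) require the computer account to retain Read on every GPO for it to process.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example (assumed)
$tsServer = "TS01"                              # assumed RDS host name
$ouName   = "Terminal Servers"

# Steps 1-2: OU for the terminal server(s); move the RDS computer object into it
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru
Get-ADComputer $tsServer | Move-ADObject -TargetPath $ou.DistinguishedName

# Accepted solution steps 2-5: security groups used for filtering
New-ADGroup -Name "Terminal Servers" -GroupScope Global -Path $domainDN
New-ADGroup -Name "TS Users"         -GroupScope Global -Path $domainDN
Add-ADGroupMember -Identity "Terminal Servers" -Members (Get-ADComputer $tsServer)
# Add the users/groups that should be locked down, e.g.:
# Add-ADGroupMember -Identity "TS Users" -Members "Remote Office Users"

# Steps 3-6: user-only GPO holding the lockdown settings, linked to the OU.
# "Prohibit access to Control Panel" (User Configuration) is backed by NoControlPanel.
$userGpo = New-GPO -Name "TS User Access Lockdown"
$userGpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::ComputerSettingsDisabled
Set-GPRegistryValue -Name $userGpo.DisplayName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null
New-GPLink -Name $userGpo.DisplayName -Target $ou.DistinguishedName | Out-Null

# Steps 7-11: computer-only GPO with RDP settings and loopback processing.
# UserPolicyMode 2 = Replace, 1 = Merge ("User Group Policy loopback processing mode").
$compGpo = New-GPO -Name "Terminal Servers"
$compGpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
Set-GPRegistryValue -Name $compGpo.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null
# Example of a step-10 RDP setting: "Do not allow drive redirection"
Set-GPRegistryValue -Name $compGpo.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" `
    -ValueName "fDisableCdm" -Type DWord -Value 1 | Out-Null
New-GPLink -Name $compGpo.DisplayName -Target $ou.DistinguishedName | Out-Null

# Accepted solution steps 6-8: security filtering on the lockdown GPO.
# Only principals with Apply get it: the RDS computer (Terminal Servers) and TS Users.
Set-GPPermission -Name $userGpo.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName "Terminal Servers" `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName "TS Users" `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify on the RD server: gpupdate /force, then gpresult /r /scope:user as a
# TS Users member (lockdown listed) and as the admin (not listed).
```

Because loopback is Replace mode, a user's normal GPOs are ignored on TS01 and only user settings from GPOs the computer can apply take effect, which is why the computer account needs Apply on the lockdown GPO as well as the user.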
 

Author Comment

by:BMI-IT
ID: 34241222
tstritof,

Thank you so much for your help. I too wish I had assigned more points, but I wasn't expecting such a detailed walkthrough.

thank you again
0
 
LVL 7

Expert Comment

by:tstritof
ID: 34241947
No problem and good luck!
0
