Solved

GPO Policy creation under 2008R2

Posted on 2010-11-30
Last Modified: 2012-05-10
Good Day,

Here is my problem.

We upgraded from a W2K domain to a 2008 R2 domain. I got my 2008 TS server running and so far so good. I would like to start on a policy to lock the users out of certain parts of the TS server.

When I go into AD Users and Computers and make a new OU for this group, I cannot see the Policy tab as we had in W2K. After searching around I cannot find the correct info I need to start this.

Can anyone get me started on this?
Question by:BMI-IT
 
LVL 7

Expert Comment

by:tstritof
ID: 34239150
Try using the Administrative Tools > Group Policy Management.

Regards,
Tomislav
 
LVL 7

Expert Comment

by:tstritof
ID: 34239184
Also, take some time exploring the options in the GP editor, since you'll find many new options, especially where Terminal Services (or Remote Desktop Services, as they are named in R2) are concerned.
 

Author Comment

by:BMI-IT
ID: 34239546
OK, thanks. I created an OU called TS Users. I'm guessing I launch the GP Manager on the domain controller, create the new policy under the domain, then assign it to the TS Users OU I created?

Thanks
 
LVL 7

Expert Comment

by:tstritof
ID: 34239677
Are these users your normal domain users or do they only log on to terminal server?

Regards,
Tomislav
 
LVL 7

Expert Comment

by:tstritof
ID: 34239702
BTW, to answer the question: you create GPOs independently in GP Management and then link them to the OUs you want. You can even link them to the domain itself.

Note, however, that it's the terminal server (as far as I understood), not the user, that you want to link this setting to. Am I right?
 

Author Comment

by:BMI-IT
ID: 34239804
We have both types of users, some in the office and others in a remote location. The office users log in to TS when traveling; the remote-location users are in another facility but use the TS.

I'm looking to lock the users out of the Control Panel, admin tools and other system apps when they log in to the TS server. So far I am having zero success; it was a lot easier under W2K :)
 
LVL 7

Expert Comment

by:tstritof
ID: 34240022
OK, This is how it's done:

1) Create an OU and call it "Terminal Servers" (or some other descriptive name)
2) Place your terminal server in that OU through AD
3) In GP Management create a new GPO and call it something like "TS User Access Lockdown" (do not modify existing GPOs)
4) Disable processing of computer rules for that GPO (this is only user policy)
5) Link the "TS User Access Lockdown" policy to the "Terminal Servers" OU
6) Edit the "TS User Access Lockdown" GPO and set all user settings you need that should be applied to users logging onto the terminal server
7) Create another new GPO and call it something like "Terminal Servers"
8) Disable processing of user rules for that GPO (this is only computer policy)
9) Link the "Terminal Servers" policy to the "Terminal Servers" OU
10) Edit the "Terminal Servers" GPO and set any RDP-related settings you need (device mapping...)
11) In this GPO ("Terminal Servers") enable loopback policy processing. This ensures that any normal GP rules applied to users are overridden by user rules in GPOs linked to the "Terminal Servers" OU

To enable loopback processing enable the User Group Policy loopback processing mode policy and set it to Replace for the "Terminal Servers" GPO. This policy is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy container.

Regards,
Tomislav
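The eleven steps above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules that ship with Windows Server 2008 R2 (RSAT). This is an added example, not code from the thread or from Microsoft; the domain name corp.example.com and the server name TS01 are assumptions, the OU and GPO names are the ones used in the answer. Run it in an elevated PowerShell session on a domain controller (or a host with RSAT) as a user who can create OUs and GPOs.

```powershell
# Added example: OU + two GPOs + loopback (Replace) as described in the thread.
# Assumed values (change before running): domain corp.example.com, RDS host TS01.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = 'DC=corp,DC=example,DC=com'   # assumption
$ServerName = 'TS01'                        # assumption
$OuName     = 'Terminal Servers'
$OuDN       = "OU=$OuName,$DomainDN"
$UserGpo    = 'TS User Access Lockdown'     # user settings only
$CompGpo    = 'Terminal Servers'            # computer settings only, carries loopback

# Steps 1-2: OU for the RDS host(s) and move the computer object into it.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existing) { New-ADOrganizationalUnit -Name $OuName -Path $DomainDN }
Get-ADComputer -Identity $ServerName | Move-ADObject -TargetPath $OuDN

# Steps 3-6: user-lockdown GPO, computer side disabled, linked to the OU.
$u = New-GPO -Name $UserGpo -Comment 'User settings applied to RDS sessions via loopback'
$u.GpoStatus = 'ComputerSettingsDisabled'          # step 4
New-GPLink -Name $UserGpo -Target $OuDN -LinkEnabled Yes | Out-Null
# Step 6, one representative setting: User Configuration > Administrative Templates >
# Control Panel > "Prohibit access to Control Panel and PC settings" (NoControlPanel=1).
Set-GPRegistryValue -Name $UserGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Steps 7-11: computer GPO, user side disabled, linked to the OU, loopback = Replace.
$c = New-GPO -Name $CompGpo -Comment 'Computer settings for RDS hosts (loopback Replace)'
$c.GpoStatus = 'UserSettingsDisabled'              # step 8
New-GPLink -Name $CompGpo -Target $OuDN -LinkEnabled Yes | Out-Null
# Computer Configuration > Policies > Administrative Templates > System > Group Policy >
# "User Group Policy loopback processing mode": UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $CompGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Check the result without logging on to the server: loopback mode and both links.
function Test-RdsLoopbackSetup {
    param(
        [string]$ComputerGpo = $CompGpo,
        [string]$UserGpoName = $UserGpo,
        [string]$Target      = $OuDN
    )
    $mode  = (Get-GPRegistryValue -Name $ComputerGpo `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode').Value
    $links = (Get-GPInheritance -Target $Target).GpoLinks | ForEach-Object { $_.DisplayName }
    [pscustomobject]@{
        LoopbackReplace   = ($mode -eq 2)
        UserGpoLinked     = ($links -contains $UserGpoName)
        ComputerGpoLinked = ($links -contains $ComputerGpo)
    }
}

Test-RdsLoopbackSetup
```

Once all three fields come back True, log on to the RDS host, run gpupdate /force, then gpresult /r /scope:user as a test user: "TS User Access Lockdown" should be listed under the applied user GPOs even though the user's own OU has no link to it, which is exactly what loopback Replace does. Note that Replace also drops every user GPO linked along the user's own OU path, so anything those GPOs provided (drive mappings, folder redirection) must be re-added to a GPO linked at the Terminal Servers OU.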
 
LVL 7

Expert Comment

by:tstritof
ID: 34240057
Of course, before you can test whether the policies are applied you'll have to log on to the RD server as administrator and run gpupdate /force in a command prompt (or restart the server, but the first option is less painful).

Regards,
Tomislav
 

Author Comment

by:BMI-IT
ID: 34240516
OK, that's great! I followed it to the letter and so far so good. However, I blocked the Control Panel for the users, but it's also blocking it for the admin account.
 
LVL 7

Accepted Solution

by:tstritof (earned 50 total points)
ID: 34240671
Modify the "Security Filtering" for the "TS User Access Lockdown" GPO.

1) Go to AD Users and Computers
2) Create a custom security group in AD called "Terminal Servers"
3) Create a custom security group in AD called "TS Users"
4) Add your RDS to the "Terminal Servers" security group
5) Add your remote users (or groups of users) that should be locked down to the "TS Users" security group
6) Go to GP Management
7) Click the GPO "TS User Access Lockdown"
8) In Security Filtering remove "Authenticated Users" and add "Terminal Servers" and "TS Users"

Rerun gpupdate /force on your RD server. Your admin should be OK if he isn't in some way a member of the "TS Users" security group.

And BTW, please start off with a more generous point budget next time :)

Regards,
Tomislav

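The security-filtering steps of the accepted answer, scripted, plus a check that answers the question the author actually had ("will my admin account still get this GPO?") by resolving nested group membership. This is an added example, not code from the thread; it assumes the "TS User Access Lockdown" GPO already exists, a domain corp.example.com, an RDS host TS01, and placeholder user names jdoe and asmith.

```powershell
# Added example: security filtering for the lockdown GPO (steps 1-8 above).
# Assumptions: domain corp.example.com, RDS host TS01, users jdoe/asmith are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=corp,DC=example,DC=com'   # assumption
$Gpo      = 'TS User Access Lockdown'

# Steps 2-5: the two security groups, host in one, locked-down users in the other.
foreach ($g in 'Terminal Servers', 'TS Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$DomainDN"
    }
}
Add-ADGroupMember -Identity 'Terminal Servers' -Members (Get-ADComputer -Identity 'TS01')
Add-ADGroupMember -Identity 'TS Users'         -Members 'jdoe', 'asmith'   # placeholders

# Steps 6-8: drop Authenticated Users from the filter, grant Apply to the two groups.
# -Replace is required to lower an existing permission level; without it the cmdlet
# only ever raises it. Keeping "Terminal Servers" in the filter is what lets the
# computer account read the GPO, which matters for user settings under loopback
# (and is mandatory on domains patched with MS16-072, June 2016).
Set-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $Gpo -TargetName 'Terminal Servers'    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $Gpo -TargetName 'TS Users'            -TargetType Group -PermissionLevel GpoApply | Out-Null

# Will a given account receive the GPO? The filter is evaluated against the account's
# full token, so nested membership counts. LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
# asks the DC for every group the user is in, directly or transitively.
function Test-GpoAppliesToUser {
    param(
        [string]$GpoName  = $Gpo,
        [string]$UserName = 'Administrator'
    )
    $user   = Get-ADUser -Identity $UserName
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
              ForEach-Object { $_.Name }
    $groups += 'Authenticated Users', 'Domain Users'   # every domain account holds these in its token
    $applyTo = Get-GPPermission -Name $GpoName -All |
               Where-Object { $_.Permission -eq 'GpoApply' } |
               ForEach-Object { $_.Trustee.Name -replace '^.*\\', '' }
    $hits = @($groups | Where-Object { $applyTo -contains $_ })
    [pscustomobject]@{
        User        = $user.SamAccountName
        ApplyTo     = $applyTo
        MatchedVia  = $hits
        WillReceive = ($hits.Count -gt 0)
    }
}

Test-GpoAppliesToUser -UserName 'Administrator'   # expect WillReceive = False
Test-GpoAppliesToUser -UserName 'jdoe'            # expect WillReceive = True
```

If WillReceive comes back True for the administrator, MatchedVia names the group that pulls the account in (typically "TS Users" was populated with "Domain Users" rather than the intended user groups). On the host itself, gpresult /r /scope:user for the admin account should then show the GPO under "filtered out (Security)" after gpupdate /force.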
 

Author Comment

by:BMI-IT
ID: 34241222
tstritof,

Thank you so much for your help. I too wish I had assigned more points, but I wasn't expecting such a detailed walkthrough.

Thank you again.
 
LVL 7

Expert Comment

by:tstritof
ID: 34241947
No problem and good luck!
