Solved

GPO Policy creation under 2008R2

Posted on 2010-11-30
537 Views
Last Modified: 2012-05-10
Good Day,

Here is my problem.

We upgraded from w2k Domain to a 2008r2 domain, I got my 2008 TS server running and so far so good, I would like to start on a policy to lock certain parts of the TS server out from the users.

When I go into AD and choose Users and Computers and make a new OU for this group I cannot see the Policy tab as we had in W2K. After searching around I cannot find the correct info I need to start this.

can anyone get me started on this?
Question by:BMI-IT
Expert Comment

by:tstritof
ID: 34239150
Try using the Administrative Tools > Group Policy Management.

Regards,
Tomislav
Expert Comment

by:tstritof
ID: 34239184
Also, take some time exploring the options in GP editor, since you'll find many new options especially when Terminal Services (or Remote Desktop Services as they are named in R2) are concerned.
Author Comment

by:BMI-IT
ID: 34239546
OK thanks, I created an OU called TS Users. I'm guessing I launch the GP Manager on the domain controller and create the new policy under the domain, then assign it to the TS Users OU I created?

Thanks
Expert Comment

by:tstritof
ID: 34239677
Are these users your normal domain users or do they only log on to terminal server?

Regards,
Tomislav
Expert Comment

by:tstritof
ID: 34239702
BTW, to answer the question: you create GPOs independently in GP Management and then link them to the OUs you want. You can even link them to the domain itself.

Note however that it's the terminal server (as far as I understood) not the user you want to link this setting to - am I right?
Author Comment

by:BMI-IT
ID: 34239804
We have both types of users, some in the office and others in a remote location. The office users log in to TS when traveling; the remote location users are in another facility but use the TS.

I'm looking to lock out the control panel, admin tool and other system apps from the users when they login to the TS server. So far I am having zero success, was a lot easier under W2K :)
Expert Comment

by:tstritof
ID: 34240022
OK, this is how it's done:

1) Create an OU and call it "Terminal Servers" (or some other descriptive name)
2) Place your terminal server in that OU through AD
3) In GP Management create a new GPO and call it something like "TS User Access Lockdown" (do not modify existing GPOs)
4) Disable processing of computer rules for that GPO (this is only user policy)
5) Link the "TS User Access Lockdown" policy to the "Terminal Servers" OU
6) Edit the "TS User Access Lockdown" GPO and set all user settings you need that should be applied to users logging onto the terminal server
7) Create another new GPO and call it something like "Terminal Servers"
8) Disable processing of user rules for that GPO (this is only computer policy)
9) Link the "Terminal Servers" policy to the "Terminal Servers" OU
10) Edit the "Terminal Servers" GPO and set any RDP related settings you need (device mapping...)
11) In this GPO ("Terminal Servers") enable loopback policy processing. This ensures that any normal GP rules applied to users are overridden by user rules in GPOs linked to the "Terminal Servers" OU

To enable loopback processing enable the User Group Policy loopback processing mode policy and set it to Replace for the "Terminal Servers" GPO. This policy is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy container.

Regards,
Tomislav
Expert Comment

by:tstritof
ID: 34240057
Of course, before you can test if policies are applied you'll have to log on to the RD server as administrator and run gpupdate /force in a command prompt (or restart the server, but the first option is less painful).

Regards,
Tomislav
Author Comment

by:BMI-IT
ID: 34240516
OK, that's great! I followed it to the letter and so far so good. However, I blocked the Control Panel for the users but it's also blocking it for the admin account.
Accepted Solution

by:tstritof (earned 50 total points)
ID: 34240671
Modify the "Security Filtering" for the "TS User Access Lockdown" GPO.

1) Go to AD Users and Computers
2) Create a custom security group in AD called "Terminal Servers"
3) Create a custom security group in AD called "TS Users"
4) Assign your RDS the membership in the "Terminal Servers" security group
5) Assign your remote users (or groups of users) that should be locked down to the "TS Users" security group
6) Go to GP Management
7) Click the GPO "TS User Access Lockdown"
8) In Security Filtering remove "Authenticated Users" and add "Terminal Servers" and "TS Users"

Rerun gpupdate /force on your RD server. Your admin should be OK if he isn't linked in some way to the "TS Users" security group.

And BTW, please start off with a more generous point budget next time :)

Regards,
Tomislav

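The two procedures above (the OU/GPO/loopback setup from the earlier comment and the security-filtering fix in the accepted solution), as an added PowerShell example that is not from the thread. It assumes the GroupPolicy and ActiveDirectory modules (RSAT on a 2008 R2 or later DC); the domain DN, server name, user group and test user are placeholders.

```powershell
# Added example, not from the thread: the walkthrough and security-filtering fix as PowerShell.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT on a 2008 R2 DC or later).
# Domain, server and user-group names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example'      # placeholder domain
$tsServer = 'TS01'                    # placeholder RD Session Host computer name
$ouDN     = "OU=Terminal Servers,$domainDN"

# Steps 1-2: OU for the terminal server(s), move the server into it
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDN
Get-ADComputer $tsServer | Move-ADObject -TargetPath $ouDN

# Security groups for filtering (accepted solution, steps 2-5)
New-ADGroup -Name 'Terminal Servers' -GroupScope Global -GroupCategory Security -Path $ouDN
New-ADGroup -Name 'TS Users' -GroupScope Global -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'Terminal Servers' -Members (Get-ADComputer $tsServer)
Add-ADGroupMember -Identity 'TS Users' -Members 'Remote Office Staff'   # placeholder group

# Steps 3-6: user-only lockdown GPO linked to the OU, with one example user setting
$userGpo = New-GPO -Name 'TS User Access Lockdown'
$userGpo.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $userGpo.DisplayName -Target $ouDN | Out-Null
# "Prohibit access to Control Panel" (User Configuration > Administrative Templates > Control Panel)
Set-GPRegistryValue -Name $userGpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Steps 7-11: computer-only GPO with loopback processing set to Replace
$compGpo = New-GPO -Name 'Terminal Servers'
$compGpo.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $compGpo.DisplayName -Target $ouDN | Out-Null
# "User Group Policy loopback processing mode": UserPolicyMode 2 = Replace, 1 = Merge
Set-GPRegistryValue -Name $compGpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Security filtering on the lockdown GPO: remove Authenticated Users, apply only to the
# servers and the locked-down users, so admins outside "TS Users" keep Control Panel
Set-GPPermission -Name $userGpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName 'Terminal Servers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName 'TS Users' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# After 'gpupdate /force' on the server, check which GPOs a test user actually received
Get-GPResultantSetOfPolicy -Computer $tsServer -User 'corp\testuser' -ReportType Html -Path "$env:TEMP\rsop.html"
```

On domain controllers patched for MS16-072 (June 2016 and later), a GPO's user settings are read using the computer account, so after removing Authenticated Users also grant Domain Computers (or the "Terminal Servers" group) at least GpoRead on the lockdown GPO or its user settings will silently stop applying.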

Author Comment

by:BMI-IT
ID: 34241222
tstritof,

Thank you so much for your help. I too wish I had assigned more points, but I wasn't expecting such a detailed walkthrough.

thank you again
Expert Comment

by:tstritof
ID: 34241947
No problem and good luck!