Solved

GPO Policy creation under 2008R2

Posted on 2010-11-30
Last Modified: 2012-05-10
Good Day,

Here is my problem.

We upgraded from a W2K domain to a 2008 R2 domain. I got my 2008 TS server running, and so far so good. I would like to start on a policy to lock the users out of certain parts of the TS server.

When I go into AD Users and Computers and make a new OU for this group, I cannot see the Policy tab as we had in W2K. After searching around I cannot find the correct info I need to start this.

Can anyone get me started on this?
Question by:BMI-IT
12 Comments
LVL 7

Expert Comment

by:tstritof
ID: 34239150
Try using the Administrative Tools > Group Policy Management.

Regards,
Tomislav
LVL 7

Expert Comment

by:tstritof
ID: 34239184
Also, take some time exploring the options in GP editor, since you'll find many new options especially when Terminal Services (or Remote Desktop Services as they are named in R2) are concerned.

Author Comment

by:BMI-IT
ID: 34239546
OK, thanks. I created an OU called TS Users. I'm guessing I launch the GP Manager on the domain controller and create the new policy under the domain, then assign it to the TS Users OU I created?

Thanks
LVL 7

Expert Comment

by:tstritof
ID: 34239677
Are these users your normal domain users or do they only log on to terminal server?

Regards,
Tomislav
LVL 7

Expert Comment

by:tstritof
ID: 34239702
BTW, to answer the question: you create GPOs independently in GP Management and then link them to the OUs you want. You can even link them to the domain itself.

Note however that it's the terminal server (as far as I understood) not the user you want to link this setting to - am I right?

Author Comment

by:BMI-IT
ID: 34239804
We have both types of users, some in the office and others in a remote location. The office users log in to TS when traveling; the remote-location users are in another facility but use the TS.

I'm looking to lock out the Control Panel, admin tools and other system apps from the users when they log in to the TS server. So far I am having zero success; it was a lot easier under W2K :)
LVL 7

Expert Comment

by:tstritof
ID: 34240022
OK, this is how it's done:

1) Create an OU and call it "Terminal Servers" (or some other descriptive name)
2) Place your terminal server in that OU through AD
3) In GP management create a new GPO and call it something like "TS User Access Lockdown" (do not modify existing GPOs)
4) Disable processing of computer rules for that GPO (this is only user policy)
5) Link the "TS User Access Lockdown" policy to the "Terminal Servers" OU
6) Edit the "TS User Access Lockdown" GPO and set all user settings you need that should be applied to users logging onto terminal server
7) Create another new GPO and call it something like "Terminal Servers"
8) Disable processing of user rules for that GPO (this is only computer policy)
9) Link the "Terminal Servers" policy to the "Terminal Servers" OU
10) Edit the "Terminal Servers" GPO and set any RDP related settings you need (device mapping...)
11) In this GPO ("Terminal Servers") enable loopback policy processing. This ensures that any normal GP rules applied to users are overridden by user rules in GPOs linked to the "Terminal Servers" OU

To enable loopback processing enable the User Group Policy loopback processing mode policy and set it to Replace for the "Terminal Servers" GPO. This policy is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy container.

Regards,
Tomislav
LVL 7

Expert Comment

by:tstritof
ID: 34240057
Of course, before you can test if policies are applied you'll have to log on to the RD server as administrator and run gpupdate /force in a command prompt (or restart the server, but the first option is less painful).

Regards,
Tomislav

Author Comment

by:BMI-IT
ID: 34240516
OK, that's great! I followed it to the letter and so far so good. However, I blocked the Control Panel for the users, but it's also blocking it for the admin account.
LVL 7

Accepted Solution

by:
tstritof earned 200 total points
ID: 34240671
Modify "Security Filter" for "TS User Access Lockdown" GPO.

1) Go to AD Users and Computers
2) Create custom security group in AD "Terminal Servers"
3) Create custom security group in AD "TS Users"
4) Assign your RDS the membership in the "Terminal Servers" security group
5) Assign your remote users (or groups of users) that should be locked down to "TS Users" security group
6) Go to GP management
7) Click the GPO "TS User Access Lockdown"
8) In Security Filtering remove "Authenticated users" and add "Terminal Servers" and "TS Users"

Rerun gpupdate /force on your RD server. Your admin should be OK if he isn't linked in some way to the "TS Users" security group.

And BTW, please start off with a more generous point budget next time :)

Regards,
Tomislav

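As an added example (not code from tstritof, BMI-IT or this thread), here is the whole procedure from the two expert posts above, the two-GPO loopback layout and the security filtering that fixed the admin account, scripted with the ActiveDirectory and GroupPolicy PowerShell modules on a domain controller. The domain, the RDS host name TS01, the user names, and the choice of "Prohibit access to Control Panel" as the lockdown setting are assumptions; replace them with your own.

```powershell
# Added example, not from the thread. Assumed placeholders: the DC's own domain,
# RDS host TS01, users jdoe and asmith. Needs the ActiveDirectory and GroupPolicy
# modules (RSAT / Windows Server 2008 R2 or later domain controller).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example (assumed)
$tsServer = 'TS01'                              # assumed RDS computer account
$tsUsers  = @('jdoe', 'asmith')                 # assumed users to lock down
$ouName   = 'Terminal Servers'
$userGpo  = 'TS User Access Lockdown'
$compGpo  = 'Terminal Servers'

# Steps 1-2: an OU for the terminal servers, and move the RDS host into it.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru
Move-ADObject -Identity (Get-ADComputer $tsServer).DistinguishedName -TargetPath $ou.DistinguishedName

# Steps 3-6: user-settings-only GPO, linked to the OU, carrying the user lockdown.
$u = New-GPO -Name $userGpo -Comment 'User restrictions applied via loopback on RDS hosts'
$u.GpoStatus = 'ComputerSettingsDisabled'      # "disable processing of computer rules"
New-GPLink -Name $userGpo -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
# User Configuration > Administrative Templates > Control Panel > Prohibit access to Control Panel
Set-GPRegistryValue -Name $userGpo -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Steps 7-11: computer-settings-only GPO with loopback processing set to Replace.
# UserPolicyMode 2 = Replace, 1 = Merge (Computer Configuration > ... > System > Group Policy).
$c = New-GPO -Name $compGpo -Comment 'RDS host settings; loopback processing = Replace'
$c.GpoStatus = 'UserSettingsDisabled'          # "disable processing of user rules"
New-GPLink -Name $compGpo -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $compGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Accepted solution: two security groups, then swap "Authenticated Users" out of
# the user GPO's security filter so only the RDS hosts and the TS users get it.
$grpServers = New-ADGroup -Name 'Terminal Servers' -GroupScope Global -GroupCategory Security -Path $domainDN -PassThru
$grpUsers   = New-ADGroup -Name 'TS Users'         -GroupScope Global -GroupCategory Security -Path $domainDN -PassThru
Add-ADGroupMember -Identity $grpServers -Members (Get-ADComputer $tsServer)
Add-ADGroupMember -Identity $grpUsers   -Members $tsUsers

Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'Terminal Servers'    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'TS Users'            -TargetType Group -PermissionLevel GpoApply | Out-Null

# Checks: who can apply the lockdown GPO now, and is loopback really set on the computer GPO?
Get-GPPermission -Name $userGpo -All | Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission
Get-GPRegistryValue -Name $compGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'

# Then, on the RDS host as an administrator: gpupdate /force, and gpresult /r to confirm
# that "TS User Access Lockdown" is listed for a TS user but not for the admin account.
```

Two points worth keeping in mind with this layout. The admin account stays out of scope only as long as it is not a member of "TS Users" (directly or through nesting), so a group membership review is the first thing to check if the lockdown appears on an admin session. And since the "Terminal Servers" computer group is granted Apply (which includes Read) on the user GPO, the computer account can still read the GPO; that matters on domains patched for MS16-072, where user-side settings are retrieved in the computer's security context and a filter that strips all computer Read permission silently stops the policy from applying.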

Author Comment

by:BMI-IT
ID: 34241222
tstritof,

Thank you so much for your help. I too wish I had assigned more points, but I wasn't expecting such a detailed walkthrough.

Thank you again
LVL 7

Expert Comment

by:tstritof
ID: 34241947
No problem and good luck!