Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Design the right policy scope for terminal server so that users can open control pannel and etc...

Posted on 2011-02-16
2
Medium Priority
?
279 Views
Last Modified: 2012-05-11
hi all

i started to get mixed-up with how to implement policy to the terminal server.

lets start with a single policy i getting trouble to implement as an example.

the policy is to restricte the user access to the control pannel in the terminal server.

how do i do that?

i have 2 policies, one the defualt domain policy and one for the defualt domain conntrolers policy.

i want that this policy will only apply to the specific server and will not arrive to the users pesonal computers.

problem is that i dont see any policy that blocks control pannel access in the computer configuration, only in the user configuration.

but when i using this policy in the user configuration and apply the policy scope only to the OU where the terminal server lives, then the GPO doent apply, so i guss that is because the user/s are not in same OU that the server exist, therefore the policy in the user configuration doesnt apply?

i cant use the scope to all of the domain because this policy is in the user level and will apply to all computers in the domain , and i dont have this specific policy in the computer level in server 2003 so i cant just apply it to the treminal server OU.

how do i implement that? the only thing i can thing about is something not pretty at all like putiign all the users that use this terminal server and the terminal server computer account in the same OU.

please advice...thanks...
0
Comment
Question by:ymg800
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
Tasmant earned 2000 total points
ID: 34905789
You need to create an OU where you store your TSE server (which shoudn't be a DC).
Then you create a GPO and link it to your OU where TSE server is stored.
Edit this policy and activate the loopback policy feature (in replace mode) http://technet.microsoft.com/en-us/library/cc757470%28WS.10%29.aspx
Edit all users settings that you want in this policy, all users connecting to TSE will get the correct user settings applied to TSE server.
0
 

Author Comment

by:ymg800
ID: 34906611
well it's working!! and i thinkg i got my mistake...
i I thought that loopback policy telling to apply the computer policy first and then the user policy second inside the SAME GPO policy, but that not how it work, it telling him to apply the ALL policy for the correct OBJECT (the computer) to take precedence over ANOTHER  policy that linked to the USER OBJECT,
meanning the precedence is over to set of diffrence policies which one applied to the computer and one to the user OBJECT, and it's dont determine the procedence over computer / user setting in the SAME gpo,  can u confirm that was my mistake ?


 but i dont understand why there isnt any policy that blocks the computer controll pannel in the computer configuratuion?

if there is no meanning to whatever the setting in the computer level inside a GPO or the USER lever inside the same GPO so why they are seperated? is that only for convenience reasons?
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question