• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 602

GPMC OU ISSUE

I have a clean install of Win 2003 with SP2, DNS, DHCP, Terminal Server and GPMC added.
At the moment all I have done in GPMC is create an OU called Terminal Server, create a group in GPMC and allow potential users access, when I allow host PCs to connect to the Terminal Server.

1. What is the correct process for creating user accounts? Do I create them in AD first, or in GPMC?
2. When creating OUs, do I create them first in GPMC?
3. I cannot see my OU (called Terminal Server) in AD?
Asked by: mikey250
4 Solutions
KCTS commented:
The user accounts and OU should be created in AD.
Note you MUST put the USER ACCOUNTS in the OU: placing the users in a security group and then putting the group in the OU will not result in a policy that is applied to the OU affecting the users.

GROUP POLICY does not affect GROUPS!
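As an added example (not code from the thread or from any of its participants), this PowerShell script builds the structure KCTS describes: the OU and the user accounts are created in AD, with the users placed directly in the OU, and a security group is created alongside them. It uses ADSI rather than the ActiveDirectory module so it can run against a Windows 2003 domain controller from any domain-joined machine. The domain name corp.example, the OU name, the group name and the user accounts are constructed placeholders, and the script assumes it runs with domain admin rights.

```powershell
# Added example, not from the thread. Builds an OU, user accounts inside it and a
# security group, using ADSI (works against a Windows 2003 DC, no AD module needed).
# Assumptions: domain 'corp.example' (constructed), placeholder OU/group/user names,
# and the script runs as a domain admin on a domain member.

$domainDn = "DC=corp,DC=example"               # assumption: constructed domain
$ouName   = "Terminal Server"                  # placeholder OU name
$grpName  = "TS Users"                         # placeholder group name
$users    = @(                                 # constructed sample accounts
    @{ Sam = "alice"; Given = "Alice"; Sn = "Adams" },
    @{ Sam = "bob";   Given = "Bob";   Sn = "Baker" }
)

$domain = [ADSI]"LDAP://$domainDn"

# 1. Create the OU in AD. GPMC links GPOs to OUs; it does not create them, which is
#    why an OU "created in GPMC" never shows up in Active Directory Users and Computers.
$ou = $domain.Create("organizationalUnit", "OU=$ouName")
$ou.SetInfo()

# 2. Create the user accounts *inside* the OU, so a GPO linked to the OU applies to them.
foreach ($u in $users) {
    $user = $ou.Create("user", "CN=$($u.Given) $($u.Sn)")
    $user.Put("sAMAccountName", $u.Sam)
    $user.Put("givenName", $u.Given)
    $user.Put("sn", $u.Sn)
    $user.Put("userPrincipalName", "$($u.Sam)@corp.example")
    $user.SetInfo()
    $user.SetPassword("P@ssw0rd-change-me!")   # placeholder; set the real password out of band
    $user.Put("userAccountControl", 512)       # 512 = NORMAL_ACCOUNT, enabled
    $user.SetInfo()
}

# 3. A security group for Terminal Server access. Where the group lives does not
#    matter to Group Policy: a GPO is applied to the user and computer objects under
#    the OU, never to the members of a group that happens to sit in the OU.
$grp = $ou.Create("group", "CN=$grpName")
$grp.Put("sAMAccountName", $grpName)
$grp.Put("groupType", -2147483646)             # 0x80000002 = global security group
$grp.SetInfo()
foreach ($u in $users) {
    $grp.Add("LDAP://CN=$($u.Given) $($u.Sn),OU=$ouName,$domainDn")
}

# Check: list the objects that will actually receive a GPO linked to this OU,
# i.e. the users and computers whose distinguished name sits under it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ou)
$searcher.Filter = "(|(objectCategory=person)(objectCategory=computer))"
$searcher.FindAll() | ForEach-Object { $_.Properties["distinguishedname"][0] }
```

The final search is the quick way to answer "will this policy hit these users": if an account's DN is not under the OU, no amount of group nesting will bring the OU's GPOs to it.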
 
mikey250 (Author) commented:
OK, I thought so but wasn't sure when I installed GPMC. So what I will do is:

- create all users in AD
- create an OU and within it add a Group

What else do I do?

According to my GPMC instructions I will create and link a GPO to an OU and also create a 'Restricted Group', and this is the recommended way for allowing users to access Terminal Server, once I've enabled RDP on the Master DC.
 
mikey250 (Author) commented:
After creating an OU in AD, I then did the following:

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.
----------------------------------
step 2

To add a domain group to the Remote Desktop Users group via Group Policy

1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.
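As an added example (not from the thread or from Microsoft's documentation), this PowerShell script checks on a terminal server whether the two GPO steps above actually took effect. Step 1's policy setting writes the fDenyTSConnections value under the Policies registry key, and step 2's Restricted Groups setting enforces the membership of the local Remote Desktop Users group, so both can be verified directly. It assumes it runs locally on the terminal server with admin rights, and the domain group name CORP\TS Users is a constructed placeholder.

```powershell
# Added example, not from the thread. Verifies on a terminal server that the
# 'Allow users to connect remotely' and Restricted Groups policies have applied.
# Assumptions: runs locally with admin rights; 'CORP\TS Users' is a placeholder.

$expectedDomainGroup = "CORP\TS Users"          # assumption: constructed name

# Step 1 check. The policy setting writes fDenyTSConnections=0 under the Policies
# key; the second key holds the local value set from the Remote tab. When the
# policy value exists it takes precedence over the local one.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$localKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

function Get-DenyValue($key) {
    $item = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($item) { $item.fDenyTSConnections } else { $null }
}
$byPolicy = Get-DenyValue $policyKey
$byLocal  = Get-DenyValue $localKey

if ($byPolicy -eq 0) {
    "RDP enabled by Group Policy"
} elseif ($byPolicy -eq 1) {
    "RDP DISABLED by Group Policy (check the GPO link and security filtering)"
} elseif ($byLocal -eq 0) {
    "RDP enabled locally only; the GPO has not applied (try gpupdate /force, then gpresult /scope computer /v)"
} else {
    "RDP disabled; neither policy nor the local setting allows it"
}

# Step 2 check. Restricted Groups sets the local 'Remote Desktop Users' membership
# to exactly what the GPO lists, so the domain group must show up here.
$group   = [ADSI]"WinNT://./Remote Desktop Users,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("AdsPath", "GetProperty", $null, $_, $null)
})
"Local Remote Desktop Users members:"
$members

# ADsPaths use WinNT://DOMAIN/Name, so convert the backslash form before comparing.
$wanted = [regex]::Escape(($expectedDomainGroup -replace "\\", "/"))
if ($members -match $wanted) {
    "OK: $expectedDomainGroup is a member"
} else {
    "MISSING: $expectedDomainGroup not found; the Restricted Groups GPO has not applied"
}
```

Two things worth knowing before relying on this: the "Members of this group" list in Restricted Groups is authoritative, so any account added to the local group by hand on the server is removed again at the next policy refresh unless it is also listed in the GPO; and gpresult /scope computer /v shows which GPOs the computer actually processed, which is the first place to look when either check reports a missing setting.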
 
pwindell commented:
Why are you even using Group Policy? All the mechanisms are already in place... there is no point in the Group Policy.

1. Create a Security Group to use for Terminal Server Users. Name it whatever you want to name it. Location of OUs doesn't matter.

2. Add the desired users to the Group.

3. Log into the Console (Desktop) of the Terminal Server itself. Right-click on "My Computer" and choose "Manage". Go to the Groups node and open the properties of the built-in local group for Terminal Server users. The name of the group will make it obvious what it is. Add the group you created earlier to this group.

4. Done. No GPO used. You probably could use GPO's Restricted Groups feature to add the membership to the local Terminal Server group, but that is just needless, pointless excess complexity unless you are dealing with 100 Terminal Servers or something like that.

5. Now when you want to give users TS abilities, just add them to the Domain Group you created.
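As an added example (not code from pwindell or from the thread), this is step 3 of the approach above done from the terminal server's console in PowerShell instead of the Computer Management GUI: the domain group is added to the built-in local Remote Desktop Users group, and the script checks first so it can be re-run safely. The domain NetBIOS name CORP and the group name TS Users are constructed placeholders; it assumes that domain group already exists (steps 1 and 2) and that the script runs with local admin rights on the terminal server.

```powershell
# Added example, not from the thread. Adds a domain group to the local
# 'Remote Desktop Users' group on a terminal server, idempotently, with no GPO.
# Assumptions: domain NetBIOS name 'CORP' and group 'TS Users' are placeholders
# and the group already exists; runs with local admin rights on the server.

$domainName = "CORP"
$groupName  = "TS Users"

# Built-in local group whose members are allowed to log on through Terminal Services.
$localGroup = [ADSI]"WinNT://./Remote Desktop Users,group"

# Returns the ADsPath of every current member, e.g. WinNT://CORP/TS Users.
function Get-LocalGroupMemberPaths($group) {
    @($group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("AdsPath", "GetProperty", $null, $_, $null)
    })
}

$memberPath = "WinNT://$domainName/$groupName"
$before = Get-LocalGroupMemberPaths $localGroup

if ($before -contains $memberPath) {
    "$domainName\$groupName is already a member of Remote Desktop Users; nothing to do"
} else {
    # Equivalent to 'Add...' in the group's Properties dialog. From here on, users
    # get TS access by being put into the domain group; the server is not touched again.
    $localGroup.Add($memberPath)
    "Added $domainName\$groupName to Remote Desktop Users"
}

"Current members:"
Get-LocalGroupMemberPaths $localGroup
```

The membership check before the Add is the point of scripting this rather than clicking: run it on each terminal server and it reports what it changed, and a second run confirms the domain group is in place without adding a duplicate entry.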
 
mikey250 (Author) commented:
Yes, GPO's 'Restricted Group' IS what I've used as above and linked it to the OU Terminal Server on my Master DC.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.


When following the above instructions I've ended up NOT only with a 'Restricted Gp', which is OK, but I've also created a 'Terminal Server', which I have just ignored but left in place, and continued with the instructions about 'Restricted Gp'.

But from this main thread question it has been answered, so I will leave it at that, and thanks for the advice.
 
mikey250 (Author) commented:
Although I've selected 2 of my own boxes, it is only to follow my instructions if I need them, as the expert on the last thread mentioned that only if 100 Terminal Servers or more were being used would using GPO maybe be necessary. Otherwise it was not needed.