Solved

GPMC OU ISSUE

Posted on 2011-02-24
Last Modified: 2013-11-21
I have a clean install of Win 2003 & SP2, DNS, DHCP & Terminal Server & GPMC added.
At the moment all I have done in GPMC is created an OU - called Terminal Server and created a group in GPMC and allow potential user access, when I allow host PCs to connect to the Terminal Server.

1. What is the correct process for creating user accounts, do I create them in AD first or GPMC?
2. When creating OUs do I create them first in GPMC?
3. I cannot see my OU - called Terminal Server in AD?
Question by:mikey250
8 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 250 total points
ID: 34970784
The user accounts and OU should be created in AD.
Note you MUST put the USER ACCOUNTS in the OU - placing the users in a security group and then putting the group in the OU will not result in a policy that is applied to the OU affecting the users.

GROUP POLICY does not affect GROUPS!
0
 

Author Comment

by:mikey250
ID: 34971087
OK, I thought so but wasn't sure when I installed GPMC. So what I will do is:

- create all users in AD
- create OU and within add a Group

What else do I do?

According to my GPMC instructions I will create and link a GPO to an OU and also create a 'Restricted Group' and this is the recommended way for allowing users to access Terminal Server, once I've enabled RDP on the Master DC.
0
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 34971279
After creating an OU in AD, I then did the following:

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

Step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.
----------------------------------
Step 2

To add a domain group to the Remote Desktop Users group via Group Policy

1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.
0

 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 35014694
Why are you even using Group Policy? All the mechanisms are already in place... there is no point in the Group Policy.

1. Create a Security Group to use for Terminal Server Users.  Name it whatever you want to name it.  Location of OUs doesn't matter.

2. Add the Desired Users to the Group.

3. Log into the Console (Desktop) of the Terminal Server itself.  Right-Click on "My Computer" and choose "Manage".  Go to the Groups Node and open the properties of the built in Local Group for Terminal Server Users.  The name of the Group will make it obvious what it is.  Add the Group you created earlier to this group.

4. Done.   No GPO used.  You probably could use GPO's Restricted Groups Feature to add the Membership to the Local Terminal Server Group, but that is just needless pointless excess complexity unless you are dealing with a 100 Terminal Servers or something like that.

5. Now when you want to give users TS abilities just add them to the Domain Group you created.
0
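Whichever route is used, the Restricted Groups GPO from the earlier post or the manual addition in the answer above, the outcome to verify is the same: the local Remote Desktop Users group on the terminal server contains the intended domain group and nothing else. The script below is an added example, not code from any poster in this thread; it assumes PowerShell 2.0 or later on the server, and `EXAMPLE\TS-Users` is a hypothetical name for the domain group.

```powershell
# Added example: audit the local "Remote Desktop Users" group on a terminal server.
# Run locally on the server with an account allowed to read local groups.
# ASSUMPTION: 'EXAMPLE\TS-Users' is a hypothetical domain group name; replace it.
$ExpectedMembers = @('EXAMPLE\TS-Users')
$GroupName       = 'Remote Desktop Users'

function Get-LocalGroupMemberNames {
    param([string]$Computer = $env:COMPUTERNAME, [string]$Group)
    # The WinNT ADSI provider reads local groups without any AD module.
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/HOST/name.
        # An orphaned account shows up as a bare SID (WinNT://S-1-5-21-...).
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
        else                    { $parts[-1] }
    }
}

function Compare-GroupMembership {
    param([string[]]$Expected, [string[]]$Actual)
    # -notcontains is case-insensitive, which matches Windows account names.
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    New-Object PSObject -Property @{ Unexpected = $unexpected; Missing = $missing }
}

$actual = @(Get-LocalGroupMemberNames -Group $GroupName)
$result = Compare-GroupMembership -Expected $ExpectedMembers -Actual $actual

'Members of "{0}" on {1}:' -f $GroupName, $env:COMPUTERNAME
$actual | ForEach-Object { "  $_" }

if ($result.Missing.Count -gt 0) {
    'MISSING (policy not applied or group not added): ' + ($result.Missing -join ', ')
}
if ($result.Unexpected.Count -gt 0) {
    'UNEXPECTED (review who granted this access): ' + ($result.Unexpected -join ', ')
}
if (($result.Missing.Count + $result.Unexpected.Count) -eq 0) {
    'OK: membership matches the expected list.'
}

# To confirm which GPOs applied to the computer account, run on the server:
#   gpresult /scope computer /v
```

With the Restricted Groups "Members of this group" list, members added by hand on the server are removed at the next policy refresh, so an unexpected entry usually means the GPO is not applying to that server.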
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 35016412
Yes, GPO's 'Restricted Group' IS what I've used as above and linked it to the OU Terminal Server on my Master DC.

Step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.


When following the above instructions I've ended up NOT only with a 'Restricted Gp', which is OK, but I've also created a 'Terminal Server', which I have just ignored but left in place, and continued with the instructions about 'Restricted Gp'.

But from this main thread question it has been answered, so I will leave it at that, and thanks for the advice.
0
 

Author Closing Comment

by:mikey250
ID: 35312542
Although I've selected 2 of my own boxes, it is only to follow my instructions if I need them, as the expert on the last thread mentioned that only if 100 Terminal Servers or more were being used then using GPO may be necessary.  Otherwise it was not needed.
0


Question has a verified solution.
