Solved

GPMC OU ISSUE

Posted on 2011-02-24
Last Modified: 2013-11-21
I have a clean install of Win 2003 & SP2, DNS, DHCP & Terminal Server & GPMC added.
At the moment all I have done in GPMC is created an OU called Terminal Server and created a group in GPMC and allowed potential user access, when I allow host PCs to connect to the Terminal Server.

1. What is the correct process for creating user accounts, do I create them in AD first or gpmc?
2. When creating OUs do I create them first in GPMC?
3. I cannot see my OU - called Terminal Server in AD?
Question by:mikey250
Accepted Solution

by:
KCTS earned 250 total points
ID: 34970784
The user accounts and OU should be created in AD.
Note you MUST put the USER ACCOUNTS in the OU - placing the users in a security group and then putting the group in the OU will not result in a policy that is applied to the OU affecting the users.

GROUP POLICY does not affect GROUPS!
 

Author Comment

by:mikey250
ID: 34971087
OK, I thought so but wasn't sure when I installed GPMC. So what I will do is:

- create all users in AD
- create an OU and within it add a Group

What else do I do?

According to my GPMC instructions I will create and link a GPO to an OU and also create a 'Restricted Group', and this is the recommended way for allowing users to access Terminal Server, once I've enabled RDP on the Master DC.
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 34971279
After creating an OU in AD, I then did the following:

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.
----------------------------------
step 2

To add a domain group to the Remote Desktop Users group via Group Policy

1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.
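
As an added example (not part of the original posts): the Restricted Groups setting from step 2 is written to the GPO's GptTmpl.inf (under Machine\Microsoft\Windows NT\SecEdit in the policy's SYSVOL folder) in a [Group Membership] section, so the Remote Desktop Users membership it enforces can be audited from a copy of that file. The sample file content and its domain SIDs are constructed, and the function names are hypothetical.

```python
import configparser

RDU_SID = "S-1-5-32-555"           # well-known SID of BUILTIN\Remote Desktop Users
RDU_NAME = "remote desktop users"  # the entry may be stored by name instead of SID
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

# Constructed sample of a GPO's GptTmpl.inf; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1108,*S-1-5-21-1111111111-2222222222-3333333333-513
"""


def rdp_members(inf_text):
    """Principals that Restricted Groups places in Remote Desktop Users."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case; configparser lowercases by default
    cp.read_string(inf_text)
    if not cp.has_section("Group Membership"):
        return []
    members = []
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        if kind.lower() != "members":
            continue  # "__Memberof" lines describe nesting, not members
        if group.lstrip("*").lower() not in (RDU_SID.lower(), RDU_NAME):
            continue
        members += [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return members


def broad_grants(members):
    """Name members that would give RDP logon to very large populations."""
    found = []
    for sid in members:
        if sid in BROAD:
            found.append(BROAD[sid])
        elif sid.startswith("S-1-5-21-") and sid.endswith("-513"):
            found.append("Domain Users")  # RID 513 in any domain
    return found


if __name__ == "__main__":
    members = rdp_members(SAMPLE_INF)
    print(members, broad_grants(members))
```

The real file is UTF-16, so read it with `open(path, encoding="utf-16")`. A `__Members` entry is authoritative: accounts not listed are removed from the group when the policy applies.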

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 35014694
Why are you even using Group Policy? All the mechanisms are already in place... there is no point in the Group Policy.

1. Create a Security Group to use for Terminal Server Users. Name it whatever you want to name it. Location of OUs doesn't matter.

2. Add the desired users to the Group.

3. Log into the Console (Desktop) of the Terminal Server itself. Right-click on "My Computer" and choose "Manage". Go to the Groups node and open the properties of the built-in Local Group for Terminal Server Users. The name of the Group will make it obvious what it is. Add the Group you created earlier to this group.

4. Done. No GPO used. You probably could use GPO's Restricted Groups feature to add the membership to the Local Terminal Server Group, but that is just needless, pointless excess complexity unless you are dealing with 100 Terminal Servers or something like that.

5. Now when you want to give users TS abilities just add them to the Domain Group you created.
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 35016412
Yes, GPO's 'Restricted Group' IS what I've used as above and linked it to the OU Terminal Server on my Master DC.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.


When following the above instructions I've ended up NOT only with a 'Restricted Gp', which is OK, but I've also created a 'Terminal Server', which I have just ignored but left in place, and continued with instructions about 'Restricted Gp'.

But from this main thread question it has been answered, so I will leave it at that, and thanks for the advice.
 

Author Closing Comment

by:mikey250
ID: 35312542
Although I've selected 2 of my own boxes, it is only to follow my instructions if I need them, as the expert on the last thread mentioned that only if 100 Terminal Servers or more were being used then using GPO may be necessary. Otherwise it was not needed.