Solved

GPMC OU ISSUE

Posted on 2011-02-24
600 Views
Last Modified: 2013-11-21
I have a clean install of Win 2003 & SP2, DNS, DHCP & Terminal Server & GPMC added.
At the moment all I have done in GPMC is create an OU called Terminal Server and create a group in GPMC and allow potential users access when I allow host PCs to connect to the Terminal Server.

1. What is the correct process for creating user accounts? Do I create them in AD first or in GPMC?
2. When creating OUs, do I create them first in GPMC?
3. I cannot see my OU (called Terminal Server) in AD?
0
Question by:mikey250
8 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 1000 total points
ID: 34970784
The user accounts and OU should be created in AD.
Note you MUST put the USER ACCOUNTS in the OU. Placing the users in a security group and then putting the group in the OU will not result in a policy that is applied to the OU affecting the users.

GROUP POLICY does not affect GROUPS!
0
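To check KCTS's point in practice, here is an added PowerShell example (not from the thread) that lists the members of a domain group and flags any whose user object does not sit under the Terminal Server OU, since a GPO linked to an OU reaches only the objects located in it. It assumes the RSAT ActiveDirectory module on the machine running it; the OU DN and group name are placeholders.

```powershell
# Added example: verify that the users an OU-linked GPO is meant to reach
# actually reside in that OU. Group membership alone never puts a user in scope.
# Assumes the ActiveDirectory module (RSAT); domain and names are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Terminal Server,DC=example,DC=local'   # placeholder OU DN
$groupName = 'Terminal Server Users'                     # placeholder group name

function Get-GroupMemberOuReport {
    param([string]$GroupName, [string]$OuDn)
    # -Recursive expands nested groups so every effective user is checked
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
                # A DN that ends with ",<OU DN>" sits in (or below) that OU
                InOu = $user.DistinguishedName.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)
            }
        }
}

$report = Get-GroupMemberOuReport -GroupName $groupName -OuDn $ouDn
$report | Format-Table -AutoSize

$outside = @($report | Where-Object { -not $_.InOu })
if ($outside.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' are outside {2}; a GPO linked there will not apply to them:" -f $outside.Count, $groupName, $ouDn)
    $outside | ForEach-Object { Write-Warning "  $($_.SamAccountName)  $($_.DistinguishedName)" }
} else {
    Write-Host "All users in '$groupName' reside under $ouDn"
}
```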
 

Author Comment

by:mikey250
ID: 34971087
OK, I thought so but wasn't sure when I installed GPMC. So what I will do is:

- create all users in AD
- create an OU and add a group within it

What else do I do?

According to my gpmc instructions I will create and link a gpo to an OU and also create a 'Restricted Group' and this is the recommended way for allowing users to access Terminal Server, once I've enabled RDP on the Master DC.
0
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 34971279
After creating an OU in AD, I then did the following:

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.
----------------------------------
step 2

To add a domain group to the Remote Desktop Users group via Group Policy

1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.
0

 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1000 total points
ID: 35014694
Why are you even using Group Policy? All the mechanisms are already in place... there is no point in the Group Policy.

1. Create a Security Group to use for Terminal Server Users. Name it whatever you want to name it. Location of OUs doesn't matter.

2. Add the Desired Users to the Group.

3. Log into the Console (Desktop) of the Terminal Server itself.  Right-Click on "My Computer" and choose "Manage".  Go to the Groups Node and open the properties of the built in Local Group for Terminal Server Users.  The name of the Group will make it obvious what it is.  Add the Group you created earlier to this group.

4. Done. No GPO used. You probably could use GPO's Restricted Groups feature to add the membership to the local Terminal Server group, but that is just needless, pointless excess complexity unless you are dealing with 100 Terminal Servers or something like that.

5. Now when you want to give users TS abilities just add them to the Domain Group you created.
0
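Both the Restricted Groups GPO walked through above and pwindell's manual steps end in the same state: the domain group becomes a member of the terminal server's local Remote Desktop Users group. The following added PowerShell example (not from the thread) scripts pwindell's step 3 on the terminal server itself using the WinNT ADSI provider, then reads back the local membership and the fDenyTSConnections registry values so you can confirm which mechanism, GPO or local setting, is actually in control; the domain and group names are placeholders.

```powershell
# Added example: run on the terminal server itself as a local administrator.
# Scripts pwindell's step 3 (put the domain group into the local
# "Remote Desktop Users" group) and then reads back the resulting state.
$domain    = 'EXAMPLE'                 # placeholder NetBIOS domain name
$groupName = 'Terminal Server Users'   # placeholder domain group from step 1

$rdu = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"

function Get-LocalGroupMemberPaths([System.DirectoryServices.DirectoryEntry]$Group) {
    # Members() returns COM objects; read each member's ADsPath via reflection
    @($Group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$targetPath = "WinNT://$domain/$groupName"
if ((Get-LocalGroupMemberPaths $rdu) -notcontains $targetPath) {
    # Only add when missing so the script can be re-run safely
    $rdu.Invoke('Add', "$targetPath,group")
}

Write-Host "Members of Remote Desktop Users on $env:COMPUTERNAME:"
Get-LocalGroupMemberPaths $rdu | ForEach-Object { Write-Host "  $_" }

# fDenyTSConnections = 0 means RDP is allowed. The Policies key is what the
# "Allow users to connect remotely using Terminal Services" GPO writes, and it
# overrides the local key, so its presence tells you Group Policy is in control.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
)
foreach ($key in $keys) {
    $v = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($null -eq $v) {
        Write-Host ("{0}: fDenyTSConnections not set" -f $key)
    } else {
        $state = if ($v -eq 0) { 'RDP allowed' } else { 'RDP denied' }
        Write-Host ("{0}: fDenyTSConnections = {1} ({2})" -f $key, $v, $state)
    }
}
```

One caveat when mixing the two approaches: a Restricted Groups "Members of this group" list is authoritative, so on a server where that GPO applies, any member added by hand as above that is not in the GPO's list is removed again at the next policy refresh.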
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 35016412
Yes, GPO's 'Restricted Group' IS what I've used, as above, and linked it to the OU Terminal Server on my Master DC.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.


When following the above instructions I've ended up NOT only with a 'Restricted Gp', which is OK, but I've also created a 'Terminal Server', which I have just ignored but left in place, and continued with the instructions about 'Restricted Gp'.

But this main thread question has been answered, so I will leave it at that; thanks for the advice.
0
 

Author Closing Comment

by:mikey250
ID: 35312542
Although I've selected 2 of my own boxes, it is only to follow my instructions if I need them, as the expert on the last thread mentioned that only if 100 Terminal Servers or more were being used would using GPO maybe be necessary. Otherwise it was not needed.
0
