Solved

GPMC OU ISSUE

Posted on 2011-02-24
Last Modified: 2013-11-21
I have a clean install of Win 2003 & SP2, with DNS, DHCP, Terminal Server & GPMC added.
At the moment all I have done in GPMC is create an OU called Terminal Server, create a group in GPMC and allow potential user access, when I allow host PCs to connect to the Terminal Server.

1. What is the correct process for creating user accounts, do I create them in AD first or GPMC?
2. When creating OUs do I create them first in GPMC?
3. I cannot see my OU called Terminal Server in AD?
Question by:mikey250
8 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 250 total points
ID: 34970784
The user accounts and OU should be created in AD.
Note you MUST put the USER ACCOUNTS in the OU - placing the users in a security group and then putting the group in the OU will not result in a policy that is applied to the OU affecting the users.

GROUP POLICY does not affect GROUPS!
0
 

Author Comment

by:mikey250
ID: 34971087
OK, I thought so but wasn't sure when I installed GPMC. So what I will do is:

- create all users in AD
- create OU and within add a Group

What else do I do?

According to my GPMC instructions I will create and link a GPO to an OU and also create a 'Restricted Group' and this is the recommended way for allowing users to access Terminal Server, once I've enabled RDP on the Master DC.
0
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 34971279
After creating an OU in AD, I then did the following:

Centrally enable Remote Desktop using Group Policy
It is recommended as a best practice to centrally enable Remote Desktop for all your terminal servers. Group Policy will allow you to centrally configure all your terminal servers instead of configuring the properties for each terminal server.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.
----------------------------------
step 2

To add a domain group to the Remote Desktop Users group via Group Policy

1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO named Restricted Groups to the terminal server OU.

3. Right-click the Restricted Groups GPO linked to the terminal server OU, and then click Edit.

4. You can configure the Restricted Groups setting in the following location in Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

5. Right-click Restricted Groups and then click Add Group.

6. Click Browse, click Locations, select the locations you want to browse, and then click OK.

7. Type Remote Desktop Users in the Enter the object names to select text box and then click Check Names. Or, click Advanced, and then click Find Now to list all available groups.

8. Click the Remote Desktop Users group and then click OK.

9. Click OK in the Add Groups dialog box to close it. The Remote Desktop Users Properties dialog box is then displayed.

10. Click Add in the Members of this group section of the dialog box.

11. Click Browse.

12. Type the name of the domain group in the Select Users or Groups dialog box. Click Check Names, and then click OK to close this dialog box.

13. Click OK to close this dialog box to finish adding the domain group to the Remote Desktop Users group.
0
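The Restricted Groups procedure above is stored in the GPO's security template (`GptTmpl.inf`, under `Machine\Microsoft\Windows NT\SecEdit` in the GPO's SYSVOL folder), and the "Members of this group" list it sets is enforced as the complete membership of the local group. The following Python sketch is an added example, not part of the original thread, that reads such a template and reports which principals it places in Remote Desktop Users; the sample template, the domain SID and the `EXAMPLE\TS Users` name are constructed for illustration.

```python
import re

RDU_SID = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users
RDU_NAMES = (RDU_SID, "REMOTE DESKTOP USERS", "BUILTIN\\REMOTE DESKTOP USERS")

# Constructed sample template; the domain SID, RID and group name are made up.
# Files copied from SYSVOL are typically UTF-16, so read them with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,EXAMPLE\\TS Users
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.match(r"^\*?(.+?)__(Members|Memberof)$", key.strip(), re.IGNORECASE)
        if not m:
            continue
        # A leading '*' marks a SID; unresolved entries appear as plain names.
        entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        group = groups.setdefault(m.group(1), {"members": [], "memberof": []})
        group[m.group(2).lower()] = entries
    return groups

def rdp_grants(text):
    """Principals this template puts in Remote Desktop Users, or None if unmanaged."""
    for name, entry in parse_group_membership(text).items():
        if name.upper() in RDU_NAMES:
            # "Members" replaces the local group's membership with exactly this list.
            return entry["members"]
    return None
```

Comparing the returned list with the intended domain group confirms that only that group receives Terminal Server logon rights from the GPO.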
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 35014694
Why are you even using Group Policy?  All the mechanisms are already in place... there is no point in the Group Policy.

1. Create a Security Group to use for Terminal Server Users.  Name it whatever you want to name it.  Location of OUs doesn't matter.

2. Add the Desired Users to the Group.

3. Log into the Console (Desktop) of the Terminal Server itself.  Right-Click on "My Computer" and choose "Manage".  Go to the Groups Node and open the properties of the built in Local Group for Terminal Server Users.  The name of the Group will make it obvious what it is.  Add the Group you created earlier to this group.

4. Done.   No GPO used.  You probably could use GPO's Restricted Groups Feature to add the Membership to the Local Terminal Server Group, but that is just needless, pointless excess complexity unless you are dealing with 100 Terminal Servers or something like that.

5. Now when you want to give users TS abilities just add them to the Domain Group you created.
0
 

Assisted Solution

by:mikey250
mikey250 earned 0 total points
ID: 35016412
Yes, GPO's 'Restricted Group' IS what I've used as above and linked it to the OU Terminal Server on my Master DC.

step 1

To centrally enable Remote Desktop using Group Policy

1. To open Group Policy Management Console (GPMC), click Start, click Run, and then type GPMC.msc.

2. Create and link a GPO to the terminal server OU.

3. Right-click the GPO linked to the terminal server OU, and then click Edit.

4. In Computer Configuration\Administrative Templates\Windows Components\Terminal Services, double-click the Allow users to connect remotely using Terminal Services policy setting.

5. Click Enabled.

6. Click OK.


When following the above instructions I've ended up NOT only with a 'Restricted Gp', which is OK, but I've also created a 'Terminal Server', which I have just ignored but left in place and continued with instructions about 'Restricted Gp'.

But from this main thread question it has been answered so will leave it at that and thanks for advice.
0
 

Author Closing Comment

by:mikey250
ID: 35312542
Although I've selected 2 of my own boxes it is only to follow my instructions if I need them, as the expert on the last thread mentioned that only if 100 Terminal Servers or more were being used then using GPO may be necessary.  Otherwise it was not needed.
0
