• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 698
  • Last Modified:

Seperating group policy from workstation and terminal server

      I have users at a remote site that are logged in to the domain via VPN, They also use remote desktop connection from that workstation to connect to Terminal server to do their work. Because of certain software we run the users have to be local administrators on the TS, this poses a problem because they can then shut off the TS. To prevent this we set up a group policy for terminal server users, this worked fine and removed the option to shut down on the terminal server. Unfortunately they have also lost the ability to shut down on their workstation as well. Is there any way to limit this policy to the TS ONLY?
1 Solution
Krzysztof PytkoSenior Active Directory EngineerCommented:
You can create separate OU and move there TS servers. Link GPO to that OU. Or use GPO Security Filtering to apply GPO only to TS server(s)
More about GPO Security Filtering at

or you can try doing this with my guide (for process overview)

You should activate LoopBack processing mode on a GPO assigned to your server.
therefore each user connecting to your TSE server will receive only user part settings assigned on your TSE GPO.

Review this : http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_1876-Understanding-Group-Policy-Loopback-Processing.html
This setting is a User Config setting, which means it applies to the user and not the computer/server.  The way to resolve this is to have your terminal servers in a separate OU.

From there, you set your group policy up on the term svcs OU and use loopback policy processing, so that it only applies to the users when they are logged into a terminal server.
McottuliAuthor Commented:
Well I have enabled the group policy loopback processing mode. Created a new OU with the TSE in it and moved the Terminal server users policy into that OU. But I don't know how to link the loopback to the new TSE OU. Excuse my ignorance I'm reletiviely new to AD.
Under your Group Policy Mgmt console...

GPMC > Forest > Domain > 'TSE OU'

Right-Click this OU, and choose Link an Existing GPO.  Then choose your newly created GPO.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now