Solved

Separating group policy from workstation and terminal server

Posted on 2011-03-01
Medium Priority
694 Views
Last Modified: 2012-08-13
I have users at a remote site that are logged in to the domain via VPN. They also use Remote Desktop Connection from that workstation to connect to a terminal server to do their work. Because of certain software we run, the users have to be local administrators on the TS. This poses a problem because they can then shut off the TS. To prevent this we set up a group policy for terminal server users; this worked fine and removed the option to shut down on the terminal server. Unfortunately they have also lost the ability to shut down on their workstation as well. Is there any way to limit this policy to the TS ONLY?
Question by:Mcottuli
5 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 35007710
You can create a separate OU and move the TS servers there. Link the GPO to that OU. Or use GPO Security Filtering to apply the GPO only to the TS server(s).
More about GPO Security Filtering at
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

or you can try doing this with my guide (for process overview)
 Group-Policy-Security-Filtering.pdf

Regards,
Krzysztof
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 35007726
You should activate loopback processing mode on a GPO assigned to your server.
Therefore, each user connecting to your TSE server will receive only the user-part settings assigned in your TSE GPO.

Review this: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_1876-Understanding-Group-Policy-Loopback-Processing.html
0
 
LVL 11

Accepted Solution

by:
yelbaglf earned 2000 total points
ID: 35007759
This setting is a User Config setting, which means it applies to the user and not the computer/server.  The way to resolve this is to have your terminal servers in a separate OU.

From there, you set your group policy up on the term svcs OU and use loopback policy processing, so that it only applies to the users when they are logged into a terminal server.
http://support.microsoft.com/kb/231287
0
 
LVL 1

Author Comment

by:Mcottuli
ID: 35011617
Well, I have enabled the group policy loopback processing mode, created a new OU with the TSE in it, and moved the Terminal server users policy into that OU. But I don't know how to link the loopback to the new TSE OU. Excuse my ignorance, I'm relatively new to AD.
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 35011771
Under your Group Policy Mgmt console...

GPMC > Forest > Domain > 'TSE OU'

Right-Click this OU, and choose Link an Existing GPO.  Then choose your newly created GPO.
0
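
The steps from the answers above (separate OU for the terminal server, loopback processing, linking the GPO to that OU) as a PowerShell sketch. This is an added example, not code from the thread. The domain DN, OU names and server name are placeholder assumptions, the GPO name is taken from the asker's wording, and the old link location is an assumption about where the policy is linked today.

```powershell
# Added example: requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

# Placeholder values (assumptions): replace with your own.
$DomainDn  = 'DC=example,DC=local'
$TsOuName  = 'Terminal Servers'
$TsServer  = 'TS01'
$GpoName   = 'Terminal server users policy'
$OldUserOu = "OU=Remote Users,$DomainDn"   # where the GPO is linked today
$TsOuDn    = "OU=$TsOuName,$DomainDn"

# 1. Create the terminal server OU if it does not exist yet.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$TsOuName)" `
    -SearchBase $DomainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $TsOuName -Path $DomainDn
}

# 2. Move the terminal server's computer account into that OU.
Get-ADComputer -Identity $TsServer | Move-ADObject -TargetPath $TsOuDn

# 3. Turn on loopback processing inside the GPO (a Computer Configuration
#    setting). UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 4. Link the GPO to the terminal server OU (same as "Link an Existing GPO").
New-GPLink -Name $GpoName -Target $TsOuDn -LinkEnabled Yes

# 5. Remove the old link so the user settings no longer follow the users
#    to their workstations. Fails if no link exists at that location.
Remove-GPLink -Name $GpoName -Target $OldUserOu

# 6. Confirm which GPOs are now linked to the terminal server OU.
(Get-GPInheritance -Target $TsOuDn).GpoLinks |
    Format-Table DisplayName, Enabled, Order
```

After the change, run `gpupdate /force` on the terminal server and check the applied user settings with `gpresult /r` from a user session on the server and on a workstation.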

Question has a verified solution.
