DowntownIT

asked on

Trouble with Group Policy

I have created a new GPO and made the changes. I linked it to the OU where the servers I wish to apply this policy to are stored. I added the AD groups I need this policy to apply to under the security filtering of the GPO. Only the User configuration is being processed. I checked and made sure that the GPO status was set to enabled. If I add the servers to the security filtering it will process regardless of who is logged in. The servers are terminal servers and I need both the computer and user configuration to apply to the AD group term_access and no other group. (Example Domain_Admin) This way when the admins log in they are able to see the control panel etc. Ideas?
EvaUnit01

In security filtering did you take off the "authenticated users group" when you added the AD group?

This AD group, does it just have user accounts?
DowntownIT (ASKER)

In security filtering did you take off the "authenticated users group" when you added the AD group?
Yes

This AD group, does it just have user accounts?
Both users and groups
vervenetworks

In the case of a terminal server, you may want to enable the group policy processing mode to loopback, and then use a deny apply for any administrative accounts in the GPO security filtering.
If you add the servers to the AD group you should be fine. The computer config will be applied to the servers at boot up and the user config will be applied if that user is a part of the AD group only during login.
Are you saying that you don't want the computer config portion to be applied when you have a domain admin log in?
@vervenetworks
Loopback processing is set to replace. How do I use a deny apply for any administrative accounts in the GPO security filtering?

@EvaUnit01
yes
You go to the delegation tab, then hit the advanced button, then add the domain admins group, and under permissions there is an "apply group policy" option; hit the deny checkbox and that's it!
Bummer, it already is
I would suggest running the group policy modeling wizard or group policy results on a domain admin account and that terminal server
group policy modeling wizard OR results wizard*
rsop is showing the policy being applied to the domain_admin logging in
Try the group policy modeling wizard and results wizard though that shows the gpo's which are applied and why. It might explain why the deny group policy is being superseded. RSOP won't show you that information.
Modeling does show that the GPO is being denied for the user configuration, not the computer configuration
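The checks the thread walks through (security filtering, loopback mode, modeling/results), collected into one diagnostic script. This is an added example, not code from the thread; it assumes the RSAT GroupPolicy module, and the GPO name, server name and user account are placeholders.

```powershell
# Added diagnostic for the situation in this thread: a GPO whose Computer
# Configuration half applies to a terminal server regardless of the logged-on
# user, while only the User Configuration half honours a deny ACE.
# Assumes the RSAT GroupPolicy module; the three values below are placeholders.
Import-Module GroupPolicy

$GpoName  = 'TS Lockdown'        # placeholder: the GPO under investigation
$Server   = 'TS01'               # placeholder: the terminal server
$TestUser = 'CONTOSO\someadmin'  # placeholder: an admin who should NOT get the user half

# 1. Security filtering: which trustees hold Apply Group Policy?
#    The Computer Configuration half is evaluated against the COMPUTER account,
#    so it processes whenever the server (or a group containing it) has
#    GpoApply. A deny on a user group such as Domain Admins cannot suppress it;
#    it only affects the User Configuration half, which is what modeling shows.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table Trustee, Permission, Inherited -AutoSize

# 2. Loopback mode as stored in the GPO's registry policy
#    (1 = Merge, 2 = Replace, value absent = loopback not configured).
$loop = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
switch ($loop.Value) {
    1       { 'Loopback: Merge' }
    2       { 'Loopback: Replace' }
    default { 'Loopback: not set in this GPO' }
}

# 3. Resultant Set of Policy for computer AND user, i.e. the data the
#    Group Policy Results wizard presents. The report lists each GPO under
#    Computer and User separately with the reason it was applied or denied.
$report = Join-Path $env:TEMP "rsop-$Server.html"
Get-GPResultantSetOfPolicy -Computer $Server -User $TestUser `
    -ReportType Html -Path $report
Start-Process $report
```

Run it from a domain-joined admin workstation with rights to read the GPO and to query RSoP on the server; the HTML report is what shows whether the deny ACE is honoured for each half of the policy.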
ASKER CERTIFIED SOLUTION
EvaUnit01

Disabling Windows Installer
On the old 2003 TS somehow someway a user with user permissions was able to install a screensaver software package. I was trying to log down this.
lock it down

sorry
That should not happen at all, are you certain that user in question didn't have admin rights on the server? Can this user account still install anything on the server? Is it possible this user somehow got a hold of an accounts credentials that has admin privileges to that server?

A regular old user just cannot install things on a server, impossible. I have set up a GPO on my domain which specifies the only user/group accounts that are able to be a part of the administrators group for a local PC. Perhaps this solution could work for you?
I don't know, it was before my time. Anyway thanks for your help!!
Well technically I have it placed in an OU where all sub OUs hold Workstations and not Servers.

You can configure this in: computer config --> windows settings --> security settings --> restricted groups. Any computer which you do not want to apply this GPO to you can add to the security permissions and hit the deny group policy checkbox.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Control the membership of the local Administrators group on all client computers to include the following accounts:

    * Administrator (local SAM account)
    * Domain Admins
    * SMS or other remote admin domain account