  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 432
  • Last Modified:

Trouble with Group Policy

I have created a new GPO and made the changes. I linked it to the OU where the servers I wish to apply this policy to are stored. I added the AD groups I need this policy to apply to under the security filtering of the GPO. Only the User configuration is being processed. I checked and made sure that the GPO status was set to enabled. If I add the servers to the security filtering it will process regardless of who is logged in. The servers are terminal servers and I need both the computer and user configuration to apply to the AD group term_access and no other group. (Example Domain_Admin) This way when the admins login they are able to see the control panel etc. Ideas?
0
DowntownIT
Asked:
DowntownIT
  • 10
  • 8
1 Solution
 
EvaUnit01Commented:
In security filtering did you take off the "authenticated users group" when you added the AD group?

This AD group, does it just have user accounts?
0
 
DowntownITAuthor Commented:
In security filtering did you take off the "authenticated users group" when you added the AD group?
Yes

This AD group, does it just have user accounts?
Both users and groups
0
 
vervenetworksCommented:
In the case of a terminal server, you may want to enable the group policy processing mode to loopback, and then use a deny apply for any administrative accounts in the GPO security filtering.
0

 
EvaUnit01Commented:
If you add the servers to the AD group you should be fine. The computer config will be applied to the servers at boot up and the user config will be applied if that user is a part of the AD group only during login.
0
 
EvaUnit01Commented:
Are you saying that you don't want the computer config portion to be applied when you have a domain admin log in?
0
 
DowntownITAuthor Commented:
@vervenetworks
Loopback processing is set to replace. How do I use a deny apply for any administrative accounts in the GPO security filtering?

@EvaUnit01
yes
0
 
EvaUnit01Commented:
You go to the delegation tab, then hit the advanced button, then add the domain admins group, and under permissions there is an "apply group policy" option. Hit the deny checkbox and that's it!
0
 
DowntownITAuthor Commented:
Bummer, it already is
Untitled.png
0
 
EvaUnit01Commented:
I would suggest running the group policy modeling wizard of group policy results on a domain admin account and that terminal server.
0
 
EvaUnit01Commented:
group policy modeling wizard OR results wizard*
0
 
DowntownITAuthor Commented:
rsop is showing the policy being applied to the domain_admin logging in
0
 
EvaUnit01Commented:
Try the group policy modeling wizard and results wizard though; that shows the GPOs which are applied and why. It might explain why the deny group policy is being superseded. RSOP won't show you that information.
0
 
DowntownITAuthor Commented:
Modeling does show that the GPO is being denied for the user configuration, not computer configuration
0
 
EvaUnit01Commented:
Right, of course. The computer configuration is independent of users, it applies whatever you specify to that computer before login even happens. It applies user configurations once you login, which is why the USER config is being denied. I apologize about that.

I am not certain that you can deny a computer config for a select user. Like I said they are independent of each other. If I may ask what computer settings exactly are you applying that you don't want affecting your domain admin?
0
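The split described in the comments above (computer settings filtered by the computer account, user settings filtered by the logged-on user's groups) can be set and checked from PowerShell. This is an added example, not something posted by a participant in the thread; the GPO name, server name, domain and admin account are assumed placeholders, and only term_access comes from the question.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

$gpo    = 'TS Lockdown'          # hypothetical GPO name
$server = 'TS01'                 # hypothetical terminal server
$group  = 'term_access'          # group named in the question
$admin  = 'EXAMPLE\adminuser'    # hypothetical Domain Admins member
$report = Join-Path $env:TEMP 'ts01-rsop.html'

# Computer Configuration is evaluated against the COMPUTER account at
# startup, so the server itself needs Read + Apply on the GPO.
Set-GPPermission -Name $gpo -TargetName $server `
    -TargetType Computer -PermissionLevel GpoApply

# User Configuration (delivered through loopback on a terminal server)
# is evaluated against the USER's group membership at logon.
Set-GPPermission -Name $gpo -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply

# List every trustee on the GPO to confirm the filtering that results.
Get-GPPermission -Name $gpo -All

# Results report for one user on one server. The report lists applied
# and denied GPOs separately for the computer and for the user, which
# is where a deny that only affects the user half becomes visible.
Get-GPResultantSetOfPolicy -Computer $server -User $admin `
    -ReportType Html -Path $report
```

A deny on "Apply group policy" for an admin group shows up only under the user half of that report; machine-wide settings applied at startup remain in effect for whoever logs on.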
 
DowntownITAuthor Commented:
Disabling Windows Installer
On the old 2003 TS somehow someway a user with user permissions was able to install a screensaver software package. I was trying to log down this.
0
 
DowntownITAuthor Commented:
lock it down

sorry
0
 
EvaUnit01Commented:
That should not happen at all, are you certain that user in question didn't have admin rights on the server? Can this user account still install anything on the server? Is it possible this user somehow got a hold of an account's credentials that has admin privileges to that server?

A regular old user just cannot install things on a server, impossible. I have set up a GPO on my domain which specifies the only user/group accounts that are able to be a part of the administrators group for a local PC. Perhaps this solution could work for you?
0
 
DowntownITAuthor Commented:
I don't know, it was before my time. Anyway thanks for your help!!
0
 
EvaUnit01Commented:
Well technically I have it placed in an OU where all sub OUs hold Workstations and not Servers.

You can configure this in: computer config --> windows settings --> security settings --> restricted groups. Any computer which you do not want to apply this GPO to you can add to the security permissions and hit the deny group policy checkbox.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Control the membership of the local Administrators group on all client computers to include the following accounts:

    * Administrator (local SAM account)
    * Domain Admins
    * SMS or other remote admin domain account
0
