Solved

Trouble with Group Policy

Posted on 2011-03-17
19
413 Views
Last Modified: 2012-05-11
I have created a new GPO and made the changes. I linked it to the OU where the servers I wish to apply this policy are stored in. I added the AD groups I need this policy to apply to under the security filtering of the GPO. Only the User configuration is being processed. I checked and made sure that the GPO status was set to enabled. If I add the servers to the security filtering it will process regardless of who is logged in. The servers are terminal servers and I need both the computer and user configuration to apply to the AD group term_access and no other group. (Example Domain_Admin) This way when the admins login they are able to see the control panel etc. Ideas?
0
Comment
Question by:DowntownIT
19 Comments
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35157897
In security filtering did you take off the "authenticated users group" when you added the AD group?

This AD group, does it just have user accounts?
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35157927
In security filtering did you take off the "authenticated users group" when you added the AD group?
Yes

This AD group, does it just have user accounts?
Both users and groups
0
 
LVL 3

Expert Comment

by:vervenetworks
ID: 35157983
In the case of a terminal server, you may want to enable the group policy processing mode to loopback, and then use a deny apply for any administrative accounts in the GPO security filtering.
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35158042
If you add the servers to the AD group you should be fine. The computer config will be applied to the servers at boot up and the user config will be applied if that user is a part of the AD group only during login.
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35158054
Are you saying that you don't want the computer config portion to be applied when you have a domain admin log in?
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35158060
@vervenetworks
Loopback processing is set to replace. How do I use a deny apply for any administrative accounts in the GPO security filtering?

@EvaUnit01
yes
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35158077
You go to the delegation tab, then hit the advanced button, then add the domain admins group, and under permissions there is an "apply group policy" option; hit the deny checkbox and that's it!
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35158113
Bummer, it already is
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35158139
I would suggest running the group policy modeling wizard of group policy results on a domain admin account and that terminal server
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35158177
group policy modeling wizard OR results wizard*
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35158486
rsop is showing the policy being applied to the domain_admin logging in
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35158812
Try the group policy modeling wizard and results wizard though that shows the gpo's which are applied and why. It might explain why the deny group policy is being superseded. RSOP won't show you that information.
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35158983
Modeling does show that the GPO is being denied for the user configuration, not computer configuration
0
 
LVL 3

Accepted Solution

by:
EvaUnit01 earned 500 total points
ID: 35159143
Right, of course. The computer configuration is independent of users, it applies whatever you specify to that computer before login even happens. It applies user configurations once you login, which is why the USER config is being denied. I apologize about that.

I am not certain that you can deny a computer config for a select user. Like I said they are independent of each other. If I may ask what computer settings exactly are you applying that you don't want affecting your domain admin?
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35159185
Disabling Windows Installer
On the old 2003 TS somehow, someway, a user with user permissions was able to install a screensaver software package. I was trying to log down this.
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35159189
lock it down

sorry
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35159244
That should not happen at all, are you certain that user in question didn't have admin rights on the server? Can this user account still install anything on the server? Is it possible this user somehow got a hold of an accounts credentials that has admin privileges to that server?

A regular old user just cannot install things on a server, impossible. I have set up a GPO on my domain which specifies the only user/group accounts that are able to be a part of the administrators group for a local PC. Perhaps this solution could work for you?
0
 
LVL 2

Author Comment

by:DowntownIT
ID: 35159282
I don't know, it was before my time. Anyway, thanks for your help!!
0
 
LVL 3

Expert Comment

by:EvaUnit01
ID: 35159327
Well technically I have it placed in an OU where all sub OUs hold Workstations and not Servers.

You can configure this in: computer config --> windows settings --> security settings --> restricted groups. Any computer which you do not want to apply this GPO to you can add to the security permissions and hit the deny group policy checkbox.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Control the membership of the local Administrators group on all client computers to include the following accounts:

    * Administrator (local SAM account)
    * Domain Admins
    * SMS or other remote admin domain account
0
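As an added PowerShell example (not from the thread or any of its participants), the following audits the two things discussed above: which trustees have the "Apply group policy" right on a GPO (and whether it is a Deny), the loopback mode stored in the GPO, and whether a terminal server's local Administrators group holds anything beyond a Restricted Groups style allow-list. It assumes the GroupPolicy RSAT module and PowerShell 5.1 on the remote server; the GPO name 'TS Lockdown' and server name 'TS01' are placeholders.

```powershell
# Added example: audit a GPO's security filtering and loopback mode, then
# check a terminal server's local Administrators group against an allow-list.
# Assumes the GroupPolicy RSAT module (Get-GPPermission, Get-GPRegistryValue)
# and PowerShell 5.1+ (Get-LocalGroupMember) on the remote server.
Import-Module GroupPolicy

function Get-GpoApplyFilter {
    param([Parameter(Mandatory)][string]$GpoName)
    # Only trustees holding the "Apply group policy" right take part in filtering.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee = $_.Trustee.Name
                Type    = $_.Trustee.SidType   # User, Group, Computer, ...
                Access  = if ($_.Denied) { 'Deny' } else { 'Allow' }
            }
        }
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)][string]$GpoName)
    # Loopback is stored as UserPolicyMode under the computer-side System key:
    # 1 = Merge, 2 = Replace; the cmdlet throws when the value is not set.
    try {
        $v = Get-GPRegistryValue -Name $GpoName `
                 -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                 -ValueName 'UserPolicyMode' -ErrorAction Stop
        switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown($($v.Value))" } }
    } catch { 'NotConfigured' }
}

function Test-LocalAdmins {
    param([Parameter(Mandatory)][string]$ComputerName,
          [string[]]$Allowed = @('Administrator', 'Domain Admins'))
    # Restricted Groups enforces a fixed membership; this reports any extra member.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    $members | Where-Object { ($_ -split '\\')[-1] -notin $Allowed }
}

# Usage with placeholder names. A Deny row whose Type is User or Group cannot
# block the Computer Configuration: that half is evaluated against the computer
# account at boot, which is the behaviour the thread ran into.
Get-GpoApplyFilter -GpoName 'TS Lockdown' | Format-Table -AutoSize
Get-GpoLoopbackMode -GpoName 'TS Lockdown'
Test-LocalAdmins -ComputerName 'TS01'
```

Any name returned by Test-LocalAdmins is a local admin that Restricted Groups would remove on the next policy refresh, which is also the first place to look when a "regular" user turns out to be able to install software.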
