
Understanding GPO, OU and User Groups in TS/RDC Environments

wfgllc asked on
Windows Server 2003, Active Directory, Windows Server 2008
I need help understanding the relationship of the “Terminal Service Users Groups” and the “Remote desktop users group” as they mix in Active Directory with organizational units (OUs) and group policy objects (GPOs).

I have a GPO that has some desirable things for folks using TS or RDC, like a setting to hide the control panel. OUs appear in the Group Policy Management console and the Active Directory Users and Computers console; GPOs are applied to OUs – got it.

In Active Directory Users and Computers, by putting people in a certain OU, and on the GPM side, applying a GPO to an OU, then the users (or computer) will get the GP settings applied.

In a best practices approach, I should combine all of my TS/RDC restrictions into one GPO.  Then apply the GPO to any OU (HR, marketing, finance) that might need access to this new terminal server, right?

Question 1:  The domain is 2003 and the RDC is 2008; how do the entries of the GPO align?  Are there some missing settings because the domain is 2003?

Question 2: Let’s say Bob signs on to his PC. He’s in (group policy management) the marketing OU, which has a GPO with TS/RDC restrictions applied.  None of this kicks in until Bob makes an RDC connection, right?

In the AD users and computers “member of” tab, I see Bob is a member of: domain users, marketing group and remote desktop users.

Question 3:   Bob can’t sign in to the new RDC server, because he’s missing the Terminal services users membership.  If I give Bob that group, then he can TS into my domain controllers, in addition to the one new RDC server with the application he really needs.  How do I let Bob have access to one specific RDC server, but keep him out of my domain controllers?
Director of Information Technology

Andrew Hancock - VMware vExpert