wfgllc
asked on
Understanding GPO, OU and User Groups in TS/RDC Environments
I need help understanding the relationship of the “Terminal Service Users Groups” and the “Remote desktop users group” as they mix in Active Directory with organizational units (OU’s) and group policy objects (GPO’s).
I have a GPO that has some desirable things for folks using TS or RDC, like a setting to hide the control panel. OU’s appear in the group policy management console and the active directory users and computers console; GPO’s are applied to OU’s – got it.
In Active Directory Users and Computers, by putting people in a certain OU, and on the GPM side, applying a GPO to an OU, then the users (or computer) will get the GP settings applied.
In a best practices approach, I should combine all of my TS/RDC restrictions into one GPO. Then apply the GPO to any OU (HR, marketing, finance) that might need access to this new terminal server, right?
Question 1: The domain is 2003 and the RDC is 2008; how do the entries of the GPO align? Are there some missing settings because the domain is 2003?
Question 2: Let’s say Bob signs on to his PC. He’s in (group policy management) the marketing OU, which has a GPO with TS/RDC restrictions applied. None of this kicks in until Bob makes an RDC connection, right?
In the AD users and computers “member of” tab, I see Bob is a member of: domain users, marketing group and remote desktop users.
Question 3: Bob can’t sign in to the new RDC server, because he’s missing the Terminal services users membership. If I give Bob that group, then he can TS into my domain controllers, in addition to the one new RDC server with the application he really needs. How do I let Bob have access to one specific RDC server, but keep him out of my domain controllers?
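As an added example (not part of the question above or of the member-only answer), here is a PowerShell audit that shows where an account picks up RDP logon rights through the local "Remote Desktop Users" group on a list of servers, which is the check behind Question 3. It uses the ADSI WinNT provider so it runs on Windows 2003/2008 era PowerShell; the server names and the CONTOSO\bob account are constructed placeholders.

```powershell
# Enumerate the direct members of the local "Remote Desktop Users" group on a
# machine via the ADSI WinNT provider and return one object per member.
function Get-RdpGroupMembers {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # On a member server this is BUILTIN\Remote Desktop Users, local to that box.
    # On a domain controller the BUILTIN group is shared by every DC in the domain,
    # so an account added there can log on to all DCs, not just the one you used.
    $group = [ADSI]"WinNT://$ComputerName/Remote Desktop Users,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read Name and ADsPath reflectively.
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/bob; normalise it to CONTOSO\bob.
        $account = ($path -replace '^WinNT://', '') -replace '/', '\'
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Member   = $account
            Name     = $name
        }
    }
}

# Report the servers on which $Account is a direct member of the RDP group.
function Test-RdpExposure {
    param(
        [Parameter(Mandatory = $true)][string]$Account,    # e.g. 'CONTOSO\bob'
        [Parameter(Mandatory = $true)][string[]]$Servers
    )
    # Only direct members are listed: a nested group (say, Domain Users placed in
    # Remote Desktop Users) is not expanded, so check such entries separately.
    # Membership also only matters while the effective security policy still grants
    # the group the "Allow log on through Terminal Services" user right; a GPO on
    # the server's OU can override that, so confirm the right as well.
    foreach ($s in $Servers) {
        Get-RdpGroupMembers -ComputerName $s |
            Where-Object { $_.Member -ieq $Account } |
            Select-Object Computer, Member
    }
}

# Constructed sample run: one terminal server and one domain controller.
Test-RdpExposure -Account 'CONTOSO\bob' -Servers @('TS01', 'DC01') |
    Format-Table -AutoSize
```

If the account appears for DC01, it was added to the domain's shared BUILTIN group rather than only to the terminal server's local group, which is the over-grant the question is worried about.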