psanjoy
asked on
Terminal server access restriction
I need to grant terminal server access to a specific group of users with limited rights(only shutdown, log off and Restart) through Group policy.
Please advice
Please advice
ASKER
Thanks for your support.
I have created a GP object and linked to servers OU. How can I link same to a specific group of users?
I have created a GP object and linked to servers OU. How can I link same to a specific group of users?
Oh remember there'll be a time delay before the policies take affect and some (machine based) may require a restart of the servers whilst others (user based) may require a logoff and logon to take affect.
Worth bearing in mind if you have a policy or two that don't appear to kick in.
Also - you may want to be careful. When you say you've applied the policy to the servers OU if this is all servers and not just terminal servers, it'll apply across them all and you may get unintended results.
Worth bearing in mind if you have a policy or two that don't appear to kick in.
Also - you may want to be careful. When you say you've applied the policy to the servers OU if this is all servers and not just terminal servers, it'll apply across them all and you may get unintended results.
ASKER
Thanks for your support.
I have created a GP object and linked to servers OU and applied to a specific group. I added effective user to the Remote Desktop users group of linked servers too.
But still the policy doesnt work properly. pls help me
I have created a GP object and linked to servers OU and applied to a specific group. I added effective user to the Remote Desktop users group of linked servers too.
But still the policy doesnt work properly. pls help me
Which settings did you apply?
If they are computer settings, remember to enable loopback policy processing in the group policy.
If they are computer settings, remember to enable loopback policy processing in the group policy.
ASKER
User configuration-> Admin Templates-> Start menu and Taskbar then provided restricions.
Not being overwritten by other policies?
On one of the servers, can you log in as one of the (non) affected users and run rsop.msc ?
This will then tell if the policies are at least being deployed.
On one of the servers, can you log in as one of the (non) affected users and run rsop.msc ?
This will then tell if the policies are at least being deployed.
ASKER
How can I provide SHUTDOWN permissions to Remote desktop users..?
Group policy.
But it's there by default and the following removes it:
Computer Configuration > Administration Templates > System > Remove boot/ Shutdown/ logon / logoff status
Respecfully though, that's a separate issue to the one you originally raised and really should be a new question.
But it's there by default and the following removes it:
Computer Configuration > Administration Templates > System > Remove boot/ Shutdown/ logon / logoff status
Respecfully though, that's a separate issue to the one you originally raised and really should be a new question.
ASKER
First of all, I am really sorry if I have confused you.
My exact requirement is that we have few site offices with ISA servers. I just need to provide 'Shutdown privilege only' to Site -IT Administrators only these ISA servers.
Therefore, I have created separate OU on Active directory and added those ISA server into that.
Please help me to create a GP with only SHUTDOWN rights on Remote Desktop access to these servers.
My exact requirement is that we have few site offices with ISA servers. I just need to provide 'Shutdown privilege only' to Site -IT Administrators only these ISA servers.
Therefore, I have created separate OU on Active directory and added those ISA server into that.
Please help me to create a GP with only SHUTDOWN rights on Remote Desktop access to these servers.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I have done the below configurations on GPO for the AD group and server container.. Please check.
* I have created a separate OU and moved these ISA servers into that.
* Created a AD group called 'Site Admin' and added the users then associated this group to Security filtering of the GPO.
* Linked ISA Servers OU to newly created GPO (User config -> Administrative Templates -> Start Menu&Taskbar with restrictions)
* Added the users to 'Remote desktop users' group of the member servers.
Still the GPO policies are not getting activated. please assist me to resolve.
* I have created a separate OU and moved these ISA servers into that.
* Created a AD group called 'Site Admin' and added the users then associated this group to Security filtering of the GPO.
* Linked ISA Servers OU to newly created GPO (User config -> Administrative Templates -> Start Menu&Taskbar with restrictions)
* Added the users to 'Remote desktop users' group of the member servers.
Still the GPO policies are not getting activated. please assist me to resolve.
ASKER
I configured the above settings in GPO, but still the policies are not getting replicated. pls assist me to resolve the issues..
ASKER
It is working now. Thanks for your valuable comment. You can close the case
Ideally, these should be in their own OU.
Apply the restrictive group policy to your users, or preferrably a group they are members of, and turn on loopback group policy processing.
Then knock yourself out with the policies - tweak them down as tight as you want, but bear in mind if you go too far you may prevent them being able to do anything at all.