Solved

Create Group Policy for users that are not part of the domain

Posted on 2014-04-03
Last Modified: 2014-04-30
I need to create a group policy to restrict and assign some security to a few users who are not part of my domain.

I have a few vendors who will need to have access to one piece of software on my network and that's it. I don't want to create new users that are part of my whole environment, but just of a remote desktop computer (Server 2003 terminal server).

I created a test user locally on the server. So far I can log into the remote desktop by using the name of the computer and not the name of my domain, so that's good. Now I would like to restrict this account from seeing local drives, and other things like that which I already set up under Group Policy Management. The problem is that I don't see where to add my local users to the policies; it seems that the policy can only be created for my forest/domain.

How can I add local users to my policies, or how can I create policies for local users only?
Thanks
Question by:taverny
22 Comments
 
LVL 16

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 50 total points
ID: 39976344
Create a local user on the computer.

To open the Local Group Policy Editor from the command line:

• Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

To open the Local Group Policy Editor as an MMC snap-in:

1. Open MMC. (Click Start, click in the Start Search box, type mmc, and then press ENTER.)

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.

4. In the Select Group Policy Object dialog box, click Browse.

5. Click This computer to edit the Local Group Policy object, or click Users to edit Administrator, Non-Administrator, or per-user Local Group Policy objects.

6. Click Finish.

Go to the policy that you want to allow user access to.
 
LVL 9

Expert Comment

by:discgman
ID: 39976346
You can use gpedit.msc to edit local group policy.

http://technet.microsoft.com/en-us/library/cc787064(v=ws.10).aspx
 
LVL 35

Expert Comment

by:Mahesh
ID: 39976431
Just put the server in one OU in Active Directory, then do whatever restriction settings you want in one GPO and apply it to that OU.

In the same GPO, enable GPO loopback processing mode in replace mode at the below path:

Computer configuration\administrative templates\system\group policy

Now, no matter who logs on to the computer (local terminal server user OR domain user), the restrictions will be applied to all users.

The benefit of the above setting is that local users cannot change the applied policy, and if they try to change the policy, the domain-level policy won't allow that due to loopback processing being enabled.

Hope that helps.

Mahesh.
 

Author Comment

by:taverny
ID: 39976557
Thank you for your responses.

giveandtake638, I was able to modify one object and it did apply to all my local users, but how do I restrict that to only a few local users? I don't see where I can choose my users.

Mahesh, I did like your option, but that didn't work as an OU. I already had my server under an OU called Terminal Servers, but I couldn't add an OU under the security filtering of Group Policy Management, so I created a universal security group and added my server to it. Then I was able to add it to my GP Object, but nothing happens to my user logging in. The policy doesn't seem to work. Anything you might think of?

Thanks
 
LVL 35

Expert Comment

by:Mahesh
ID: 39976593
You don't have to create an extra OU if you already have one.

Why are you using security filtering? Do you have multiple terminal servers in the OU?

All you need to do is apply the GPO with loopback processing mode enabled to the OU containing the terminal server, and then allow users to log on.

Maybe you can try the below:
On the Terminal Servers OU, ensure that the affected terminal server is within that OU.
Then add the GPO on the Terminal Servers OU with loopback processing mode enabled in replace mode, and then add the required terminal server object in security filtering.

I think you have done it a similar way, hopefully.

Please check if it's working on domain users first and, if yes, then check with local users.

Mahesh.
 

Author Comment

by:taverny
ID: 39976654
Mahesh,

I couldn't add the OU to the GPO, so that's why I created a security group.

Under Group Policy Management, this is where I am adding the group. Am I doing it wrong? See the attached snapshot of the screen.
Thanks
Capture123.PNG
 
LVL 35

Expert Comment

by:Mahesh
ID: 39976671
You are not doing anything wrong.

Only when Authenticated Users is there will the policy apply to all servers in the Terminal Servers OU.
Hence remove Authenticated Users from security filtering so that the policy will be applied only to the other group listed there in security filtering (I guess it is the group which contains the terminal server object).
Just ensure that the terminal server remains within the Terminal Servers OU.
Then just run gpupdate /force on the domain controller and on the terminal server as well.

Just wondering, have you enabled group policy processing mode in replace mode in the same GPO or not? Otherwise the GPO will fail.

Mahesh.
 

Author Comment

by:taverny
ID: 39976714
Mahesh,

Sorry, I was wrong regarding the OU. So far I have the OU called Terminal Servers with each of my group policies under that, and this has been working fine for years the way I had it for my domain users. Now I just want to add my local users to it as well.

So what I did, as you can see, is create a security group under my Active Directory and add the name of my remote desktop computer; then I added this security group under the security filtering of each policy. And yes, the loopback policy is enabled properly.

I did gpupdate as mentioned and still nothing.
I am sure it's something stupid that I am missing. Could it be on the user side that I messed up something?

This is how I set up my users:
1. Go to Computer Management
2. Click on Local Users and Groups, then Users
3. Create the users
4. Under Groups, add the created users to the Remote Desktop Users group
 
LVL 35

Expert Comment

by:Mahesh
ID: 39976742
Oh, that's not what I meant.

You don't have to add remote desktop computers in security filtering.

The GPO should be applied to the terminal server only.

Let me know if the affected terminal server is within that OU. If not, please move it there first.

Then just remove that group and Authenticated Users from there and add only the terminal server account in security filtering.

Then run gpupdate /force on the DC and the terminal server; maybe you can reboot the terminal server once and check if it works, please.
 

Author Comment

by:taverny
ID: 39976755
Yes, the OU has the terminal server and also the security group that I created, which also has the server in it. See below.

PSHRDP1 is the name of my terminal server.

When you say "add only terminal server account in security filtering", do you mean the name of the server, or the names of my users?
 

Author Comment

by:taverny
ID: 39976759
Here is the attachment.
Capture333.PNG

 
LVL 35

Expert Comment

by:Mahesh
ID: 39976768
I mean the terminal server computer account only.
 

Author Comment

by:taverny
ID: 39976780
Sorry if I don't get it; you mean the name of the computer, "PSHRDP1"?
I just did that and still nothing after the update.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39976796
OK.

If it's not working with local user accounts on the terminal server, then you need to use domain accounts and check if it's working.
 

Author Comment

by:taverny
ID: 39976799
Maybe it applies only to the users authenticated with the domain, and not to local users?
 

Author Comment

by:taverny
ID: 39976801
Domain accounts are working; only the local accounts are not working.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39977417
Yes, you are right.
Local accounts are logging on to the local system, hence domain policies won't be enforced on those accounts.

Hence it's advisable to create standard domain user accounts and grant them RDP rights on the terminal server with restricted rights.

Mahesh.
 

Author Comment

by:taverny
ID: 39978410
The purpose of creating local accounts was for me not to have to buy extra licenses for the domain. Today it's only 10 licenses, but in a few months I will have to add quite a few more.

So far this is what I've got:

- Group Policy Management can only apply settings to domain users.

- The Group Policy Object Editor applies settings to DOMAIN USERS and also LOCAL USERS, but where I am stuck is: how can I control from the GPO editor which specific local users it applies to?

If someone can help me with that, then the question is answered.

Thanks
 

Author Comment

by:taverny
ID: 39978429
I just thought about something. Do you think I can set up all the policies by running a logon script?
If so, how do I do that?
 
LVL 35

Expert Comment

by:Mahesh
ID: 39978672
If you can share what policies/settings you are looking for, we can help.
 

Author Comment

by:taverny
ID: 39978683
OK, let's start with one for now, then I can maybe figure it out:
"remove run menu from start menu"
 
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 450 total points
ID: 39978962
OK.
I have tested your scenario in my lab.
Settings are not applying to local users.

Now coming to the license point of view:

No matter whether you log on to the terminal server with local accounts or domain accounts, you have to purchase standard server CALs and RDS (terminal) CALs.

Now, if you are using only a few common local user accounts for logging on to the terminal server with RDP (I mean if you are giving the same account to multiple users) from multiple devices, then your thinking is technically perfectly right; however, the same thing can be applicable to domain users as well if you allow a single account to be used by multiple physical users.
Also, with local users you will not get Active Directory and GPO benefits.

However, if you are creating local user accounts equal to your physical users (1 local user per physical user), then you would require that many standard server CALs and RDP CALs, because according to me Microsoft defined that accessing server software through a user or device (computer) would require either one user or one device CAL.
What I mean is that local user licenses are not free.
http://www.microsoft.com/en-in/licensing/about-licensing/client-access-license.aspx

Hence it's better to use domain user accounts for accessing terminal servers, which gives you better control and a restricted environment for the user.

Now coming to the last point: by using logon scripts for local users, you need to define those in gpedit.msc on the terminal server, and then they will get applied to all users; and the logon scripts would be pretty complicated, as for most of the policy settings you would be required to toggle various registry values.

Hence I request you to go with domain accounts only, honestly.

Mahesh.
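As an added example (not code from the thread or from any of its participants), this is the kind of logon script Mahesh alludes to: it applies the "remove Run menu from Start menu" setting taverny picked by writing the registry value that the matching Group Policy setting toggles (NoRun under the per-user Policies\Explorer key), but only for members of one local group, which is the per-user targeting the local GPO editor does not offer. The group name RDPVendors and the availability of Windows PowerShell on the terminal server are assumptions; the script is registered under User Configuration > Windows Settings > Scripts (Logon) in gpedit.msc, as Mahesh describes, so it runs at every local logon and the membership test decides who is restricted.

```powershell
# Added example, not from the thread. Logon script for the terminal server that
# applies the "Remove Run menu from Start Menu" restriction only to members of
# one local group. "RDPVendors" is a hypothetical group created in Computer
# Management > Local Users and Groups, alongside Remote Desktop Users.
$TargetGroup = 'RDPVendors'

# Group Policy implements this setting as a DWORD under the per-user Policies
# key, so a logon script running as the user can write the same value.
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-LocalGroupMembership {
    param([string]$GroupName)
    # Resolve the local group to its SID and compare it with the SIDs in the
    # logon token, rather than string-matching group names in varying formats.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $account  = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $GroupName)
    try {
        $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Local group '$GroupName' does not exist on $env:COMPUTERNAME"
        return $false
    }
    return [bool]($identity.Groups -contains $groupSid)
}

function Set-ExplorerRestriction {
    param([string]$Name, [switch]$Enabled)
    # Idempotent: sets the value for group members and removes it for everyone
    # else, so taking a user out of the group lifts the restriction at next logon.
    if ($Enabled) {
        if (-not (Test-Path $ExplorerPolicyKey)) {
            New-Item -Path $ExplorerPolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $ExplorerPolicyKey -Name $Name -Value 1 -Type DWord
    } elseif (Test-Path $ExplorerPolicyKey) {
        Remove-ItemProperty -Path $ExplorerPolicyKey -Name $Name -ErrorAction SilentlyContinue
    }
}

$isVendor = Test-LocalGroupMembership -GroupName $TargetGroup
Set-ExplorerRestriction -Name 'NoRun' -Enabled:$isVendor
```

Because the value lives in the user's own HKCU hive, this approach has none of the tamper resistance Mahesh attributes to a domain GPO with loopback processing, and each further setting means another registry value to look up, which is exactly the complexity he warns about.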
