Re: Loopback Processing and Deny Apply in ACL

From: Anthony Yates (anthonyDINGyates_at_airDONGdesk.com)
Date: 11/12/04 

Date: Fri, 12 Nov 2004 16:01:36 -0000

Do you mean that the policy is still being actively applied, or that the
policy setting has not been reversed? Most policies are Not Configured by
default. If you Apply the policy to a user (with the loopback) then Deny it,
you do not end up back at the default setting, you stay on the last one that
was configured. Try deleting the user's terminal services profile and
recreating it.
We Deny the loopback policy to the people administering the terminal
servers, and it works fine.
Anthony

"Brian Higgins" <brian@NOSPAMaccentconsulting.com> wrote in message
news:%23yAb1cMyEHA.2572@tk2msftngp13.phx.gbl...
> I have a 2003 terminal server on a 2003 domain, I have configured my
GPO
> for the terminal server (which is in it's own OU, and enabled loopback
> processing in replace mode. everything works exactly as I would like, for
> the users, but there is a software developer that needs full,
un-restricted
> access (he does not get domain wide, just local, admin access) to this
> server to maintain and update some custom software running on the server.
>
> I have followed the steps in Q315675 and applied the same principal of
> setting the deny apply gpo setting in the acl to the user account of this
> developer (actually a security group that he is a member of), I waited for
> plenty of time for the group membership and the ACL to propigate, I then
ran
> gpupdate /force on both the machine I was running the RSOP (planning mode)
> and on the terminal server (for when running RSOP in logging mode) and
both
> RSOP datasets show that the user gpo is still applying to the user who is
> listed in the ACL with a deny entry in the apply setting.
>
> What am I missing in regards to allowing this (and any other user in
the
> future) the ability to logon to the terminal server without getting locked
> down by my terminal restrictions gpo?
>
> Any help here would be apprecieated.
>
> Thanks.
> - Brian
>
>

Relevant Pages

  • Re: Loopback Processing and Deny Apply in ACL
    ... The actual group policy is being applied to the user logon, ... If you Apply the policy to a user then Deny ... >> for the terminal server (which is in it's own OU, ... >> setting the deny apply gpo setting in the acl to the user account of this ...
    (microsoft.public.win2000.group_policy)
  • Re: Group POlicy not being applied to groups in OU
    ... I realise that technically GPO should be applied to a container. ... The situation is that I have a terminal server ... users into a container and apply a policy - it works, ... > Deny permissions override allow permissions. ...
    (microsoft.public.windows.group_policy)
  • Re: Prevent users from launching tsadmin.exe?
    ... I wouldn't add a "Deny" ACL, I would add an ACL which ensures that ... Keep in mind that a "Deny" rule overrides ... MCSE, CCEA, Microsoft MVP - Terminal Server ... TS troubleshooting: http://ts.veranoest.net ...
    (microsoft.public.windows.terminal_services)
  • Re: Lock down a Terminal Service server
    ... so long as you give Deny "Apply Group Policy" on the ACL of the policy. ... Normal users will be logging onto a Terminal Server in its own OU. ... In the Group Policy tab of Active Directory Users and Computers highlight ...
    (microsoft.public.windows.terminal_services)
  • Re: How to exclude from group policy
    ... solution) or you could use the ACL on the policy itself to Deny Read & Apply ... Policy to those computer accounts. ... How can I exclude servers from this policy? ...
    (microsoft.public.win2000.group_policy)
Loading