Re: TS 2003 Restrict application usage by group


Wow,
Thanks for holding my hand here. I have several more questions if you
have the time.

>> Vera,
>> Thanks for the response, I am now deciding whether to use your
>> method, or to define custom software restriction policies by gpo
>> assigned to individual groups. I must confess that your method
>> looks considerably less involved.


>It's really not a "one method versus the other" question. Software
>restriction is a very elegant and powerful method to enforce
>restrictions on what users are allowed to run, but it doesn't take
>care of the customized desktop part.

In this case couldn't you just create a local user, log in as that
user, customize a desktop environment with all changes desired
(subfolders, NTFS rights etc...) and copy it to the default user
desktop folder? I am wondering if creating GPOs for desktop redirection
is more work than is necessary?

>> Questions on enabling loopback processing.

>> 1. If there are no gpos linked to the terminal svcs OU that my
>> TS servers are installed in, and the default domain gpo contains
>> no user or computer settings - all are done at user or computer
>> OU levels. Is loopback processing still necessary, or wouldn't
>> blocking inheritance of any higher-level gpo's do the trick?

>The point is that you want the custom desktops only when users
>log on to the TS, not when they log on to their workstation, correct?
>If so, then you *must* link the GPOs with the redirected desktops
>to the OU which contains the Terminal Server. And then you must use
>loopback processing.

Still confused here. If the user and computer objects are located in
separate OUs than the TS OU, then I am at a loss as to why a GPO with
folder redirection that's only applied to the TS OU would affect users
at any other time than when they log into the TS. Thus why is loopback
processing necessary on the TS GPO?


>> 2. Must loopback processing be enabled because of user settings
>> that may be applied from the OU that contains the user object?


>Loopback processing is needed when you want to use certain user
>settings when users log on to a certain computer (i.e. a TS),
>irrespective of where the user account is located and which GPOs
>are linked to the OU which contains the user accounts.

Again, if there is a GPO applied to the TS OU, wouldn't it by default,
process changes as the user logs into a TS session? Is there a need for
loopback processing to be enabled if you have no user settings from
another GPO linked at another OU being applied?

>> 3. Do settings linked to the OU that contains the user's
>> computer object apply to the terminal services session, or are
>> they only applicable to login on the local workstation?


>This is explained in the MS article 231287, but I'll try to reword
>it:
>under normal conditions, when users log on they are affected by
>a) the computer settings from the GPO which is linked to the OU
>which contains their computer account (either workstation or TS)
>b) the user settings from the GPO which is linked to the OU that
>contains the user account (irrespective of the computer they log on
>to)

>So if you enforce restrictions in the user settings of a GPO linked
>to the user account OU, it will restrict them always, everywhere
>(both workstation and TS logon). That is normally not what you
>want to achieve. And that's why you want to use loopback processing
>in the GPOs linked to the TS OU.

I guess that this is what I'm getting to. If there are restrictions
applied via GPO at user and computer OUs, and another set of more
restrictive user and/or computer settings applied via GPO at the TS OU,
won't the most restrictive version of the changes be applied?

Please forgive the lengthy dialogue, I have done a lot of reading on
loopback processing, and am still unclear as to why it's necessary if
your gpos are applied at different OUs.
Thanks,
Ryan
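
Added example (not part of the original post): a simplified Python model of the rule in the quoted replies and MS article 231287, showing which GPOs supply User Configuration settings with and without loopback. The OU names, GPO names and setting values are constructed; site and domain links, inheritance blocking, enforcement and security filtering are left out.

```python
# Simplified model: which GPOs supply *user* settings at logon.
# All OU names, GPO names and values below are constructed samples.

GPO_LINKS = {
    "OU=Staff": [
        {"name": "Staff-Desktop",
         "user": {"DesktopFolder": "local profile",
                  "HideRunMenu": False,
                  "ScreenSaverTimeout": 600}},
    ],
    "OU=Workstations": [{"name": "WS-Baseline", "user": {}}],
    "OU=TerminalServers": [
        {"name": "TS-Lockdown",
         "user": {"DesktopFolder": r"\\server\share\tsdesktop",
                  "HideRunMenu": True}},
    ],
}


def user_settings_from(ou):
    """Combine the User Configuration halves of every GPO linked to one OU."""
    merged = {}
    for gpo in GPO_LINKS.get(ou, []):
        merged.update(gpo["user"])
    return merged


def effective_user_settings(user_ou, computer_ou, loopback=None):
    """Return the user settings in effect for one logon.

    loopback=None      normal processing: only the user's OU is consulted
    loopback="replace" only the computer's OU is consulted
    loopback="merge"   user's OU first, then computer's OU wins on conflict
    """
    if loopback is None:
        return user_settings_from(user_ou)
    if loopback == "replace":
        return user_settings_from(computer_ou)
    if loopback == "merge":
        merged = user_settings_from(user_ou)
        merged.update(user_settings_from(computer_ou))
        return merged
    raise ValueError("loopback must be None, 'merge' or 'replace'")


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective_user_settings("OU=Staff", "OU=TerminalServers", mode))
```

In the normal case the user half of the GPO linked to the terminal server OU is never read, because the user object is not in that OU.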
