Re: TS 2003 Restrict application usage by group




Folder redirection is a User Configuration. If defined in a GPO
which is linked to the TS OU, folders will *never* be redirected,
unless you use loopback processing.

And about your Default user profile approach: I thought that you
wanted to enforce different application restrictions for different
user groups? You can have only one Default User profile. It
wouldn't enforce anything either.

Ryan, I think that more explaining and reading isn't going to help
you. Create some OUs and GPOs, and see for yourself what happens.
That's often the moment when you suddenly see the light :-)

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"musicman" <ryantracy@xxxxxxxxxxxx> wrote on 04 nov 2005 in
microsoft.public.win2000.termserv.apps:

> Wow,
> Thanks for holding my hand here. I have several more questions
> if you have the time.
>
>>> Vera,
>>> Thanks for the response, I am now deciding whether to use your
>>> method, or to define custom software restriction policies by
>>> gpo assigned to individual groups. I must confess that your
>>> method looks considerably less involved.
>
>
>>It's really not a "one method versus the other" question.
>>Software restriction is a very elegant and powerful method to
>>enforce restrictions on what users are allowed to run, but it
>>doesn't take care of the customized desktop part.
>
> In this case couldn't you just create a local user, log in as
> that user, customize a desktop environment with all changes
> desired (subfolders, ntfs rights etc...) and copy it to the
> default user desktop folder. I am wondering if creating GPOs for
> desktop redirection is more work than is necessary?
>
>>> Questions on enabling loopback processing.
>
>>> 1. If there are no gpos linked to the terminal svcs OU that my
>>> TS servers are installed in, and the default domain gpo
>>> contains no user or computer settings - all are done at user
>>> or computer
>>> OU levels. Is loopback processing still necessary, or wouldn't
>>> blocking inheritance of any higher-level gpo's do the trick?
>
>>The point is that you want the custom desktops only when users
>>logon to the TS, not when they logon to their workstation,
>>correct? If so, then you *must* link the GPOs with the
>>redirected desktops to the OU which contains the Terminal
>>Server. And then you must use loopback processing.
>
> Still confused here. If the user and computer objects are
> located in separate OUs than the TS OU, then I am at a loss as
> to why a GPO with folder redirection that's only applied to the
> TS OU would affect users at any other time than when they log
> into the TS. Thus why is loopback processing necessary on the TS
> GPO?
>
>
>>> 2. Must loopback processing be enabled because of user
>>> settings that may be applied from the OU that contains the
>>> user object?
>
>
>>Loopback processing is needed when you want to use certain user
>>settings when users log on to a certain computer (i.e. a TS),
>>irrespective of where the user account is located and which GPOs
>>are linked to the OU which contains the user accounts.
>
> Again, if there is a GPO applied to the TS OU, wouldn't it by
> default, process changes as the user logs into a TS session? Is
> there a need for loopback processing to be enabled if you have
> no user settings from another GPO linked at another OU being
> applied?
>
>>> 3. Do settings linked to the OU that contains the user's
>>> computer object apply to the terminal services session, or are
>>> they only applicable to login on the local workstation?
>
>
>>This is explained in the MS article 231287, but I'll try to reword
>>it:
>>under normal conditions, when users logon they are affected by
>>a) the computer settings from the GPO which is linked to the OU
>>which contains their computer account (either workstation or TS)
>>b) the user settings from the GPO which is linked to the OU that
>>contains the user account (irrespective of the computer they
>>logon to)
>
>>So if you enforce restrictions in the user settings of a GPO
>>linked to the user account OU, it will restrict them always,
>>everywhere (both workstation and TS logon). That is normally
>>not what you want to achieve. And that's why you want to use
>>loopback processing in the GPOs linked to the TS OU.
>
> I guess that this is what I'm getting to. If there are
> restrictions applied via GPO at user and computer OUs, and
> another set of more restrictive user and/or computer settings
> applied via GPO at the TS OU, won't the most restrictive version
> of the changes be applied?
>
> Please forgive the lengthy dialogue, I have done a lot of
> reading on loopback processing, and am still unclear as to why
> it's necessary if your gpos are applied at different OUs.
> Thanks,
> Ryan
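
The processing order discussed in this thread (normal processing versus loopback in merge or replace mode), as an added example that is not part of the original posts. It is a simplified Python model: the OU paths, setting names and values are constructed, and block inheritance, enforced links and security filtering are not modelled.

```python
# Simplified model of how User Configuration settings are resolved at logon.
# All OU paths, setting names and values are constructed for illustration.

# User Configuration settings of the GPOs linked to each container.
USER_CONFIG = {
    "corp": {"ScreenSaverTimeout": "900"},
    "corp/Staff": {"Desktop": "local profile", "AllowedApps": "unrestricted",
                   "HomePage": "intranet"},
    "corp/TerminalServers": {"Desktop": r"\\fs01\ts-desktops",
                             "AllowedApps": "office-only"},
}


def gpo_chain(ou_path):
    """Containers whose GPOs are in scope, parent first (so the closest OU wins)."""
    parts = ou_path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def apply_user_config(ou_path, base=None):
    """Apply user settings along the chain; later links overwrite earlier ones."""
    result = dict(base or {})
    for container in gpo_chain(ou_path):
        result.update(USER_CONFIG.get(container, {}))
    return result


def effective_user_settings(user_ou, computer_ou, loopback=None):
    """loopback is None (disabled), "merge" or "replace"."""
    if loopback is None:
        # Only GPOs in scope of the user object contribute user settings;
        # user settings linked to the computer's OU are ignored.
        return apply_user_config(user_ou)
    if loopback == "replace":
        # Only GPOs in scope of the computer object contribute user settings.
        return apply_user_config(computer_ou)
    if loopback == "merge":
        # The user's GPOs first, then the computer's, which win on conflict.
        return apply_user_config(computer_ou, base=apply_user_config(user_ou))
    raise ValueError(f"unknown loopback mode: {loopback!r}")


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective_user_settings("corp/Staff", "corp/TerminalServers", mode))
```

Conflicts are resolved by processing order (the last GPO applied wins), and without loopback the user settings linked to the computer's OU never enter that order at all.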