Re: Loopback processing with DC and Terminal Server
From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 04/23/04
- Next message: metsalam: "Custom ADM-file"
- Previous message: Greg Wake: "Loopback processing with DC and Terminal Server"
- In reply to: Greg Wake: "Loopback processing with DC and Terminal Server"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 22 Apr 2004 18:18:00 -0700
greg.wake@alphawest.com.au (Greg Wake) said
> I hope someone has some words of wisdom to help me out.......
>
> Scenario: Windows 2003 SBS Server and Windows 2003 Server (Standard).
> The 2003 SBS Server is the DC, File&Print, E-Mail, etc. The 2003
> Server is running terminal services. Users are running on XP
> workstations and require access to both their workstation apps, as
> well as apps located on the terminal server. There is no single group
> of users who only use terminal services.
>
> I've implemented group policies (Windows 2003 SBS is the DC). I have
> a policy for terminal services which locks down users in a terminal
> services session so that they only have access to the apps required.
> It is well locked down!
>
> Without loopback processing enabled on the client, the terminal
> services policy is enforced on the XP workstation and doesn't allow
> the user to access pretty much anything on their PC.
>
> I've enabled loopback processing, firstly with "Merge". This did not
> appear to give me what I expected (A combination of both local policy
> and group policy). I changed this to "Replace" and this appears to
> work well, however, any alterations to the group policies do not get
> reflected on the client.
>
> There must be a better way of doing this. The problem I have all
> stems to the fact that users are both workstation and terminal service
> users. Therefore they reside in the same OU. I do not want to create
> 2 accounts for each person - 1 for workstation logon and another for
> Terminal Services (This would allow me to create Terminal Services
> users in a separate OU and apply my terminal services lockdown policy
> to that OU.)
>
> Is there something better than loopback processing that will let me
> fix this?
>
Loopback is what you are after, but the way you are implementing it is
incorrect for what you are trying to achieve. It sounds like you have a
normal GPO for the terminal servers and loopback for the users, when you
should be doing it the other way around.
What you need to do is place the Terminal Services servers in their own OU
and apply the locked down Loopback GPO to that OU only. That way any user
logging into TS will have the User portion of the GPO applied on the TS
session, even though you have specified it for an OU that contains computer
accounts.
Logging into their own PCs will not cause the GPO to be applied as their
computer accounts do not reside in the OU.
> Incidentally, if anyone knows how to enable loopback processing from
> within group policy I would be most grateful. Modifying local policies
> on the client rather than using group policy is time consuming and
> annoying.
>
When you create the GPO in the Terminal Services OU, browse to
Administrative Templates/System/Group Policy then enable the Loopback
Policy.
-- Andy
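
The layout described in the reply above, scripted as an added example that is not part of the original message. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT), which postdate the Windows 2003 tooling in the thread; the domain, OU, server and GPO names are hypothetical placeholders.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = 'DC=example,DC=local'        # placeholder domain
$OuName   = 'Terminal Servers'           # placeholder OU for TS computer accounts
$TsServer = 'TS01'                       # placeholder terminal server name
$GpoName  = 'TS Lockdown (Loopback)'     # placeholder GPO name
$OuDN     = "OU=$OuName,$DomainDN"

# Loopback mode: 1 = Merge, 2 = Replace.
# Replace applies only the user settings of GPOs scoped to the computer's OU,
# so policies linked to the users' own OU do not reach the TS session.
$LoopbackMode = 2

# 1. Put the terminal server's computer account in its own OU.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
Get-ADComputer -Identity $TsServer | Move-ADObject -TargetPath $OuDN

# 2. Create the GPO that will carry the locked-down User Configuration.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
}

# 3. Enable loopback in the Computer Configuration half of that GPO.
#    UserPolicyMode is the registry value behind the loopback setting under
#    Administrative Templates/System/Group Policy.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $LoopbackMode | Out-Null

# 4. Link the GPO only to the terminal server OU, never to the users' OU,
#    so workstation logons are unaffected.
if (-not ((Get-GPInheritance -Target $OuDN).GpoLinks |
          Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# 5. Report which GPOs now apply to the OU, for review.
(Get-GPInheritance -Target $OuDN).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled
```

The lockdown settings themselves still go in the User Configuration of the same GPO; run `gpupdate /force` on the terminal server so it picks up the loopback setting before users log on.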