Applying User Configuration policies to non-administrators on Win2K3
- From: "Troy Dolyniuk" <troy@xxxxxxxxxxxxxxxx>
- Date: 16 Nov 2005 07:25:58 -0800
Hello,
I am experiencing a problem in applying group policies that makes no
sense to me whatsoever. Ultimately, what I'm trying to do is apply a
set of User Configuration GPOs that restrict access using loopback
configuration for when a user logs on to our Windows Server 2003
Terminal Server. This didn't work, so I came up with a test scenario
(remove the user's name from the Start menu) which is quick and easy
to check.
I created a test OU with three machines: Windows XP SP2, Windows Server
2003, Windows Server 2003 SP1. As per documentation I've read, I set
up the loopback processing as follows: one GPO enabling the Computer
Configuration policy "User Group Policy loopback processing mode"
with the mode set to Replace, and one GPO enabling the User
Configuration policy "Remove user name from Start Menu". I
performed a gpupdate /force on all the systems and rebooted. The
results were very peculiar.
On the WinXP box, when an administrator logs on, the user's name is
removed from the Start Menu. When a regular user logs on, the name is
gone again. When a regular user that has been placed in the Remote
Desktop Users group logs in via Remote Desktop, again the name is gone.
Windows XP tested perfectly.
On both Win2K3 boxes, however, things did not work perfectly. When I
logged in as the domain Administrator, the name was gone from the Start
Menu. When I logged on as a regular user in the Remote Desktop Users
group (both directly on the console and via Remote Desktop), however,
the name was there! I put the user in the local administrators group,
and then the name disappeared as it should. Remove him from local
admins, and the name is back again.
Looking at the output of gpresult /v showed the group policies were
indeed being applied. Running the scenario through the Group Policy
Modelling Wizard in the GPMC also indicated that the policy should be
applied.
I've read on many forums and even in Microsoft KB articles that using
group policy in loopback mode to restrict users while logged into
Terminal Servers is a good thing. Surely it is not expected that these
users must be granted local Administrator privileges on the TS box just
so that they can be locked down via Group Policy on Windows Server
2003; that just seems counterproductive! :)
Has anybody else experienced this and prevailed? Does anybody have any
suggestions to offer? I've spent far too much time on this problem,
but it does have to be resolved.
Thank you very much for your time!
-Troy
P.S. If possible, please reply to the newsgroup so that all may
benefit.