Re: authenticate user group on TS loop back cont'd:



Anthony,

I am actually just trying to determine the "right" way to do this.
Unfortunately it seems that many ways will work. As a rule, it seems that
leaving the authenticated user groups on GPOs means that you then have to
deny it to anyone that would end up being an authenticated user. Remember,
I am asking this question not only for GPOs with loopback enabled, but for
other policies I create too. Or any policy for that matter.

It seems that leaving the authenticated users group on these policies leaves
them wide open or causes more work by then having to deny people or
computers from having them applied, when you could have just specified who
should get what by limiting access to only those for whom policies should
apply via security filtering. Of course, segregating using an OU takes away
half the battle....

For clarification, I have followed the instructions in this article:
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html
except in step 8, I removed "authenticated users". Works just fine.

Do you see what I mean? Seems there is more than one way to skin the cat.
Can you help me understand?

Thanks again,

Kristin




"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:eCdXqSsiIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Kristin,
There's something odd going on there. You need the user configuration
section in the policy that has loopback applied. So the computer applies
the policy, and realises that it needs to apply the user configuration
policies to all users in place of their normal user policies.
Although you can remove Authenticated Users, in normal usage you would not
need to. The whole point of loopback is to say, "Regardless of your normal
policies, when you log on to this computer apply these instead". You can
then Deny it to administrators simply because it makes it hard to
administer the TS otherwise. Who or what are you trying to prevent the
policy applying to by removing Authenticated Users?
Anthony
http://www.airdesk.co.uk





"Kristin Griffin" <kristin.l.griffin@xxxxxxxxx> wrote in message
news:eiU0XmriIHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
Hi guys, thanks for your comments. I am reposting this, so that it's
easier to see that I wrote back to you all.

I was not clear before. I have my terminal servers in their own OU.
I have one TS computer policy (with the user policy portion disabled)
and one TS user policy (with the computer policy portion disabled).
I have taken the authenticated users group off of both and added:
A domain TS computers group to the computer policy
and a domain TS users group to the user policy.
Everything seems to be working as needed. I just want to be working ok.
I just want to be sure I don't need to have authenticated users group in
there for some reason that I did not take into consideration here.

Thanks again! Kristin

The thread I refer to is copied below:

Do I need to include the Authenticated users group in the security
filtering of a computer policy GPO for terminal server farm that implements
loopback processing? Or can I just include the computer group that the
terminal servers are a member of? Thanks!

Kristin

Hi Kristin,
If you remove Authenticated Users, the policies will apply as follows:
- Computer configuration only to computers in the computer group you have
added
- User configuration only to users in any user groups you have added.
The most common configuration is to put the terminal servers in their own
OU, keep Authenticated Users, and add a Deny for people like administrators
to whom you do not want the User Configuration policies to apply.
Hope that helps,
Anthony
http://www.airdesk.co.uk


Anthony is right. Your best approach is separating the Terminal Server
into a different OU and applying the loopback policy to it. That makes
things easier.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
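
The security-filtering setup discussed in this thread, scripted with the GroupPolicy PowerShell module, as an added example that is not part of the original posts. The GPO names and group names are hypothetical placeholders, and as a choice made here the script leaves Authenticated Users with read-only access (so clients can still read the GPO) instead of removing the group outright as described in the thread.

```powershell
# Added example (not from the thread). Needs the GroupPolicy module (GPMC/RSAT).
# GPO and group names below are hypothetical placeholders.
Import-Module GroupPolicy

function Set-GpoApplyFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ApplyGroup
    )
    # Drop Authenticated Users from Read+Apply to Read only. -Replace is needed
    # because without it an existing higher permission level is kept.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Read + Apply for the one group that should receive the policy.
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

function Get-GpoApplyTrustee {
    param([Parameter(Mandatory)] [string] $GpoName)
    # Names of every trustee that still holds the Apply permission on the GPO.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# One computer-side GPO and one user-side GPO, each filtered to a single group.
$filters = @{
    'TS Computer Policy' = 'TS Computers'
    'TS User Policy'     = 'TS Users'
}

foreach ($gpo in $filters.Keys) {
    Set-GpoApplyFilter -GpoName $gpo -ApplyGroup $filters[$gpo]

    # Audit: flag any trustee other than the intended group that can still apply.
    $unexpected = Get-GpoApplyTrustee -GpoName $gpo |
        Where-Object { $_ -ne $filters[$gpo] }
    if ($unexpected) {
        Write-Warning "$gpo still applies to: $($unexpected -join ', ')"
    } else {
        Write-Output "$gpo applies only to $($filters[$gpo])"
    }
}
```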







