Re: authenticate user group on TS loop back cont'd:
- From: "Anthony [MVP]" <anthony@xxxxxxxxxxxx>
- Date: Fri, 21 Mar 2008 11:58:07 -0000
Hi Kristin,
There isn't really one right way, as I think you have found. The policy
applying is a combination of:
- linked to the OU where the user or computer object is
- the object having Read and Apply permissions for the policy, as a member
either of Authenticated Users (=all users and all computers) or of a
specified group
- not Denied
- user configuration applied only to user objects, and computer
configuration applied only to computer objects
- with a special case for loopback; and for password policy.
Then you have all the flexibility according to the logic of what you are
trying to do.
Hope that helps,
Anthony
http://www.airdesk.co.uk
"Kristin Griffin" <kristin.l.griffin@xxxxxxxxx> wrote in message
news:euAaG4siIHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
Anthony,
I am actually just trying to determine the "right" way to do this.
Unfortunately it seems that many ways will work. As a rule, it seems that
leaving the authenticated user groups on GPOs means that you then have to
deny it to anyone that would end up being an authenticated user.
Remember, I am asking this question not only for GPOs with loopback
enabled, but for other policies I create too. Or any policy for that
matter.
It seems that leaving the authenticated users group on these policies
leaves them wide open or causes more work by then having to deny people or
computers from having them applied, when you could have just specified who
should get what by limiting access to only those for whom policies should
apply via security filtering. Of course, segregating using an OU takes
away half the battle....
For clarification, I have followed the instructions in this article:
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html
except in step 8, I removed "authenticated users". Works just fine.
Do you see what I mean? Seems there is more than one way to skin the cat.
Can you help me understand?
Thanks again,
Kristin
"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:eCdXqSsiIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Kristin,
There's something odd going on there. You need the user configuration
section in the policy that has loopback applied. So the computer applies
the policy, and realises that it needs to apply the user configuration
policies to all users in place of their normal user policies.
Although you can remove Authenticated Users, in normal usage you would
not need to. The whole point of loopback is to say, "Regardless of your
normal policies, when you log on to this computer apply these instead".
You can then Deny it to administrators simply because it makes it hard to
administer the TS otherwise. Who or what are you trying to prevent the
policy applying to by removing Authenticated Users?
Anthony
http://www.airdesk.co.uk
"Kristin Griffin" <kristin.l.griffin@xxxxxxxxx> wrote in message
news:eiU0XmriIHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
Hi guys, thanks for your comments. I am reposting this, so that it's
easier to see that I wrote back to you all.
I was not clear before. I have my terminal servers in their own OU.
I have one TS computer policy (with the user policy portion disabled)
and one TS user policy (with the computer policy portion disabled).
I have taken the authenticated users group off of both and added:
A domain TS computers group to the computer policy
and a domain TS users group to the user policy.
Everything seems to be working as needed. I just want to be working ok.
I just want to be sure I don't need to have authenticated users group in
there for some reason
that I did not take into consideration here.
Thanks again! Kristin
The thread I refer to is copied below:
Do I need to include the Authenticated users group in the security
filtering
of a computer policy GPO for terminal server farm that implements
loopback processing? Or can I just include the computer group that the
terminal servers are a member of? Thanks!
Kristin
Hi Kristin,
If you remove Authenticated Users, the policies will apply as follows:
- Computer configuration only to computers in the computer group you
have
added
- User configuration only to users in any user groups you have added.
The most common configuration is to put the terminal servers in their
own
OU, keep Authenticated Users, and add a Deny for people like
administrators
to whom you do not want the User Configuration policies to apply.
Hope that helps,
Anthony
http://www.airdesk.co.uk
Anthony is right. Your best approach is separating the Terminal Server
into a different OU and apply the loopback policy to it. That makes
things easier.
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html
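
The two layouts discussed in this thread, compared in a simplified model of the rules Anthony lists (an added example, not written by any poster and not how Windows itself processes Group Policy). It assumes no OU inheritance, loopback in replace mode, and that loopback is set in the TS computer GPO of the two-GPO layout; all object and group names are constructed.

```python
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"  # implicitly contains every user and computer

@dataclass
class Principal:
    name: str
    ou: str
    groups: frozenset = frozenset()

@dataclass
class GPO:
    name: str
    linked_ou: str
    apply_groups: set              # groups granted Read + Apply (security filtering)
    deny_groups: set = field(default_factory=set)
    user_cfg: bool = True          # user configuration section enabled
    computer_cfg: bool = True      # computer configuration section enabled
    loopback: bool = False         # loopback (replace) set in computer configuration

def in_scope(gpo, principal, ou):
    """Linked to the OU, granted Read + Apply, and not Denied."""
    groups = set(principal.groups) | {AUTH_USERS}
    return (gpo.linked_ou == ou and not groups & gpo.deny_groups
            and bool(groups & gpo.apply_groups))

def computer_policies(gpos, computer):
    return [g.name for g in gpos if g.computer_cfg and in_scope(g, computer, computer.ou)]

def user_policies(gpos, user, computer):
    # Loopback: if any GPO the computer applies turns it on, user settings come
    # from GPOs linked at the computer's OU instead of the user's own OU.
    loop = any(g.loopback and g.computer_cfg and in_scope(g, computer, computer.ou)
               for g in gpos)
    ou = computer.ou if loop else user.ou
    return [g.name for g in gpos if g.user_cfg and in_scope(g, user, ou)]

# Constructed sample directory (all names hypothetical).
TS1 = Principal("TS1", "Terminal Servers", frozenset({"TS Computers"}))
PC1 = Principal("PC1", "Staff")
ALICE = Principal("alice", "Staff", frozenset({"TS Users"}))
ADMIN = Principal("admin", "Staff", frozenset({"Domain Admins"}))
STAFF = GPO("Staff Desktop", "Staff", {AUTH_USERS})

# Layout A: keep Authenticated Users, Deny administrators.
LAYOUT_A = [STAFF, GPO("TS Lockdown", "Terminal Servers", {AUTH_USERS},
                       deny_groups={"Domain Admins"}, loopback=True)]
# Layout B: Authenticated Users removed, one specified group per GPO.
LAYOUT_B = [STAFF,
            GPO("TS Computer", "Terminal Servers", {"TS Computers"}, user_cfg=False, loopback=True),
            GPO("TS User", "Terminal Servers", {"TS Users"}, computer_cfg=False)]
```

In this model a user who belongs to neither group receives the lockdown policy on the terminal server under layout A, but no user policy at all under layout B, so with the allow-list layout the membership of the TS users group is what has to be reviewed.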