Re: Help - with Policy



Hi,

Nick wrote:
I've tried your suggestions below and the policy is not being applied to me
or admin groups, which is good, but also to the CitrixTerminalServerUserGroup
as advised.

Do you mean it is still not applying?

Create a GPO with only Loopback enabled in it.
Link it to the terminal server OU. Do not touch the security settings.

Create a "TS GPO" with all your settings for the TSServergroup.
Edit the security settings:
- remove Auth. Users
- add TS Computer + TSServergroup

You say DENY is always winning, could you explain?

No. There is no explanation. It is a rule, defined by MS.
It's everywhere like that, even in the file system. If you have full access
to a file and you deny read -> deny is winning.
In the end your permissions are a summary of all.

Imagine you are a member of all these groups:

            read   change   full
  Group1     x      -        -
  Group2     x      x        -
  Group3     -      -        -
  Group4     x      x        x
  ------------------------------
  =          x      x        x

Result? You will have Full Access.

Change it like this:

            read   change   full
  Group1    deny    -        -
  Group2     x      x        -
  Group3     -      -        -
  Group4     x      x        x
  ------------------------------
  =         deny

Deny is the "winning" setting.



when myself or admin groups have neither ALLOW nor DENY
and are still being applied.

.... because your Admin is, like every account, a member of Auth. Users.
Auth. Users are allowed to read and apply, so you yourself do not need to
have the permission; another group, where you are a member, has it.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Discuss : www.freelists.org/list/gpupdate
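The two-GPO loopback setup Mark describes, scripted with the GroupPolicy module, as an added example that is not part of the original thread. The OU distinguished name, the GPO names and the "TS Computers" group are assumptions; TSServergroup is the group named in the post. Run it on a domain-joined admin host with RSAT / the GroupPolicy module installed.

```powershell
# Added example (not from the original post): the two-GPO loopback setup.
# Assumed names: the OU DN, both GPO names, and the "TS Computers" group.
Import-Module GroupPolicy

$TsOu          = "OU=TerminalServers,DC=example,DC=com"   # assumed OU holding the TS computer accounts
$LoopbackGpo   = "TS Loopback"                             # GPO 1: loopback only, default security
$TsGpo         = "TS GPO"                                  # GPO 2: the actual TS user settings
$TsServerGroup = "TSServergroup"                           # user group named in the thread
$TsComputers   = "TS Computers"                            # assumed group containing the TS computer accounts

# 1. Loopback GPO: contains only the loopback setting and is linked to the TS OU.
#    Security filtering stays at the default (Authenticated Users: Read + Apply),
#    exactly as the post says: "Do not touch the security settings."
if (-not (Get-GPO -Name $LoopbackGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $LoopbackGpo | Out-Null
}
# "User Group Policy loopback processing mode": UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null
New-GPLink -Name $LoopbackGpo -Target $TsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. TS GPO: carries the user settings; filtered to the TS computers and the TS user group.
if (-not (Get-GPO -Name $TsGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $TsGpo | Out-Null
}
New-GPLink -Name $TsGpo -Target $TsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Remove Authenticated Users (Read + Apply). Until this is done every account,
# admins included, gets the GPO through that membership alone.
Set-GPPermission -Name $TsGpo -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel None | Out-Null
# The TS computer accounts must still be able to read the GPO.
Set-GPPermission -Name $TsGpo -TargetName $TsComputers -TargetType Group `
    -PermissionLevel GpoRead | Out-Null
# The TS user group gets Read + Apply (GpoApply implies read).
Set-GPPermission -Name $TsGpo -TargetName $TsServerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Check: list the trustees of both GPOs. A principal that is neither listed
#    with GpoApply nor a member of a listed group will not receive the TS settings.
foreach ($g in $LoopbackGpo, $TsGpo) {
    "`n== $g =="
    Get-GPPermission -Name $g -All |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied, Inherited |
        Format-Table -AutoSize
}
```

Two caveats worth knowing before relying on this: Set-GPPermission only writes Allow entries, so a Deny on "Apply Group Policy" (the case discussed above) has to be set in GPMC under Delegation > Advanced or by editing the ACL directly; and since the MS16-072 update, user settings are retrieved in the computer's security context, which is why the TS computer accounts need Read once Authenticated Users is gone. After the next gpupdate, `gpresult /r` on the terminal server shows which of the two GPOs actually applied to the logged-on user.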