RE: TS User Lockdown


From: Graham (Graham_at_discussions.microsoft.com)
Date: 10/25/04


Date: Mon, 25 Oct 2004 11:23:02 -0700

Hi Patrick,

Thank you very much for the response. I followed your instructions and the
GPO does not apply to the user.

When running the Group Policy Results, it lists the GPO under "Denied GPO"
with the reason Access Denied (Security Filtering). I have listed Domain Users and
Terminal Server Computers under the security tab. What should be listed under
the group "Terminal Server Computers"? Are these the actual TS servers or
computers connecting to the TS server?

Just one addition. This TS is a DC as well.

Any suggestions?

Cheers,
Graham

"Patrick Rouse [MVP]" wrote:

> This is what you need to do:
>
> 1. Create an OU called Terminal Servers (or whatever name you choose)
> 2. Move the Terminal Server(s) into this OU.
> 3. Link this OU to your GPO, or create a new one.
> 4. Enable loopback policy processing in the GPO with the Replace Option.
> 5. On the security for the GPO set Apply Policy to "Authenticated Users" or
> "Domain Users" plus the Terminal Server Computer accounts, then set Deny
> Apply Policy to your admin accounts or groups.
> 6. Do NOT move user accounts into this OU.
>
>
> This will apply the GPO only when users log on to a terminal server in this
> OU, and will NOT apply to the people you listed in Deny Apply Policy.
>
>
> "Graham" wrote:
>
> > I am in the process of rolling out a 2003 TS and would like to lock down the
> > desktop and several settings using GPO. I would obviously like to prevent
> > this from happening to the Admin account though.
> >
> > Can anybody please offer some assistance? Additionally, in the security tab
> > for the GPO do I input the list of users to be using the TS and the actual
> > machine name, i.e. this is the tab where you state which users and/or
> > computers the GPO applies to?
> >
> > Thanks everyone.
> >
> > Cheers,
> > Graham
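
The six steps quoted above, scripted as an added example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy PowerShell modules are available and that the terminal server is a member server; the GPO, server and admin group names are placeholders.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'Terminal Servers'
$gpoName   = 'TS User Lockdown'   # hypothetical GPO name
$tsServers = @('TS01')            # hypothetical terminal server computer account(s)
$adminGrp  = 'Domain Admins'      # group that must not receive the lockdown

# Steps 1-2 (and 6): create the OU and move only the TS computer accounts into it.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
foreach ($name in $tsServers) {
    Get-ADComputer $name | Move-ADObject -TargetPath $ou.DistinguishedName
}

# Step 3: create the GPO and link it to the OU.
$gpo = New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target $ou.DistinguishedName | Out-Null

# Step 4: loopback processing in Replace mode (UserPolicyMode: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 5a: Read + Apply for the users and for the TS computer accounts.
Set-GPPermission -Name $gpoName -TargetName 'Domain Users' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
foreach ($name in $tsServers) {
    Set-GPPermission -Name $gpoName -TargetName $name `
        -TargetType Computer -PermissionLevel GpoApply | Out-Null
}

# Step 5b: Deny "Apply Group Policy" for admins. Set-GPPermission has no deny
# level, so the deny ACE is added to the GPO's directory object directly.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply Group Policy extended right
$adminSid = (Get-ADGroup $adminGrp).SID
$gpoPath  = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $gpoPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $adminSid, 'ExtendedRight', 'Deny', $applyGpoRight)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoPath -AclObject $acl

# Review the resulting security filtering before testing with a non-admin logon.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied
```

Because a deny ACE overrides an allow, any account that is a member of the denied group is filtered out even if it is also in Domain Users.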


