RE: GPO and Terminal Services

From: Patrick Rouse (PatrickRouse_at_discussions.microsoft.com)
Date: 02/09/05 

Date: Tue, 8 Feb 2005 22:33:02 -0800

Make sure the MetaFrame Servers are in their own OU, and that user accounts
are in other OUs. Apply the policy to the OU containing the MetaFrame
Servers, and enable loopback policy processing (a setting in the Group
Policy) with the replace option. Filter the Policy so it applies to all 5
computer objects (or create a group in this OU that contains the MetaFrame
Server computer objects), authenticated users, but deny apply policy to
Domain Admins.

This will enforce the policy when users logon to these servers, but not when
they logon to other domain member computers.

http://www.workthin.com/tshta.htm#ConfigureTerminalServicesConnections

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com

"Dave Stapf" wrote:

> I have a network that contains 2 DC, 1 F/P Server, 5 Terminal Servers running
> Citrix XP, all servers are running Windows 2003 Standard Server OS. The
> Citrix servers are configured in a load balance farm. I have created some
> Group Policies to lock down the user terminal services enviroment (such as
> not allowing the users to change anything with the desktop). My problem is
> very strange in that when my users login to the Citrix farm the Group
> Policies work correctly on 4 of the Citrix servers but 1 does not apply the
> policy. The Policy is a User Policy and my understanding is that the policy
> should be applied regardless of the computer/server. The Citrix servers are
> all configured the same and are all members of the domain. Any ideas on how
> to troubleshoot or ideas on what might be causing the problem would be
> greatly appreciated.
>
> --
> Dave Stapf

Relevant Pages

  • Re: GP being filtered?
    ... As you can tell from the policy name that it is intended to be applied to ... my Citrix servers so I have it linked to an OU that contains my Citrix ... servers and the Security Filtering is applied to my AD group of Citrix ...
    (microsoft.public.windows.group_policy)
  • Re: Account Lockout threshold
    ... All are window 2000 advanced servers with Service pack 3, ... Domain Contoller Security Policy - Account lockout threshold ...
    (microsoft.public.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Re: Preventing users from c onnecting to shares NOT on the domain..
    ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
    (microsoft.public.win2000.networking)
  • Re: Preventing users from c onnecting to shares NOT on the domain..
    ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
    (microsoft.public.win2000.security)
Loading