Re: Hide TS drives from users, but not Administrators.



Jeff and Gregg:

I took Jeff's suggestion to create a loopback GPO with nothing else in it. I
then created another GPO to deny all users access to the server's local drives. I
then linked them both to the Domain Controllers OU and this works fine.
Remember, I've only one machine, so the PDC and the TS are one and the same
(if this matters).

I'm now moving on to the next step, creating my Terminal Services GPOs.

I want all users to connect to the TS and run one application via the:
"Computer Configuration\Administrative Templates\Windows Components\Terminal
Services\Start a program on connection" policy.

I want to deny the Domain Admins from applying this policy, so I continued
with the suggestion from Gregg to deny the Domain Admins the "Apply
Group Policy" permission, just as I successfully did with the drives.

Even though I deny the Domain Admins from applying the GPO, it seems to be
ignored. Is this because the GPO is a TS policy? If so, how can I have one
group run an application upon start-up, but not apply this to the Domain
Admins?

Thanks!
--
Bob


"Jeff Pitsch" wrote:

> The best way to do it is to have one GPO that only has computer settings
> (enable loopback processing here). Then create a second GPO, attach it to
> the same OU, and put your user settings in that one. Filter the user GPO as
> needed. All loopback processing does is change which user settings get
> applied. By default user settings are applied from the OU where the user
> account resides. Loopback processing says 'no, apply the USER settings
> attached to this OU instead if someone logs into this computer' (or merge
> the two, depending on which loopback processing option is enabled).
>
> I think the issue is becoming very muddled at this point.
>
> Jeff Pitsch
> http://www.sbcgatekeeper.com
> Your Terminal Services Security Website
>
>
> "Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
> news:uX4PY0IEGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
> > If you read that site carefully, you will notice that he has applied his
> > policy to USERS, instead of to the Terminal Server itself. He has created
> > more work for himself by doing it that way.
> >
> > Follow the Microsoft recommendation and create an OU for Terminal Servers,
> > apply your GPO to that OU, deny the Admins from applying the policy, sit
> > back and enjoy life.
> >
> > Gregg Hill
> >
> >
> > "Bob" <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:2A8779CC-E393-4E56-BED8-97C56F74E4AF@xxxxxxxxxxxxxxxx
> >> Okay, now I get it. I found this step-by-step web site that spelled it
> >> out even more. Thanks!
> >>
> >> http://www.serverwatch.com/tutorials/article.php/1497881
> >>
> >> --
> >> Bob
> >>
> >>
> >> "Gregg Hill" wrote:
> >>
> >>> Open the TS group policy you created, right-click the policy, click
> >>> Properties. For the Apply Group Policy setting, click Deny for the
> >>> Domain Admin and Enterprise Admin groups. Run gpupdate /force a couple
> >>> of times on the server.
> >>>
> >>> Gregg Hill
> >>>
> >>>
> >>>
> >>> "Bob" <Bob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >>> news:58BCEB6A-C82C-4B50-A25C-35B82D7CF43D@xxxxxxxxxxxxxxxx
> >>> > Hi Gregg,
> >>> >
> >>> > Thanks for the encouraging news, but I am still missing something.
> >>> >
> >>> > By applying the loopback policy to the Domain Controller, I can see
> >>> > how the TS users will have this loopback policy applied as they are
> >>> > logging onto the Domain Controller machine.
> >>> >
> >>> > I can see that when this same user logs onto a workstation, the
> >>> > loopback policy will not apply, as they are NOT logging onto the
> >>> > Domain Controller machine.
> >>> >
> >>> > I understand that the loopback policy is the LAST POLICY to be
> >>> > applied and therefore will take precedence.
> >>> >
> >>> > I don't understand how you exclude any user or group (least of all
> >>> > the Administrators group) from this loopback policy when logging on
> >>> > to the Domain Controller machine.
> >>> >
> >>> > To be clear: I'm talking about the "User Group Policy loopback
> >>> > processing mode" found in "Computer Configuration\Administrative
> >>> > Templates\System\Group Policy".
> >>> >
> >>> > In my case, I'm enabling "Hide these specified drives in My Computer"
> >>> > and "Prevent access to drives from My Computer" within this same
> >>> > loopback policy.
> >>> >
> >>> > The result is that the Domain User is excluded from the drives on the
> >>> > Domain Controller (or TS machine) whenever they TS into it. This same
> >>> > user is not excluded (from their local drives) when they log onto a
> >>> > workstation. This is all well and good, but the problem is that when
> >>> > an account in the Domain Admins group logs onto the Domain Controller
> >>> > machine (either through TS or locally), they are denied access to the
> >>> > Domain Controller's drives.
> >>> >
> >>> > Thanks for your help!
> >>> > --
> >>> > Bob
> >>> >
> >>> >
> >>> > "Gregg Hill" wrote:
> >>> >
> >>> >> Actually, it works perfectly with a loopback policy. I have set up
> >>> >> several 2003 and 2003 domain controllers as terminal servers (against
> >>> >> my recommendations, but that's what they wanted).
> >>> >>
> >>> >> I set up an extremely tight desktop and deny the admins from getting
> >>> >> the GPO applied. The domain users log onto their desktops normally,
> >>> >> but are locked down if they TS into the server. Administrators are
> >>> >> not locked down either way.
> >>> >>
> >>> >> Gregg Hill
> >>> >>
> >>> >>
> >>> >> "Chris Priede" <priede@xxxxxxxxx> wrote in message
> >>> >> news:ONS6QgwDGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
> >>> >> > Hi,
> >>> >> >
> >>> >> > Bob wrote:
> >>> >> >> Could you elaborate? I don't understand what you mean.
> >>> >> >
> >>> >> > Actually, that is just as well, because when I suggested that I
> >>> >> > somehow overlooked the word "loopback". It wouldn't work for a
> >>> >> > loopback policy.
> >>> >> >
> >>> >> > --
> >>> >> > Chris Priede
> >>> >> >
> >>> >>
> >>> >>
> >>> >>
> >>>
> >>>
> >>>
> >
> >
>
>
>
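An added check (not part of the thread) that a practitioner can run against each TS GPO before relying on a Deny: it reports whether the GPO carries Computer Configuration settings alongside a Deny on "Apply Group Policy". Computer-side settings are applied under the computer account, so a Deny for a user group such as Domain Admins filters only the User Configuration half of the GPO. It assumes the GroupPolicy RSAT module (Windows Server 2008 R2 or later); the GPO names are placeholders.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module
# (Windows Server 2008 R2 or later); $GpoName must name a real GPO in your
# domain, and the names used at the bottom are placeholders.
Import-Module GroupPolicy

function Test-GpoDenyFiltering {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo    = Get-GPO -Name $GpoName
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)

    # Which halves of the GPO actually contain settings? ExtensionData is
    # only present in the report when that half has something configured.
    $hasComputer = $null -ne $report.GPO.Computer.ExtensionData
    $hasUser     = $null -ne $report.GPO.User.ExtensionData

    # Trustees carrying an explicit Deny on "Apply Group Policy" (GpoApply).
    $denied = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied } |
        ForEach-Object { $_.Trustee.Name }

    # Summary object for the caller (pipe to Format-Table if you like).
    [pscustomobject]@{
        GPO             = $gpo.DisplayName
        HasComputerSide = $hasComputer
        HasUserSide     = $hasUser
        ApplyDeniedFor  = $denied
    }

    # The case from the thread: a Deny on a user group cannot exempt that
    # group from Computer Configuration settings, because the computer
    # account (not the logged-on user) is what reads and applies them.
    if ($hasComputer -and $denied) {
        $msg = "'{0}' holds Computer Configuration settings, which are " +
               "applied under the computer account; the Deny for {1} " +
               "filters only the User Configuration half. Put per-user " +
               "settings such as 'Start a program on connection' on the " +
               "User side of a loopback-targeted GPO to exempt those groups."
        Write-Warning ($msg -f $gpo.DisplayName, ($denied -join ', '))
    }
}

# Placeholder GPO names; replace with the names you used.
Test-GpoDenyFiltering -GpoName 'TS - Start Program'
Test-GpoDenyFiltering -GpoName 'TS - Hide Drives'
```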