RE: preventing admins from a TS policy
I'm beginning to wonder about the whole structure of your GPOs.

The basic steps to use a GPO to configure a Terminal Server:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server
machine account
5. add the Terminal Server machine account to the security list of
the GPO
6. add a User group to the security list of the GPO (or keep the
default entry for "Authenticated Users" if you want the settings
in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select "Deny"
for the right to "Apply this policy" (see KB 816100)

If you don't follow the above rules, you will be restricting your
users' sessions on their normal workstations as well.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
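The seven steps above as a script, added here as an illustration; it is not part of Vera's post, nor Microsoft's own code from the cited KB articles. It is PowerShell against the RSAT ActiveDirectory and GroupPolicy modules, run on a domain controller or an admin workstation. The OU name "Terminal Servers", the server name TS01, the GPO name "TS Lockdown" and the group "TS Users" are assumptions. Step 7 is done on the ACL of the GPO's AD object because Set-GPPermission cannot write a Deny entry; the GUID used there is the schema GUID of the Apply-Group-Policy extended right and S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, the group KB 816100 denies.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT). All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn  = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=com
$OuName    = 'Terminal Servers'                    # assumed OU name
$OuDn      = "OU=$OuName,$DomainDn"
$TsName    = 'TS01'                                # assumed TS computer name
$GpoName   = 'TS Lockdown'                         # assumed GPO name
$UserGroup = 'TS Users'                            # assumed group of RDP users

# Step 1: a dedicated OU holding only the Terminal Server machine account
# (the users stay where they are, otherwise their workstations get the GPO).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
            -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
}
Move-ADObject -Identity (Get-ADComputer $TsName).DistinguishedName -TargetPath $OuDn

# Step 2: the TS-specific GPO.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }

# Step 3: loopback processing, Replace mode (KB 231287). UserPolicyMode is the
# registry value behind Computer Configuration > Administrative Templates >
# System > Group Policy > "Configure user Group Policy loopback processing
# mode": 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 4: link the GPO to the OU that contains the machine account.
$Linked = (Get-GPInheritance -Target $OuDn).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $Linked) { New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null }

# Steps 5 and 6: security filtering. GpoApply grants Read AND Apply Group
# Policy, which is what the machine account and the user group both need.
# "Authenticated Users" is removed here, so only these two trustees pick the
# GPO up (that is the variant in which step 5 is mandatory).
Set-GPPermission -Name $GpoName -TargetName $TsName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Step 7: Deny "Apply Group Policy" to Administrators (KB 816100). A Deny ACE
# always wins over an Allow ACE, so admins keep Read (they can still edit the
# GPO) but the settings are filtered out for them. Written directly to the
# ACL of the GPO's container object in AD.
$GpoDn      = "CN={$($Gpo.Id)},CN=Policies,CN=System,$DomainDn"
$ApplyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy
$Admins     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$Acl  = Get-Acl -Path "AD:\$GpoDn"
$Deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Admins,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $ApplyRight)
$Acl.AddAccessRule($Deny)
Set-Acl -Path "AD:\$GpoDn" -AclObject $Acl

# Check the resulting trustee list.
Get-GPPermission -Name $GpoName -All
```

To confirm the filtering, log on to the Terminal Server once as a normal RDP user and once as an administrator and run gpresult /scope:user /r in each session: the GPO should be listed under "Applied Group Policy Objects" for the user and under the GPOs "filtered out" with reason "Access Denied (Security Filtering)" for the admin. Two caveats: because step 7 bypasses GPMC, the Group Policy Management console may report that the AD and SYSVOL permissions of this GPO differ and offer to synchronise them, which is safe to accept; and if you remove "Authenticated Users" as this script does, every computer that must process the GPO needs at least Read on it (TS01 has it here through GpoApply), which matters all the more since MS16-072, after which clients retrieve user policy in the computer's security context. Substitute the SID of a specific domain group for S-1-5-32-544 if you want to exempt only, say, Domain Admins rather than everyone in the server's local Administrators group.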

AdamG <AdamG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 12
Oct 2006:

I set it in the Computer config

but now I can't seem to find the setting I changed

the option doesn't seem to be available now

I think it's in another policy. As I said before, I went nuts trying
to get this to work, so I've probably edited another policy; there
are only a couple so it won't take long to find it

everything I've been playing with is not on a production network,
it's all a test so far, "thank God"

one other strange thing, which again may be from me going over the
top with restrictions, is that now unless you're an admin you can't
log in to a local XP computer

I haven't had time to go right through the policy but I bet there
will be a policy saying something like only administrators can
log on locally

do you know if there is such a policy option I may have clicked

"Vera Noest [MVP]" wrote:

Make sure that you configure the Internet Explorer restrictions
in the User Configuration.
Exactly where in the GPO did you disable program installation?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

AdamG <AdamG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on
11 Oct 2006 in microsoft.public.windows.terminal_services:

ok thanks Vera, it's working, however I found 2 things I would
like to change

one: for some reason the administrator is not blocked from
anything except internet options, and they can't install
programs

when I log on to the server locally as well I still can't
change the internet options

it says "Access to this feature has been disabled by a
restriction set by your Administrator"

could there be an old GPO doing something

"Vera Noest [MVP]" wrote:

You only have to put the TS server account in the security
list if you remove the "Authenticated Users" entry from the
list.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

AdamG <AdamG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
on 11 Oct 2006 in
microsoft.public.windows.terminal_services:

Hello Vera, I am going to give it another try; after
looking at your site under policies I noticed that you
mention putting the TS machine account into the security
list

I don't think I did that

I'm assuming you would have the TS machine account apply
the policy as well as read

"Vera Noest [MVP]" wrote:

Why doesn't this KB help?

816100 - How To Prevent Domain Group Policies from
Applying to Administrator Accounts and Selected Users in
Windows Server 2003

Keep "Authenticated User" in the security filtering, and
configure "Deny" for "Apply this policy" for
Administrators. A "Deny" rule always overrides an "Allow"
rule.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

AdamG <AdamG@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 10 Oct 2006 in
microsoft.public.windows.terminal_services:

in the end I'm trying to lock down the TS through an OU to
RDP users but not to administrators

I wanted to be able to lock down both computer and user
configs

"AdamG" wrote:

Hello, I have been going insane trying to apply a
policy to a terminal server by creating an OU, then
preventing the policy from applying to admins

I have read http://support.microsoft.com/kb/231287 and
http://support.microsoft.com/kb/260370 and
http://support.microsoft.com/kb/816100

in the end I have found that if Authenticated Users is
not selected then no users or groups get the policy,
including admins; if Authenticated Users is selected
and allowed to use the policy then everyone including
admins has the policy applied

does anyone know how to get around this properly, it's
driving me crazy

thanks