Re: GP and TS Rights - A couple issues
- From: Jeff Pitsch <Jeff@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 22 May 2007 13:21:01 -0400
See inline
Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP
Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com
Tim Miller wrote:
> I've found myself suddenly needing to understand Terminal Servers. I THINK that what I really need to understand much better is AD and Group Policy. I've never found the time to dig into it and know I'm missing out on a lot.
> I have 2 Terminal Server issues I'm dealing with. I'm hoping someone out there can point me in a better direction.
> 1: Allow only certain users, but not all, to log in multiple times to the TS. This can be set on the TS itself through the TS Configuration, but that is for ALL users. But the GP setting "Restrict Terminal Services Users to a single remote session" is under the "Computer Configuration" settings in GP. I'm not quite sure how to accomplish my goal using this method.
Unfortunately it's a machine policy and there isn't much you can do. It's either all users or no users. You'd need a 3rd party product like Provision Networks or Citrix Presentation Server to overcome this limitation.
> 2: In this particular specific use TS, I'd like to allow all users the ability to load programs. The only way I know to do that is by making them part of the local admin group. However, I don't want any of them to be able to shut down or restart the server. I don't know if I'm able to restrict this from the admin group, and I'm thinking there's another way to do this??
Not sure what you mean by this. All users, by default, should be able to run most/all programs loaded in program files. Admin access is not needed.
> As I mentioned, I really think my lack of AD & Group Policy are my problem here. With that in mind, I posted these very basic questions to the AD group, but list them here also in case anyone cares to comment.
> Let's say I have OU1, with OU1a & OU1b under that. OU1a & 1b are on the same level. Users are in OU1a & 1b.
> I see that in Group Policy, there are Computer Configuration & User Configuration settings.
> Questions about this:
> 1: Do Computer Configuration settings only apply to AD Computer accounts? And do User Configuration settings only apply to AD User Accounts?
Yes
> 2: Is the idea that Group Policy applies at the lowest level first, and then higher branches of the tree override those lower levels if there is a conflict? In other words, with my example, if I had GP in OU1 AND OU1a, is it correct to say that first OU1a GP applies, and then even though there are no users in OU1 specifically, does this OU1 GP apply over OU1a, where any OU1 GP trumps OU1a for any conflicts?
No, Local, Site, Domain, OU. The deeper OUs trump higher level OUs when there are conflicting settings.
There are many good books on Group Policy; I would highly, HIGHLY recommend getting up to speed on them.
> Thanks for any direction!
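
Added example, not part of the original thread: a small Python model of the two Group Policy answers above (computer settings follow the computer account, user settings follow the user account, and the deepest OU wins a conflict). The domain, OU, GPO and setting names are hypothetical, and the model assumes no local or site policy, no Enforced links, no Block Inheritance and no loopback processing.

```python
# Constructed model of Group Policy scoping; every name below is hypothetical.
# Assumes no local/site policy, Enforced links, Block Inheritance or loopback.
GPO_LINKS = {  # container DN -> GPOs linked there, as (name, computer half, user half)
    "DC=example,DC=com": [
        ("Domain Baseline", {"SingleSessionPerUser": True}, {"ScreenSaverTimeout": 900}),
    ],
    "OU=OU1,DC=example,DC=com": [
        ("OU1 Policy", {}, {"ScreenSaverTimeout": 600, "HideRunMenu": True}),
    ],
    "OU=OU1a,OU=OU1,DC=example,DC=com": [
        # The computer half is inert here: OU1a holds user accounts only.
        ("OU1a Policy", {"SingleSessionPerUser": False}, {"ScreenSaverTimeout": 300}),
    ],
}
SIDES = {"computer": 1, "user": 2}  # index of each half in the tuples above


def containers_top_down(dn):
    """Containers above an object, domain first, deepest OU last.

    Splits on commas, which is enough for the constructed DNs used here.
    """
    parts = dn.split(",")[1:]  # drop the object's own CN=
    return [",".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


def resultant(dn, side):
    """Merge one half of every GPO linked above dn; later (deeper) links win."""
    settings, winner = {}, {}
    for container in containers_top_down(dn):
        for gpo in GPO_LINKS.get(container, []):
            for key, value in gpo[SIDES[side]].items():
                settings[key] = value
                winner[key] = gpo[0]
    return settings, winner


USER_1A = "CN=userA,OU=OU1a,OU=OU1,DC=example,DC=com"
USER_1B = "CN=userB,OU=OU1b,OU=OU1,DC=example,DC=com"
TS_HOST = "CN=TS01,OU=Servers,DC=example,DC=com"

if __name__ == "__main__":
    for dn, side in ((USER_1A, "user"), (USER_1B, "user"), (TS_HOST, "computer")):
        settings, winner = resultant(dn, side)
        print(dn.split(",")[0], side, settings, winner)
```

The terminal server's result comes only from containers above its own computer account, so the computer setting linked at OU1a never reaches it, whichever users log on.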