Re: User Profiles

Thank you very much, it worked great. Just one thing, I have disabled
evrything I can find in the GPOE but cant restrict the start button, My
Computer in the start menu, or Printers and Faxes in the start menu. Is it
not possible to restrict these? In My Computer users still have access to
System Task and Other Places? I also have two icons appearing from the
Default Domain Policy. Is it possible to restrict this without editing the
domain policy? Windows Server 2003. Thanks again for your great advice.



"Vera Noest [MVP]" wrote:

Since your new GPO settings don't work, and you still see the
effects of another GPO (redirection of My Documents), maybe all you
have to do is to run "gpupdate" on the Terminal Server, in a
command window.
If that doesn't help, use Resultant Set of Policies (RSoP) to see
which GPOs affect user1 on the TS.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 26 sep 2007 in
microsoft.public.windows.terminal_services:

Hi, this is different from the first suggestion but looked
shorter so gave it a try.

Created 1 security group in AD the TS Group- put one user1 in it
- created 1 shared folder on the TS server and put shortcut
icons in it, gave TSGroup access to it - created 1 GPO linked to
OU that has TS Svr in it, no users - in GPO redircted desktop to
the shared folder - enabled various other settings - enabled GPO
loopback/replace - allowed the TS Svr and the TS group in the
security filtering.

Logged into the TS Svr via TS client, as user1, 'my documents'
redirected to Home folder (not specified in the TS settings) but
no other changes take place, same as logging into the server
directly. Deleted everything and tried it all again - same
result.

Thanks for your help - any ideas would be appreciated


"Vera Noest [MVP]" wrote:

From
http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirect
ion

Q: How can I configure different TS desktops, based on user
group membership?

A: There are a number of 3rd party add-ons which can do this
for you, but it is also possible with native Windows
techniques, using Group Policies.

Let's assume you have 3 different user groups, which need
different desktop icons.

1. Create 3 security groups in your AD and populate them with
the user accounts
2. Create 3 different shared folders on a file server and
populate the folders with the desktop icons (shortcuts) which
you want the user groups to see
3. Create 3 different GPOs, linked to the OU which contains
your Terminal Server computer account (but not the user
accounts!) 4. In each of the GPOs, configure redirection of the
desktop to one of the custom desktop folders which you created
in step 2. This is done in User Configuration - Windows
Settings - Folder Redirection 5. Configure each of the GPOs
with loopback processing of the GPO, with the "Replace" option.
This is done in Computer Configuration - Administrative
Templates - System - Group Policy - "User Group Policy loopback
processing mode" 6. Configure the security settings on each of
the GPOs so that only the appropriate user group and the TS
machine account is allowed to read and apply the GPO

Further reading:

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server
2003 http://support.microsoft.com/?kbid=816100

Another way to do this is by using Access Based Enumeration,
which is a free add-on to Windows Server 2003.
For a detailed example of using ABE, see:

Build a start menu with ABE
http://www.datacrash.net/howtos/howto/build-a-start-menu-with-
abe.html

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 26 sep 2007 in
microsoft.public.windows.terminal_services:

Thanks Jeff and good article. Having got to the end of it, I
now have the TS server in its own OU, two policies, machine
and users in the OU, user and machine disabled where needed,
and the loopback enabled. From here I would like to have
users log onto the server and receive various different
secure desktops. If I edit the user policy, I would think
that effects all users logging on. How would I differentiate
between them for different desktops??
Many Thanks for your help -
much appreciated

"Jeff Pitsch" wrote:

when you say normal users do you mean their normal desktop?
Read my article on loopback processing and group policy and
see if that helps. As well if you could be more specific on
what your trying to do and what you've done that would help
as well.

See this link and Understanding Group POlicy in a TS
environment:
http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=
dow nload

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

Ferbalex wrote:
Currently running TS where all users load one application
- our business system.
I'm now trying to allocate individual desktops to certain
users but, with a Group Policy only suceeded in
restricting normal users to no start button and no icons!!
Im obviously missing the point - could someone please
direct me to a simple step by step starter??

.