RE: Mandatory TS user profiles... Admin rights
- From: cendrars <cendrars@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 25 Oct 2007 14:26:01 -0700
Hello,
You have applied Loopback, and I expect you have applied it in Replace mode.
Please apply it in replace mode.
The affect this will have is that the OU container will only process "User
Configuration" settings applied via GPOs linked to the OU container. GPOs
which are "Enforced" above the OU tree will also be applied to the OU.
Machine configurations within the GPO environment are global. Machine
configurations are applied to "all" users, hence their global nature. So,
any change you make on the machine side of the GPO will apply to all users
including Admins.
User configurations are for users, obviously. It is possible to segragate
the delivery of these settings to users based on group affiliation. While
the default setting for a linked GPO is to apply DACL configuration to the
Authenticated Users Group for the "Read" and "Apply Group Policy" settings,
you can deny these user settings to your Admin group by setting the DACL for
the group to "Read" the GPO, but "Deny Group Policy" as the option that
counts. This allows the admin group to log onto the server unobstructed by
user policy settings meant to lock down the server.
Also, make the effort to configure the "details" of your GPOs appropriately.
Apply your user GPO settings to, and within the details tab for the GPO
"deny computer settings". Apply your computer settings to a GPO and "deny
user settings" within the details tab for the GPO. Keep user and machine
settings separated within the GPO configurations.
So, what settings are we talking about, computer or user? If they are user
you will find success with the items I mention above. If they are computer,
well....you are out of luck. Let us know how you make out. Thanks.
"Noncentz303" wrote:
The lowdown- I have been tasked with setting up our TS enviorment so that.
when a user logs on they have limited access to the desktop and startbar.
From what I have read this can be accomplished with TS user profiles.
We have a SBS and 2 TS "TS1 and TS2"
I am new at this but this is what i have accomplished so far:
I created a new GPO and a new OU for TS1 and 2
-I created a shared folder on TS1 called TSProfiles
-I created a test user and added it to the new GPO
-I enabled loopback processing
-I enabled admin security group to roaming profiles
-Set the path for TS roaming profiles :\\TS1\TSProfiles * appends username
Then I went to my test user and specified the following profile path:
\\TS1\TSProfile\%username%
- This is where I run into my issues. When I log in a seperate folder is
created in my share for each user. I would like to use 1 standard profile for
all users when they log in so that when I make changes the effect all users.
- Also when I log in as admin I cannot view the contents of the folders
because access is denied -- even though I have it set to add user admin when
folder is created
- I also am wondering will I have to set up a static path for every user
depending on what TS they use and specify different paths and redirects for
both servers?
Any help would be appreciated
Antony
- Follow-Ups:
- RE: Mandatory TS user profiles... Admin rights
- From: Noncentz303
- RE: Mandatory TS user profiles... Admin rights
- Prev by Date: Re: Creating a GPO for TS lockdown
- Next by Date: RE: Mandatory TS user profiles... Admin rights
- Previous by thread: RE: Mandatory TS user profiles... Admin rights
- Next by thread: RE: Mandatory TS user profiles... Admin rights
- Index(es):
Relevant Pages
|
