Re: Setting Group Policy to apply only to the terminal server
- From: Patrick Rouse <PatrickRouse@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Jan 2008 11:36:01 -0800
Step by step directions on how to configure this are here:
Best Practice for applying Settings to Users only when they log on to
Terminal Servers would be to:

- Create an OU to contain a set of Terminal Servers
- Block Policy Inheritance on the OU (Properties -> Group Policy). This
  prevents settings from higher-up in AD from affecting your Terminal Servers.
- Move the Terminal Server Computer Objects into the OU. Do NOT place User
  Accounts in this OU.
- Create an Active Directory Security Group called “Terminal Servers” (or
  something similar that you’ll recognize) and add the Terminal Servers from
  this OU to this group.
- Create a GPO called “TS Machine Policy” linked to the OU
  - Check “Disable User Configuration settings” on the GPO
  - Enable Loopback Policy Processing in the GPO
  - Edit the Security of the Policy so Apply Policy is set for “Authenticated
    Users” and the Security Group containing the Terminal Servers
- Create additional GPOs linked to this OU for each user population, i.e. “TS
  Users”, “TS Administrators”.
  - Check “Disable Computer Configuration settings” on these GPOs
  - Edit the Security on these User Configuration GPOs so Apply Policy is
    enabled for the target user population, and Deny Apply Policy is enabled for
    users to which the policy should not apply.

With GPOs configured this way the Machine Policy applies to everyone that
logs on to the Terminal Server (only the Computer Configuration Settings of
the Machine Policy are processed) in addition to the appropriate User
Configuration GPO (only the User Configuration portion of the GPO is
processed) for the target user population.
--
Patrick C. Rouse
Microsoft MVP - Terminal Server
SE, Western USA & Canada
Quest Software, Provision Networks Division
http://www.provisionnetworks.com
"Vera Noest [MVP]" wrote:
> Graffiti Knight <jordanstacy@xxxxxxxxx> wrote on 30 jan 2008 in
> microsoft.public.windows.terminal_services:
>
>> On Jan 29, 4:23 am, moncho <mon...@xxxxxxxxxxxxxxxxx> wrote:
>>> Graffiti Knight wrote:
>>>> We have a number of group policy restrictions for our
>>>> terminal server, however they all fall under User
>>>> Configuration (folder redirection, Control Panel access, and
>>>> hiding drives in My Computer). To apply these settings we
>>>> have an OU for our employees' computers to use loopback
>>>> processing and an OU for the employees' user accounts.
>>>> The problem is that whenever a user logs onto a computer that
>>>> is not the terminal server (TS), if they aren't moved out of
>>>> the OU then the policy restrictions get applied to their
>>>> profile and we have to wipe it and start over. For computer
>>>> rebuilds this becomes a hassle as we have to remove them,
>>>> create the profile on their new machine, and then move them
>>>> back. Is there a way to apply these User Configuration
>>>> settings only on the Terminal Server, and not have to do all
>>>> of this moving around?
>>>> Thanks for any suggestions.
>>>
>>> What you want to do is put the TS servers in their own OU and
>>> use loopback processing.
>>> When you do this, any policies you create in the TS OU
>>> will only affect the users desktop in TS and not their
>>> individual desktop.
>>> moncho
>>
>> The terminal servers are in their own OU. I have an OU for the
>> terminal servers, an OU for TS user's, and an OU for TS user's
>> computers. None are within each other; they are all under the
>> Domain OU.
>
> And have you linked the restrictive GPO to the OU which contains
> the Terminal Servers?
> If so, check if all GPOs are applied as you expect them to be by
> running RSoP (Resultant Set of Policies).
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
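
The procedure in Patrick Rouse's reply above, sketched with the ActiveDirectory and GroupPolicy PowerShell modules as an added example (not part of the original thread, and the modules are newer than the post). The domain, the OU name, the `TS*` host pattern, the user-group names and the choice of Replace mode for loopback are assumptions.

```powershell
# Added example; domain, OU name, host pattern and user groups are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=local'                        # assumed domain
$ouName   = 'TS Hosts'                                   # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"
$tsGroup  = 'Terminal Servers'
$servers  = Get-ADComputer -Filter 'Name -like "TS*"'    # assumed naming scheme

# OU that holds only the terminal server computer objects, inheritance blocked.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# Security group of the servers; members are added before the move so the
# computer objects fetched above are still current when they are used.
New-ADGroup -Name $tsGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $tsGroup -Members $servers
$servers | Move-ADObject -TargetPath $ouDn

# Machine GPO: user half disabled, loopback enabled, linked to the OU.
$machine = New-GPO -Name 'TS Machine Policy'
$machine.GpoStatus = 'UserSettingsDisabled'
# UserPolicyMode: 1 = Merge, 2 = Replace. The thread does not say which; 2 is assumed.
Set-GPRegistryValue -Name $machine.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $machine.DisplayName -Target $ouDn | Out-Null
# A new GPO already grants Apply to Authenticated Users; add the server group.
Set-GPPermission -Name $machine.DisplayName -TargetName $tsGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# One user-side GPO per population, computer half disabled, linked to the same OU.
$populations = @{
    'TS Users'          = 'TS Users Group'     # assumed existing AD groups
    'TS Administrators' = 'TS Admins Group'
}
foreach ($gpoName in $populations.Keys) {
    $gpo = New-GPO -Name $gpoName
    $gpo.GpoStatus = 'ComputerSettingsDisabled'
    New-GPLink -Name $gpoName -Target $ouDn | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $populations[$gpoName] `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Set-GPPermission has no Deny level: add the "Deny Apply Policy" entry for
    # the other population in GPMC (Delegation > Advanced).
}
```

After a test user logs on to one of the terminal servers, `gpresult /r` or the RSoP snap-in run there shows which GPOs were actually applied.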