Re: Applying Group Policy to domain user on Terminal Server
- From: Luke Chalmers <LukeChalmers@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Jun 2008 03:26:01 -0700
Vera,
Thanks for your help on this. I am still a little stuck however as the GPO
is still not applying properly. I am glad you understood what I meant as I
was concerned that you may find my problem difficult to follow.
I just want to check the instructions that you sent.
1. place the Terminal Server (not the users!) in a separate OU
DONE! This OU is called Terminal Services
2. create a TS-specific GPO
DONE! This is called TS-GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
DONE! Read this with interest and I guess this needs to be applied to the
TS-GPO and not the local GPO on the Terminal Server
4. link the GPO to the OU which contains the Terminal Server
machine account
DONE! What do you mean exactly by Terminal Server machine 'account'? If I
right click on the Terminal Services OU and go to properties the group policy
is in there under the group policy tab.
5. add the Terminal Server machine account to the security
list of the GPO
If I right click on the Terminal Services OU>properties>group policy>select
the group policy and then click properties. Then select the security tab. The
Terminal Server computer is in this list along with my test users and
Terminal Server User group. What permissions should the machine have exactly?
I also have the domain admin group with deny rights in here. This relates to
point 7.
6. add a User group to the security list of the GPO (or keep
the default entry for "Authenticated Users" if you want the
settings in the GPO to apply to all users)
DONE! as above the Terminal Server user group is in the security list with
read, write, create, delete and apply rights enabled. Same as my test user
which works
When I log in with a user who is a member of the Terminal Server Users group
the GPO does not apply itself.
In Active Directory under the Terminal Server OU I have the computer of the
TS and the test user. Should my Terminal Server user group be in there as
well because it is at present!
Many thanks for your help on this Vera!
Luke
"Vera Noest [MVP]" wrote:
The solution to this problem is to use "loopback processing" of the
TS GPO:
1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server
machine account
5. add the Terminal Server machine account to the security
list of the GPO
6. add a User group to the security list of the GPO (or keep
the default entry for "Authenticated Users" if you want the
settings in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select
"Deny" for the right to "Apply this policy" (see KB 816100)
231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Luke Chalmers <LukeChalmers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 18 jun 2008 in
microsoft.public.windows.terminal_services:
Hello,
I am fairly new to setting up terminal services so I will try
and explain the problem as best I can.
I have setup a Windows 2003 Terminal Server and have built a
group policy for when users logon. The domain controller is on a
Windows 2000 server. I am not sure if this is the best way to do
this but in Active Directory I have a subfolder called 'Domain
Controllers' and this contains the Windows 2000 server. When I
right click on the 'domain controllers' and go to
properties>group policy I see 'default domain controllers
policy'. This is the group policy that is applied to domain
users on the network.
Another organisational unit subfolder is called 'My Business'
and then a subfolder in that called '[company name]'. In the
[company name] folder this contains all the users in the company
which log onto the domain.
Under 'my business' is another folder which I created called
'Terminal Services'. If I right click on that and go to properties
and go to Group policy, you find my group policy that I have
configured for the Terminal Server. In this folder you find the
Terminal Server computer object and a test user.
When the test user logs into the Terminal server the group
policy is then applied and they experience restrictive access.
How can I get a domain user from the 'company name'
organisational unit to log onto the TS with the group policy
applied? In order to get this to work I have to move them to the
Terminal Services container and I don't want to do that. I have
created a group and added the group but when users of that group
log in the group policy does not apply.
I have granted the terminal services group permission to the
group policy just like my test user but only my test user works.
I am not sure how to get this working. How do other people set
this up?
Sorry if this sounds waffly!
Cheers
Luke
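
Steps 1 to 6 quoted in this thread, written out as a script. This is an added example, not part of any post in the thread. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules; the domain DN and the server name TS01 are placeholders, and the OU, GPO and group names follow the ones mentioned in the thread.

```powershell
# Added example: names below are assumptions (placeholder domain, hypothetical TS01).
Import-Module ActiveDirectory, GroupPolicy

$ouDn    = 'OU=Terminal Services,OU=My Business,DC=example,DC=local'  # placeholder DN
$gpoName = 'TS-GPO'
$tsName  = 'TS01'                   # hypothetical Terminal Server computer name
$group   = 'Terminal Server Users'  # the users stay in their own OU

# Step 1: move the Terminal Server computer object (not the users) into its own OU.
$ts = Get-ADComputer -Identity $tsName
if ($ts.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $ts.DistinguishedName -TargetPath $ouDn
}

# Step 2: create the TS-specific GPO if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Step 3: loopback processing is a Computer Configuration setting, stored as
# UserPolicyMode under the System policies key: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 4: link the GPO to the OU that holds the server's machine account.
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn | Out-Null }

# Steps 5 and 6: security filtering. GpoApply grants Read plus Apply, nothing more.
# The computer needs it because the loopback setting is a computer setting;
# the user group needs it for the user settings in the GPO.
Set-GPPermission -Name $gpoName -TargetName $tsName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 7 (Deny "Apply" for Administrators) is a deny ACE. Set-GPPermission only
# sets allow levels, so that step stays in the GPMC Delegation > Advanced dialog.

# Review the resulting security filtering on the GPO.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

After a `gpupdate /force` and a fresh logon on the Terminal Server, `gpresult` run in the user's session shows whether TS-GPO is listed among the applied user policies.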