Re: Applying Group Policy to domain user on Terminal Server



I went through the instructions again and had a little tinker and all is
well. I can't be certain what exactly was wrong but it is now working.

I think I was practically there but thanks for getting me to the end!

Last question, is there a straightforward way of publishing the Terminal
Server on the web?

I have read online about MSFT ISA server. Is this necessary or recommended?

Is there a guide online to configure IIS to get it online?

Many thanks,

Luke

"Vera Noest [MVP]" wrote:

comments inline
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Luke Chalmers
<LukeChalmers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 19 jun 2008 in
microsoft.public.windows.terminal_services:

Vera,

Thanks for your help on this. I am still a little stuck however
as the GPO is still not applying properly. I am glad you
understood what I meant as I was concerned that you may find my
problem difficult to follow.

I just want to check the instructions that you sent.

1. place the Terminal Server (not the users!) in a separate OU
DONE! This OU is called Terminal Services

2. create a TS-specific GPO
DONE! This is called TS-GPO

3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
DONE! Read this with interest and I guess this needs to be
applied to the TS-GPO and not the local GPO on the Terminal
Server

Correct

4. link the GPO to the OU which contains the Terminal Server
machine account

DONE! What do you mean exactly by Terminal Server machine
'account'? If I right click on the Terminal Services OU and go
to properties the group policy is in there under the group
policy tab.

The Terminal Server machine account is what you call the Terminal
Server computer, i.e. the object that you see in the Terminal
Services OU.

5. add the Terminal Server machine account to the security
list of the GPO

If I right click on the Terminal Services OU>properties>group
policy>select the group policy and then click properties. Then
select the security tab. The Terminal Server computer is in this
list along with my test users and Terminal Server User group.
What permissions should the machine have exactly? I also have
the domain admin group with deny rights in here. This relates to
point 7.

The default permissions (minimally read, write, apply)

6. add a User group to the security list of the GPO (or keep
the default entry for "Authenticated Users" if you want the
settings in the GPO to apply to all users)
DONE! as above the Terminal Server user group is in the security
list with read, write, create, delete and apply rights enabled.
Same as my test user which works

When I log in with a user who is a member of the Terminal Server
Users group the GPO does not apply itself.

Strange, because it should. Did you run the command "gpupdate" on
the Terminal Server after adding the loopback setting?
If that doesn't help, run RSoP (Resultant Set of Policies) with the
TS as the computer and a normal user account, to see a list of the
policies which are applied.

One comment on your first post. You wrote:
.. in Active Directory I have a subfolder
called 'Domain Controllers' and this contains the Windows
2000 server. When I right click on the 'domain controllers'
and go to properties>group policy I see 'default domain
controllers policy'. This is the group policy that is
applied to domain users on the network.
That's not completely true. The Default Domain Controller GPO is
applied to the DC.
You should have another GPO, linked to the domain, which is called
the Default Domain Policy. This GPO is applied to the whole domain,
and thus to all users.

In active directory under the Terminal Server OU I have the
computer of the TS and the test user. Should my Terminal Server
user group be in there as well because it is at present!

Policies are applied to computers and/or users, not to security
groups. So putting the Terminal Server Users security group in the
TS OU has no effect, and I wouldn't do it.

Many thanks for your help on this Vera!

Luke


"Vera Noest [MVP]" wrote:

The solution to this problem is to use "loopback processing" of
the TS GPO:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server
machine account
5. add the Terminal Server machine account to the security
list of the GPO
6. add a User group to the security list of the GPO (or keep
the default entry for "Authenticated Users" if you want the
settings in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select
"Deny" for the right to "Apply this policy" (see KB 816100)

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server
2003 http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Luke Chalmers
<LukeChalmers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 18 jun 2008
in microsoft.public.windows.terminal_services:

Hello,

I am fairly new to setting up terminal services so I will try
and explain the problem as best I can.

I have setup a Windows 2003 Terminal Server and have built a
group policy for when users logon. The domain controller is
on a Windows 2000 server. I am not sure if this is the best
way to do this but in Active Directory I have a subfolder
called 'Domain Controllers' and this contains the Windows
2000 server. When I right click on the 'domain controllers'
and go to properties>group policy I see 'default domain
controllers policy'. This is the group policy that is
applied to domain users on the network.

Another organisational unit subfolder is called 'My Business'
and then subfolder in that called '[company name]'. In the
[company name] folder this contains all the users in the
company which log onto the domain.

Under 'my business' is another folder which I created called
'Terminal Services'. If right click on that and go to
properties and go to Group policy, you find my group policy
that I have configured for the Terminal Server. In this
folder you find the Terminal Server computer object and a
test user.

When the test user logs into the Terminal server the group
policy is then applied and they experience restrictive
access.


How can I get a domain user from the 'company name'
organisational unit to log onto the TS with the group policy
applied. In order to get this to work I have to move them to
the Terminal Services container and I don't want to do that.
I have created a group and added the group but when users of
that group log in the group policy does not apply.

I have granted the terminal services group permission to the
group policy just like my test user but only my test user
works. I am not sure how to get this working. How do other
people set this up?

Sorry if this sounds waffly!

Cheers

Luke
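
The loopback behaviour the thread settles on, as an added example that is not part of the original posts: a small Python model of how the user-side GPO list is chosen with and without "Replace" mode, and how the GPO's security list filters it. The domain name `example.local`, the computer account `TS01$` and all function names are assumptions; enforced links, block inheritance and WMI filters are left out.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    linked_to: str                              # container the GPO is linked to
    allow: set = field(default_factory=set)     # principals with Read + Apply Group Policy
    deny: set = field(default_factory=set)      # principals denied Apply (Deny wins)
    loopback: str = ""                          # computer-side setting: "" or "replace"

def linked(path, gpos):
    """GPOs linked along a container path, domain first, nearest OU last."""
    return [g for container in path for g in gpos if g.linked_to == container]

def applies(gpo, principals):
    return bool(gpo.allow & principals) and not (gpo.deny & principals)

def user_policy(user_path, user_ids, computer_path, computer_ids, gpos):
    """Names of the GPOs whose user settings reach this logon, in order."""
    # The computer reads the loopback setting, so it must pass the filter itself.
    mode = ""
    for g in linked(computer_path, gpos):
        if g.loopback and applies(g, computer_ids):
            mode = g.loopback
    # Replace mode: the user's own GPO list is discarded for the computer's.
    source = computer_path if mode == "replace" else user_path
    return [g.name for g in linked(source, gpos) if applies(g, user_ids)]

# Constructed directory modelled on the thread (domain and TS01$ are assumed names).
DOMAIN = "example.local"
COMPANY = [DOMAIN, "My Business", "[company name]"]
TS_OU = [DOMAIN, "My Business", "Terminal Services"]
EVERYONE = {"Authenticated Users"}
TS_COMPUTER = EVERYONE | {"TS01$"}
STAFF = EVERYONE | {"Terminal Server Users"}
ADMIN = STAFF | {"Domain Admins"}

def build(loopback):
    return [
        GPO("Default Domain Policy", DOMAIN, allow=set(EVERYONE)),
        GPO("TS-GPO", "Terminal Services",
            allow={"TS01$", "Terminal Server Users"},
            deny={"Domain Admins"}, loopback=loopback),
    ]

if __name__ == "__main__":
    for label, ids in (("staff", STAFF), ("admin", ADMIN)):
        for mode in ("", "replace"):
            print(label, mode or "no loopback",
                  user_policy(COMPANY, ids, TS_OU, TS_COMPUTER, build(mode)))
```
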
