Announcement

Collapse
No announcement yet.

Configure an Special GPO or what do I need

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Configure an Special GPO or what do I need

    Hello people around.

    I want to create a GPO for some of our
    new terminal services servers, this policy will have some restrictions for all users and this is something that i've completed it.

    But this policy will afect only the users that connect from a dump terminal so i need a new policy which will affect the users that
    connect from they're PC's but MUST no affect they're own Computer, just
    the section in the server.

    what i done until now is

    Moved the servers to a new OU
    create a policy for that OU
    link the policy to the OU
    and link the policy to the OU that contain the users

    but for some reason its aplicated to the server but also to the user computer.

    Any help
    Last edited by Nehemoth; 8th May 2007, 13:15. Reason: Resolved
    When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

    Leonardo da Vinci

  • #2
    Re: Configure an Special GPO or what do I need

    You must have applied a GPO to the users OU so that the GPO is applying wherever the user logs on. If you only want issue a GPO to the Terminal Servers, remove the GPO that is applying to the users and the computers.

    Use the Group Policy Management Console GPO modeling to find out what GPOs are applying.

    Jas
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.

    Comment


    • #3
      Re: Configure an Special GPO or what do I need

      Delete the link to the OU that contains the users.

      Then configure Loopback Processing on the GPO that's linked to the TS(es).

      Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com

      Comment


      • #4
        Re: Configure an Special GPO or what do I need

        I supposed that i must used Replace instead of merge, right?

        Anyway i did the changes but i not test the change until the Monday.

        Best regards guys.

        I'm in the last steps for finish this project (a deploy of some Blades and that for our new Terminal services 2003 platform) and this site has served me as the first place for knowledge overall bearing in mind that this is my first experience with Windows 2003 Terminal services and Blades.

        Regards
        When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

        Leonardo da Vinci

        Comment


        • #5
          Re: Configure an Special GPO or what do I need

          Originally posted by Nehemoth View Post
          I supposed that i must used Replace instead of merge, right?
          Well it depends on what your needs are.

          Merge - All GPOs that apply to the user will be processed. Any conflicting settings will be over ridden by the TS policy.

          Replace - All GPOs that apply to the user will be disregarded. It will only process the TS policy.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: Configure an Special GPO or what do I need

            Hmmm estrange, its not working not with replace and no in merge mode either.

            what should i look for?
            When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

            Leonardo da Vinci

            Comment


            • #7
              Re: Configure an Special GPO or what do I need

              -Is the GPO with the user settings configured linked to the OU containing the TS server?
              -Run gpresults to see if the GPO is getting applied and check the event log for processing errors.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

              Comment


              • #8
                Re: Configure an Special GPO or what do I need

                Not is no linked and also i tried linked but when i do that the policy is the same in the computer and on the server.



                I can paste also the policy
                Last edited by Nehemoth; 14th May 2007, 17:08.
                When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

                Leonardo da Vinci

                Comment


                • #9
                  Re: Configure an Special GPO or what do I need

                  Originally posted by Nehemoth View Post
                  Not is no linked and also i tried linked but when i do that the policy is the same in the computer and on the server.
                  I'm sorry, I don't know what you mean. Could you try restating it?

                  Also, the security filtering needs to be changed to allow the users to read the policy. Unless there's objects in Terminal Servers OU that you don't want to apply the GPO, add Authenticated Users to the security filtering.
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com

                  Comment


                  • #10
                    Re: Configure an Special GPO or what do I need

                    What i said is that is not linked with the user settings configured linked to the OU containing the TS server.

                    OK, I will begin again with the method one of this guide
                    http://support.microsoft.com/kb/260370

                    I will try to make the policy from scratch again.

                    Desire me luck.
                    When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

                    Leonardo da Vinci

                    Comment


                    • #11
                      Re: Configure an Special GPO or what do I need

                      If you have the desired User Configuration settings configured in the Terminal Servers PC GPO then all you should need to do is add Authenticated Users to the security filtering.
                      Regards,
                      Jeremy

                      Network Consultant/Engineer
                      Baltimore - Washington area and beyond
                      www.gma-cpa.com

                      Comment


                      • #12
                        Re: Configure an Special GPO or what do I need

                        First JeremyW i really want to thank you for the help and really I'm sorry by my poor English.

                        I did it in that way too, Applying the security filtering to the authenticated users but is the same, i restarted the server but the same behavior.

                        I really know that there's something that i must doing wrong but then again i don't know what is that.

                        I have a policy the which is working and then a copy that so can be used for the result that i want here.

                        This is the policy
                        http://download.yousendit.com/7872B7A8226AE1E9

                        these are the result of gpresult for the user that I'm testing, course i have created some users and the same, also in this case i remove the authenticated users for the security filters for a test
                        ==========
                        C:\>gpresult /user porfi

                        Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
                        Copyright (C) Microsoft Corp. 1981-2001

                        Created On 5/7/2007 at 3:43:35 PM


                        RSOP data for DomainName\porfi on MWTSB04 : Logging Mode
                        -------------------------------------------------------

                        OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edi
                        tion
                        OS Configuration: Member Server
                        OS Version: 5.2.3790
                        Terminal Server Mode: Application Server
                        Site Name: Default-First-Site-Name
                        Roaming Profile: \\mwtsb10\profiles\porfi.domainname
                        Local Profile: C:\Documents and Settings\porfi
                        Connected over a slow link?: No


                        COMPUTER SETTINGS
                        ------------------
                        CN=MWTSB04,OU=Terminal Servers,OU=ORGUNIT-NT,DC=DOMAINAME,DC=COM
                        Last time Group Policy was applied: 5/7/2007 at 3:26:59 PM
                        Group Policy was applied from: svrdc1.DOMAINAME.COM
                        Group Policy slow link threshold: 500 kbps
                        Domain Name: DOMAINAME
                        Domain Type: Windows 2000

                        Applied Group Policy Objects
                        -----------------------------
                        Local Group Policy

                        The following GPOs were not applied because they were filtered out
                        -------------------------------------------------------------------
                        Terminal Servers
                        Filtering: Not Applied (Unknown Reason)

                        The computer is a part of the following security groups
                        -------------------------------------------------------
                        BUILTIN\Administrators
                        Everyone
                        Debugger Users
                        BUILTIN\Users
                        NT AUTHORITY\NETWORK
                        NT AUTHORITY\Authenticated Users
                        This Organization
                        MWTSB04$
                        Domain Computers


                        USER SETTINGS
                        --------------
                        CN=porfi,OU=ORGUNIT,OU=ORGUNIT,DC=DOMAIN,DC=COM
                        Last time Group Policy was applied: 5/7/2007 at 3:28:07 PM
                        Group Policy was applied from: svrdc1.DOMAIN.COM
                        Group Policy slow link threshold: 500 kbps
                        Domain Name: DOMAIN
                        Domain Type: Windows 2000

                        Applied Group Policy Objects
                        -----------------------------
                        Terminal Servers
                        Screensaver

                        The following GPOs were not applied because they were filtered out
                        -------------------------------------------------------------------
                        Local Group Policy
                        Filtering: Not Applied (Empty)

                        Local Group Policy
                        Filtering: Not Applied (Empty)

                        The user is a part of the following security groups
                        ---------------------------------------------------
                        Domain Users
                        Everyone
                        BUILTIN\Users
                        Remote Desktop Users
                        REMOTE INTERACTIVE LOGON
                        NT AUTHORITY\INTERACTIVE
                        TERMINAL SERVER USER
                        NT AUTHORITY\Authenticated Users
                        This Organization
                        LOCAL
                        Grp-Inf
                        Grp-ScreenSaver
                        Dpto-Inf-Hdesk
                        Grp-Archivos
                        Salon-3A-LDV-Read
                        Grp-SopTec-Full
                        Terminal Services PC
                        Dpto-Inf-SopTec
                        Salon-MisA-Full
                        When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

                        Leonardo da Vinci

                        Comment


                        • #13
                          Re: Configure an Special GPO or what do I need

                          This is a Picture of our policies


                          The one that is checked in the one that I'm using it.
                          linked to the OU where the servers are and the security filtering for authenticated users but i would
                          prefer just for a group called terminal services PC

                          Terminal services is the one that i use for the terminal services the which log from a dump terminal
                          Linked to the users OU but just for the group terminal services (same name as policy)

                          Terminal services test is the same as the above but for test
                          Linked to the users OU but just for the group Terminal services test (same name as policy)
                          Last edited by Nehemoth; 14th May 2007, 17:10.
                          When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

                          Leonardo da Vinci

                          Comment


                          • #14
                            Re: Configure an Special GPO or what do I need

                            Originally posted by JeremyW View Post
                            Delete the link to the OU that contains the users.

                            Then configure Loopback Processing on the GPO that's linked to the TS(es).

                            Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode
                            And this was the thing that resolve the problem, i just remove this options

                            Computer Configuration > Administrative Templates > Windows Components > Terminal Services

                            and remove the options
                            Seth Path for TS Roaming Profiles
                            TS User Home Directory

                            The options was set before for the terminal services policy, in this policy i don't will need this
                            are less no in this way, i set these one with the folders redirection options in the user configuration field

                            Regards

                            Thank you again JeremyW
                            When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

                            Leonardo da Vinci

                            Comment


                            • #15
                              Re: Configure an Special GPO or what do I need

                              I see you were able to solve it before I had a chance to respond. Glad to help the tiny bit that I did.

                              Thanks for letting us know what the issue was.
                              Regards,
                              Jeremy

                              Network Consultant/Engineer
                              Baltimore - Washington area and beyond
                              www.gma-cpa.com

                              Comment

                              Working...
                              X