
Configure an Special GPO or what do I need


  • #16
    Re: Configure an Special GPO or what do I need

    Hello again. I don't want to open a new thread; I would prefer to continue here.

    After I did this, all is fine except for 2 things (well, 1 is just more important than the other).

    The policy is working fine, but there are 2 things that I don't like about it. One is that if I want the complete desktop and menu (I'm an administrator) I need to log in with the local account. More important: what should I do, for instance, if I want certain users (Help Desk) to have options different from all users? For example, I would like them to be able to see the desktop or the complete Start Menu, or even better, that when they log in to the server the Terminal Services Manager opens automatically so they can give support to the end users.


    I need to complete the second one more than the first. I could happily live with using the local account to log in to the servers, but I need to find a way for the help desk to do their job.

    Tomorrow I will do some tests.

    Another problem that I have is this one:
    http://forums.petri.com/showthread.p...8747#post68747

    Another one is that the local printers on the terminals are not being mapped to the Windows terminal sessions or, worse, are being mapped but not working from some Oracle applications.

    I'm reading about it and searching for info because we have some old T1000 and T1010 Compaq terminals.

    Regards and Thank you
    When once you have tasted flight, you will forever walk the earth with your eyes turned skyward, for there you have been and there you will always long to return.

    Leonardo da Vinci



    • #17
      Re: Configure an Special GPO or what do I need

      I haven't tested but from my understanding of loopback processing you should be able to use Security Filtering to do this.

      Anyone feel free to correct me on this... and if I get some time I'll test it out and maybe correct myself.

      But as of now this is my understanding of what you could do.

      Make groups for the three categories of users; admin (you), help desk, everyone else. Also make a group of the computers the users will be logging onto.
      Note: if you already have groups that fit the above then you can use them (domain admins comes to mind for the admin group)

      TS Policy 1 - Remove the Authenticated Users group (the one I told you to add before) and add the computer group and the everyone else group. This will be the one you've already configured.

      TS Policy 2 - Remove the Authenticated Users group and add the computer group and the help desk group. This will be the policy that applies to the help desk users.

      TS Policy 3 - Remove the Authenticated Users group and add the computer group and the admin group. This will be the policy that applies to the admins group.


      You really don't need to make policy 2 and 3 unless you want to specify some specific settings when they log on to a TS. The way I outlined above will implicitly deny anyone that is not in the "everyone else" group for "TS Policy 1".

      If you find it easier to just filter out the few users that don't need to apply the policy rather than making a large group that does need to apply it, you can also explicitly deny as well. To do so, in GPMC, select the policy, then click the Delegations tab -> click Advanced -> add the user or group you want to deny -> select the Deny check-box next to Apply Group Policy.


      PS - Did I put enough qualifiers in there?
      Last edited by JeremyW; 13th May 2007, 05:13.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #18
        Re: Configure an Special GPO or what do I need

        Ohh man, the policy that we did before only works with Authenticated Users; as soon as I remove it and put in another group it doesn't work anymore. Imagine my surprise right now when you are telling me that it should work; that would be amazing.

        Now I need to do my homework.

        The way that you're explaining it to me now was the way I thought I should do it, until it did not work.

        Tomorrow I will test all the possible variations.


        • #19
          Re: Configure an Special GPO or what do I need

          Originally posted by Nehemoth
          Ohh man, the policy that we did before only works with Authenticated Users; as soon as I remove it and put in another group it doesn't work anymore. Imagine my surprise right now when you are telling me that it should work; that would be amazing.

          Now I need to do my homework.

          The way that you're explaining it to me now was the way I thought I should do it, until it did not work.

          Tomorrow I will test all the possible variations.

          From the screen shot you posted I would like to note an important distinction between my configuration and your configuration.

          In your configuration only the computers could apply the GPO. In my configuration we also add the users that need to apply the GPO.


          Here is a short, abbreviated description of how Group Policy Processing works for the user:
          When the user logs on it checks to see what GPO(s) it needs to apply. It gets this list and processes them in order (Site, Domain, OU, child OU, etc). With Loopback Processing-Merge enabled, the computer appends this GPO to the end of the list. With Loopback Processing-Replace enabled, the computer disregards the list and uses only this GPO.
          Last edited by JeremyW; 14th May 2007, 16:58. Reason: grammar
          Regards,
          Jeremy



          • #20
            Re: Configure an Special GPO or what do I need

            Originally posted by JeremyW
            From the screen shot you posted I would like to note an important distinction between my configuration and your configuration.

            In your configuration only the computers could apply the GPO. In my configuration we also add the users that need to apply the GPO.


            Here is a short, abbreviated description of how Group Policy Processing works for the user:
            When the user logs on it checks to see what GPO(s) it needs to apply. It gets this list and will process it in order (Site, Domain, OU, child OU, etc). With Loopback Processing-Merge enabled, the computer appends this GPO to the end of the list. With Loopback Processing-Replace enabled, the computer disregards the list and uses only this GPO.

            So you have your users in the same containers as the computers to which you are applying the GPO??


            • #21
              Re: Configure an Special GPO or what do I need

              Originally posted by Nehemoth
              So you have your users in the same containers as the computers to which you are applying the GPO??

              No, just the computers. In the security filtering section is where you need to add the users/groups that you want to apply the policy.
              [Attached image: policyrc6.jpg]
              Regards,
              Jeremy



              • #22
                Re: Configure an Special GPO or what do I need

                Originally posted by JeremyW
                No, just the computers. In the security filtering section is where you need to add the users/groups that you want to apply the policy.
                [Attached image]

                I already changed it to Authenticated Users from that one (Terminal Services PC, because it never worked). Or did I misunderstand again, and what I need to add there are the computers (servers)?

                Right now it looks this way:



                • #23
                  Re: Configure an Special GPO or what do I need

                  OK, let me see if I can say it clearly.

                  When you had the Terminal Services PC group listed in the Security Filtering section, only that group could apply the GPO.
                  Since Loopback Processing is enabled, when a user logs on to a TS server the Terminal Servers GPO gets appended to the list of GPOs the user will apply, but since they don't have permission to apply that GPO, the user will not process the Terminal Servers GPO.

                  Now that you have Authenticated Users (this group applies to any user or computer that authenticates against AD) listed in the Security Filtering section, all users and computers in AD can apply the Terminal Server GPO.


                  Since you want to limit which users apply the GPO, you can create groups of those users and add them to the Security Filtering section.

                  Originally posted by JeremyW
                  Make groups for the three categories of users; admin (you), help desk, everyone else. Also make a group of the computers the users will be logging onto.
                  Note: if you already have groups that fit the above then you can use them (domain admins comes to mind for the admin group)

                  TS Policy 1 - Remove the Authenticated Users group (the one I told you to add before) and add the computer group and the everyone else group. This will be the one you've already configured.

                  TS Policy 2 - Remove the Authenticated Users group and add the computer group and the help desk group. This will be the policy that applies to the help desk users.

                  TS Policy 3 - Remove the Authenticated Users group and add the computer group and the admin group. This will be the policy that applies to the admins group.


                  You really don't need to make policy 2 and 3 unless you want to specify some specific settings when they log on to a TS. The way I outlined above will implicitly deny anyone that is not in the "everyone else" group for "TS Policy 1".

                  If you find it easier to just filter out the few users that don't need to apply the policy rather than making a large group that does need to apply it, you can also explicitly deny as well. To do so, in GPMC, select the policy, then click the Delegations tab -> click Advanced -> add the user or group you want to deny -> select the Deny check-box next to Apply Group Policy.
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com
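
Added example, not part of the thread and not the posters' code: a small Python model of the processing described in posts #19 and #23, where loopback Merge/Replace builds the user's GPO list and Security Filtering then decides which entries the user may apply. Group names other than Authenticated Users and Terminal Services PC are hypothetical, and the model ignores link order, inheritance blocking and WMI filters.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GPO:
    name: str
    apply: frozenset               # Security Filtering: groups allowed "Apply Group Policy"
    deny: frozenset = frozenset()  # groups with Deny ticked next to "Apply Group Policy"

def may_apply(gpo, groups):
    # An explicit Deny overrides any Allow the account also holds.
    return not (gpo.deny & groups) and bool(gpo.apply & groups)

def user_gpo_list(user_scope, computer_scope, loopback):
    # user_scope: GPOs linked above the user object; computer_scope: above the TS computer.
    if loopback == "replace":
        return list(computer_scope)
    if loopback == "merge":
        return list(user_scope) + list(computer_scope)
    return list(user_scope)  # loopback off: the computer's GPOs never reach the user

def applied(user_groups, user_scope, computer_scope, loopback):
    # Every account that logged on to AD is implicitly in Authenticated Users.
    groups = frozenset(user_groups) | {"Authenticated Users"}
    gpos = user_gpo_list(user_scope, computer_scope, loopback)
    return [g.name for g in gpos if may_apply(g, groups)]

# Constructed scenarios; "TS Users", "Help Desk" and "TS Admins" are hypothetical groups.
DOMAIN = [GPO("Default Domain Policy", frozenset({"Authenticated Users"}))]
COMPUTERS_ONLY = [GPO("Terminal Servers", frozenset({"Terminal Services PC"}))]
THREE_POLICIES = [
    GPO("TS Policy 1", frozenset({"Terminal Services PC", "TS Users"})),
    GPO("TS Policy 2", frozenset({"Terminal Services PC", "Help Desk"})),
    GPO("TS Policy 3", frozenset({"Terminal Services PC", "TS Admins"})),
]
DENY_STYLE = [GPO("Terminal Servers", frozenset({"Authenticated Users"}),
                  frozenset({"Help Desk"}))]

if __name__ == "__main__":
    for label, scope in [("computers only", COMPUTERS_ONLY),
                         ("three policies", THREE_POLICIES),
                         ("explicit deny", DENY_STYLE)]:
        for who in ({"TS Users"}, {"Help Desk"}, {"TS Users", "Help Desk"}):
            print(label, sorted(who), applied(who, DOMAIN, scope, "merge"))
```

The last account in the loop belongs to both the "everyone else" group and the help desk group and ends up with TS Policy 1 and TS Policy 2 together, so the groups used for filtering have to be mutually exclusive for the three-policy layout to separate the users.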
