Configure an Special GPO or what do I need

  • Nehemoth
    started a topic Configure an Special GPO or what do I need

    Configure an Special GPO or what do I need

    Hello people around.

    I want to create a GPO for some of our new terminal services servers. This policy will have some restrictions for all users, and this is something that I've completed.

    But this policy will affect only the users that connect from a dumb terminal, so I need a new policy which will affect the users that connect from their PCs but MUST not affect their own computer, just the section in the server.

    What I have done until now is:

    Moved the servers to a new OU
    Created a policy for that OU
    Linked the policy to the OU
    and linked the policy to the OU that contains the users

    But for some reason it's applied to the server but also to the user's computer.

    Any help?
    Last edited by Nehemoth; 8th May 2007, 13:15. Reason: Resolved

  • JeremyW
    replied
    Re: Configure an Special GPO or what do I need

    OK, let me see if I can say it clearly.

    When you had the Terminal Services PC group listed in the Security Filtering section, only that group can apply the GPO.
    Since Loopback Processing is enabled, when a user logs on to a TS server the Terminal Servers GPO gets appended to the list of GPOs the user will apply but since they don't have permission to apply that GPO the user will not process the Terminal Servers GPO.

    Now that you have Authenticated Users (this group applies to any user or computer that authenticates against AD) listed in the Security Filtering section, all users and computers in AD can apply the Terminal Server GPO.


    Since you want to limit which users apply the GPO, you can create groups of those users and add them to the Security Filtering section.

    Originally posted by JeremyW:
    Make groups for the three categories of users; admin (you), help desk, everyone else. Also make a group of the computers the users will be logging onto.
    Note: if you already have groups that fit the above then you can use them (domain admins comes to mind for the admin group)

    TS Policy 1 - Remove the Authenticated Users group (the one I told you to add before) and add the computer group and the everyone else group. This will be the one you've already configured.

    TS Policy 2 - Remove the Authenticated Users group and add the computer group and the help desk group. This will be the policy that applies to the help desk users.

    TS Policy 3 - Remove the Authenticated Users group and add the computer group and the admin group. This will be the policy that applies to the admins group.


    You really don't need to make policy 2 and 3 unless you want to specify some specific settings when they log on to a TS. The way I outlined above will implicitly deny anyone that is not in the "everyone else" group for "TS Policy 1".

    If you find it easier to just filter out the few users that don't need to apply the policy rather than making a large group that does need to apply it, you can also explicitly deny as well. To do so, in GPMC, select the policy then Click the Delegations tab -> click Advanced -> add the user or group you want to deny -> select the Deny check-box next to Apply Group Policy


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    Originally posted by JeremyW:
    No, just the computers. In the security filtering section is where you need to add the users/groups that you want to apply the policy.

    I already changed it to Authenticated Users from that one (Terminal Services PC, because it never worked), or did I misunderstand again and what I need to add there are the computers (servers)?

    Right now it looks this way:


  • JeremyW
    replied
    Re: Configure an Special GPO or what do I need

    Originally posted by Nehemoth:
    So you have your users in the same containers as the computer which you are applying the GPO??
    No, just the computers. In the security filtering section is where you need to add the users/groups that you want to apply the policy.
    [Attached image: policyrc6.jpg]


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    Originally posted by JeremyW:
    From the screen shot you posted I would like to note an important distinction between my configuration and your configuration.

    In your configuration only the computers could apply the GPO. In my configuration we also add the users that need to apply the GPO.


    Here is a short, abbreviated description of how Group Policy Processing works for the user:
    When the user logs on it checks to see what GPO(s) it needs to apply. It gets this list and will process it in order (Site, Domain, OU, child OU, etc). With Loopback Processing-Merge enabled, the computer appends this GPO to the end of the list. With Loopback Processing-Replace enabled, the computer disregards the list and uses only this GPO.
    So you have your users in the same containers as the computer which you are applying the GPO??


  • JeremyW
    replied
    Re: Configure an Special GPO or what do I need

    Originally posted by Nehemoth:
    Ohh man, the policy that we did before just works with Authenticated Users; immediately when I remove it and put another group it doesn't work anymore. Imagine my surprise right now when you are telling me that it should work, that would be amazing.

    Where now I need to do my homework.

    The same way that you're explaining to me now was the way I thought that I should do it, until it did not work.

    Tomorrow I will test all the possible variations.

    From the screen shot you posted I would like to note an important distinction between my configuration and your configuration.

    In your configuration only the computers could apply the GPO. In my configuration we also add the users that need to apply the GPO.


    Here is a short, abbreviated description of how Group Policy Processing works for the user:
    When the user logs on it checks to see what GPO(s) it needs to apply. It gets this list and processes them in order (Site, Domain, OU, child OU, etc). With Loopback Processing-Merge enabled, the computer appends this GPO to the end of the list. With Loopback Processing-Replace enabled, the computer disregards the list and uses only this GPO.
    Last edited by JeremyW; 14th May 2007, 16:58. Reason: grammar


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    Ohh man, the policy that we did before just works with Authenticated Users; immediately when I remove it and put another group it doesn't work anymore. Imagine my surprise right now when you are telling me that it should work, that would be amazing.

    Where now I need to do my homework.

    The same way that you're explaining to me now was the way I thought that I should do it, until it did not work.

    Tomorrow I will test all the possible variations.


  • JeremyW
    replied
    Re: Configure an Special GPO or what do I need

    I haven't tested but from my understanding of loopback processing you should be able to use Security Filtering to do this.

    Anyone feel free to correct me on this... and if I get some time I'll test it out and maybe correct myself

    But as of now this is my understanding of what you could do.

    Make groups for the three categories of users; admin (you), help desk, everyone else. Also make a group of the computers the users will be logging onto.
    Note: if you already have groups that fit the above then you can use them (domain admins comes to mind for the admin group)

    TS Policy 1 - Remove the Authenticated Users group (the one I told you to add before) and add the computer group and the everyone else group. This will be the one you've already configured.

    TS Policy 2 - Remove the Authenticated Users group and add the computer group and the help desk group. This will be the policy that applies to the help desk users.

    TS Policy 3 - Remove the Authenticated Users group and add the computer group and the admin group. This will be the policy that applies to the admins group.


    You really don't need to make policy 2 and 3 unless you want to specify some specific settings when they log on to a TS. The way I outlined above will implicitly deny anyone that is not in the "everyone else" group for "TS Policy 1".

    If you find it easier to just filter out the few users that don't need to apply the policy rather than making a large group that does need to apply it, you can also explicitly deny as well. To do so, in GPMC, select the policy then Click the Delegations tab -> click Advanced -> add the user or group you want to deny -> select the Deny check-box next to Apply Group Policy


    PS - Did I put enough qualifiers in there?
    Last edited by JeremyW; 13th May 2007, 05:13.
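
The three-policy layout from the post above (link to the server OU only, loopback enabled, security filtering on a computer group plus one user group per policy), scripted with the GroupPolicy PowerShell module instead of the GPMC clicks. This is an added example, not part of the original thread; the OU path and group names are hypothetical placeholders, and Authenticated Users is reduced to Read rather than removed outright, which is a choice of this example.

```powershell
# Added example. Every name below (OU path, GPO and group names) is a
# hypothetical placeholder; substitute your own before running.
Import-Module GroupPolicy

$ServerOU      = 'OU=Terminal Servers,DC=example,DC=com'  # OU holding only the TS computer accounts
$ComputerGroup = 'TS-Computers'                           # group of the terminal servers
$Policies = [ordered]@{                                   # GPO name -> user group allowed to apply it
    'TS Policy 1' = 'TS-Everyone-Else'
    'TS Policy 2' = 'TS-HelpDesk'
    'TS Policy 3' = 'TS-Admins'
}
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

foreach ($name in $Policies.Keys) {
    # Reuse the GPO if it already exists (TS Policy 1 in the thread), otherwise create it.
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name | Out-Null
    }

    # "User Group Policy loopback processing mode": UserPolicyMode 1 = Merge, 2 = Replace.
    Set-GPRegistryValue -Name $name -Key $LoopbackKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value 1 | Out-Null

    # Link to the server OU only; a link on the users' OU would follow them to their own PCs.
    $links = (Get-GPInheritance -Target $ServerOU).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $name })) {
        New-GPLink -Name $name -Target $ServerOU | Out-Null
    }

    # Security filtering: take Apply away from Authenticated Users (Read is kept,
    # a choice of this example), then grant Apply to the servers and one user group.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    foreach ($group in @($ComputerGroup, $Policies[$name])) {
        Set-GPPermission -Name $name -TargetName $group -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }

    # Show who can now apply this GPO.
    Get-GPPermission -Name $name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { '{0}: {1}' -f $name, $_.Trustee.Name }
}
```

After `gpupdate /force` on a terminal server, `gpresult /user <name>` run in that user's session should list the policy under USER SETTINGS only for members of the matching group.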


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    Hello again, I don't want to open a new thread, I would prefer to continue here.

    After I did this all is fine, except for 2 things (well, 1 is just more important than the other).

    The policy is working fine, but there are 2 things that I don't like about it. One is that if I want the complete desktop and menu (I'm an administrator) I need to log in with the local account, and more important, what should I do, for instance, if I want certain users (Help Desk) to have options different from all users? For example, I would like that they could see the desktop or the complete Start Menu, or even better, that when they log in to the server the Terminal Services Manager automatically opens up so they could give support to the end users.


    I need to complete the second one more than the first. I could happily live using the local account to log in to the servers, but I need to find a way so help desk can do their job.

    Tomorrow I will do some tests.

    Another problem that I have is this one:
    http://forums.petri.com/showthread.p...8747#post68747

    And another one is where the local printers in the terminal are not being mapped to the Windows terminal sessions, or worse, they are being mapped but not working from some Oracle applications.

    I'm reading about it and searching for info because we have some old T1000 and T1010 Compaq terminals.

    Regards and Thank you


  • JeremyW
    replied
    Re: Configure an Special GPO or what do I need

    I see you were able to solve it before I had a chance to respond. Glad to help the tiny bit that I did.

    Thanks for letting us know what the issue was.


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    Originally posted by JeremyW:
    Delete the link to the OU that contains the users.

    Then configure Loopback Processing on the GPO that's linked to the TS(es).

    Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

    And this was the thing that resolved the problem: I just removed these options

    Computer Configuration > Administrative Templates > Windows Components > Terminal Services

    and removed the options
    Set Path for TS Roaming Profiles
    TS User Home Directory

    The options were set before for the terminal services policy; in this policy I will not need these, at least not in this way. I set these with the folder redirection options in the user configuration field.

    Regards

    Thank you again JeremyW


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    This is a Picture of our policies


    The one that is checked is the one that I'm using.
    It is linked to the OU where the servers are, with the security filtering for Authenticated Users, but I would
    prefer just for a group called Terminal Services PC.

    Terminal services is the one that I use for the terminal services which log on from a dumb terminal.
    Linked to the users OU but just for the group terminal services (same name as policy)

    Terminal services test is the same as the above but for test
    Linked to the users OU but just for the group Terminal services test (same name as policy)
    Last edited by Nehemoth; 14th May 2007, 17:10.


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    First, JeremyW, I really want to thank you for the help, and I'm really sorry for my poor English.

    I did it that way too, applying the security filtering to Authenticated Users, but it is the same; I restarted the server but got the same behavior.

    I really know that there's something that I must be doing wrong, but then again I don't know what it is.

    I have a policy which is working and then a copy of it so it can be used for the result that I want here.

    This is the policy
    http://download.yousendit.com/7872B7A8226AE1E9

    These are the results of gpresult for the user that I'm testing. Of course I have created some users and it's the same; also, in this case I removed Authenticated Users from the security filters for a test.
    ==========
    C:\>gpresult /user porfi

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 5/7/2007 at 3:43:35 PM


    RSOP data for DomainName\porfi on MWTSB04 : Logging Mode
    -------------------------------------------------------

    OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
    OS Configuration: Member Server
    OS Version: 5.2.3790
    Terminal Server Mode: Application Server
    Site Name: Default-First-Site-Name
    Roaming Profile: \\mwtsb10\profiles\porfi.domainname
    Local Profile: C:\Documents and Settings\porfi
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=MWTSB04,OU=Terminal Servers,OU=ORGUNIT-NT,DC=DOMAINAME,DC=COM
    Last time Group Policy was applied: 5/7/2007 at 3:26:59 PM
    Group Policy was applied from: svrdc1.DOMAINAME.COM
    Group Policy slow link threshold: 500 kbps
    Domain Name: DOMAINAME
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Terminal Servers
    Filtering: Not Applied (Unknown Reason)

    The computer is a part of the following security groups
    -------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    Debugger Users
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    MWTSB04$
    Domain Computers


    USER SETTINGS
    --------------
    CN=porfi,OU=ORGUNIT,OU=ORGUNIT,DC=DOMAIN,DC=COM
    Last time Group Policy was applied: 5/7/2007 at 3:28:07 PM
    Group Policy was applied from: svrdc1.DOMAIN.COM
    Group Policy slow link threshold: 500 kbps
    Domain Name: DOMAIN
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Terminal Servers
    Screensaver

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    Remote Desktop Users
    REMOTE INTERACTIVE LOGON
    NT AUTHORITY\INTERACTIVE
    TERMINAL SERVER USER
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL
    Grp-Inf
    Grp-ScreenSaver
    Dpto-Inf-Hdesk
    Grp-Archivos
    Salon-3A-LDV-Read
    Grp-SopTec-Full
    Terminal Services PC
    Dpto-Inf-SopTec
    Salon-MisA-Full


  • JeremyW
    replied
    Re: Configure an Special GPO or what do I need

    If you have the desired User Configuration settings configured in the Terminal Servers PC GPO then all you should need to do is add Authenticated Users to the security filtering.


  • Nehemoth
    replied
    Re: Configure an Special GPO or what do I need

    What I said is that it is not linked with the user settings configured linked to the OU containing the TS server.

    OK, I will begin again with the method one of this guide
    http://support.microsoft.com/kb/260370

    I will try to make the policy from scratch again.

    Wish me luck.
