GPO filtering users and computers


  • GPO filtering users and computers

    I am having trouble wrapping my head around this. I have a group of users who all have local workstations. I'm adding a TS to the network that will require these users to log on to the server. I want to apply GPO objects to a group of users that will only apply to the TS. I do not want the GPO objects to apply to all users that log in to the TS, such as administrators. Is Security Filtering the way to do this? If I remove Authenticated Users from my GPO and add the security group as well as the server computer, will the GPO apply to users outside of the specified group?

    Regards,
    Walt

  • #2
    Re: GPO filtering users and computers

    Yes, if you add the security group, the GPO will only apply to that group.

    Comment


    • #3
      Re: GPO filtering users and computers

      I guess my question is: will it only apply to that group when its members log in to the server specified in the Security Filter?

      Comment


      • #4
        Re: GPO filtering users and computers

        If the security settings are in the User branch of the GPO structure, then this will only apply to the users who are members of the security filtering at logon.

        Comment


        • #5
          Re: GPO filtering users and computers

          OK, if you have a GPO that you want applied to all but administrators, leave Authenticated Users there, add the security group of those to which you do not want it applied, and on the ACL for the GPO, highlight that group and where it says "Apply group policy" check the "Deny" box. Explicit "Deny" will always override "Allow", so you can apply the GPO to everyone but them.

          Comment


          • #6
            Re: GPO filtering users and computers

            OK, after reading it again, I think I had trouble wrapping my head around your question. All that ACL tells you is to whom or what that policy will be applied. The user settings of the GPO will be applied to those users no matter where they log in.

            If you only want the policy to apply to that server, why not just use a local policy? Now, I don't mean the "Local Security Policy" you see in Administrative Tools, I mean go to the run prompt and type in "MMC", then add the snap-in "Group Policy Object Editor" and hit "Finish" when the box pops up. This will provide for you an interface that looks the same as a GPO for the domain, only it only applies to the local machine.

            Hope that's what you're looking for. I'm still a little confused.

            Comment


            • #7
              Re: GPO filtering users and computers

              Let me try to clarify. I want the members of the Remote Users group to have a specific policy when they log on to the terminal server. When they log on to their workstations, the Remote Users policy will not be applied. Basically, my Remote User policy for the TS restricts everything you don't want users doing on a server: Internet, Email, accessing Control Panel, etc. However, these are all things we allow users to do on their local workstation.

              Does that make sense?

              Comment


              • #8
                Re: GPO filtering users and computers

                Yes it does. You should go with the local policy option as described in my second post. Just open up MMC on that server and configure the policy there.

                Comment


                • #9
                  Re: GPO filtering users and computers

                  You need to investigate "loopback processing" -- designed for this scenario

                  Create a TS policy, apply it to the OU with the TSes in it, and enable loopback processing in replace mode. This will overwrite any user policy settings without resorting to security filtering.
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  Comment
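
The loopback setup described in post #9, scripted with the GroupPolicy PowerShell module. This is an added example, not code from the thread; the GPO name and OU distinguished name are placeholders, and the Control Panel restriction stands in for the lockdown settings mentioned in post #7.

```powershell
# Added example: run on a management host with the GroupPolicy module (RSAT).
# The GPO name and OU path are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName = 'TS User Lockdown'                        # placeholder
$TsOu    = 'OU=Terminal Servers,DC=example,DC=com'   # placeholder: OU holding the TS computer account

# 1. Create the GPO and link it to the OU that contains the terminal server.
$gpo = New-GPO -Name $GpoName -Comment 'User restrictions for TS sessions only'
New-GPLink -Guid $gpo.Id -Target $TsOu -LinkEnabled Yes | Out-Null

# 2. Enable user Group Policy loopback processing (a computer-side setting).
#    UserPolicyMode: 1 = Merge, 2 = Replace.
$loopKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Guid $gpo.Id -Key $loopKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Put the user-side restrictions in the same GPO. Because of loopback,
#    they apply to users only while they are logged on to machines in $TsOu.
Set-GPRegistryValue -Guid $gpo.Id `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 4. Verify what was written before relying on it.
$mode = Get-GPRegistryValue -Guid $gpo.Id -Key $loopKey -ValueName 'UserPolicyMode'
if ($mode.Value -ne 2) { throw 'Loopback is not set to Replace mode.' }

$link = (Get-GPInheritance -Target $TsOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enabled }
if (-not $link) { throw "GPO is not linked (enabled) at $TsOu." }

'{0}: loopback mode {1}, linked at {2}' -f $GpoName, $mode.Value, $TsOu

# On the terminal server itself, refresh and confirm the applied user GPOs:
#   gpupdate /force
#   gpresult /r /scope:user
```

In Replace mode the GPO's user settings apply to every account that logs on to computers in that OU, administrators included, unless they are excluded with a Deny on "Apply group policy" as post #5 describes.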


                  • #10
                    Re: GPO filtering users and computers

                    It is probably easier to make a loopback policy for the users' workstations, and just use normal policies for the terminal server.
                    gerth

                    MCITP sa, ea & va, [email protected]

                    Comment


                    • #11
                      Re: GPO filtering users and computers

                      I created a GPO for my users OU. I then created an OU for the TS and applied loopback to that policy. Works a treat.

                      Thanks!

                      Comment


                      • #12
                        Re: GPO filtering users and computers

                        Well done!
                        Tom Jones
                        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                        PhD, MSc, FIAP, MIITT
                        IT Trainer / Consultant
                        Ossian Ltd
                        Scotland


                        Comment
