administrator permissions for TS Profiles

  • administrator permissions for TS Profiles

    Hi

    We have created a group policy to redirect the TS user terminal services profile to go to a specific folder - recommended as good practice.

    However it appears to be created without administrator rights.

    Can it? And does anyone know how?

    Thanks for any help.

  • #2
    Re: administrator permissions for TS Profiles

    Hi,

    Can't you just apply the permissions for the administrators on the parent folder?
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: administrator permissions for TS Profiles

      It has already on the shared folder - but doesn't appear to be reflected in the new user TS profile folder created.

      Unless we have got something set up wrong.

      Any thoughts.



      • #4
        Re: administrator permissions for TS Profiles

        There's a GPO setting in Computer Configuration|Administrative Templates|System|User Profiles called "Add the Administrators security group to roaming user profiles" that will give the Administrators group permissions to the profile folders. Note that this only affects new profiles that are created after you enable the GPO setting; it does not modify the permissions of existing profile folders.



        • #5
          Re: administrator permissions for TS Profiles

          Hi

          Yes we have that set - but it seems it does not apply it to the Terminal Services Roaming Profile.

          Any other thoughts please.

          Thanks



          • #6
            Re: administrator permissions for TS Profiles

            Do you have it set in the GPO that applies to your TS servers?



            • #7
              Re: administrator permissions for TS Profiles

              Hi

              I have an OU that contains all the TS users but not the TS server.



              • #8
                Re: administrator permissions for TS Profiles

                The GPO setting needs to be enabled in the GPO that applies to the TS.



                • #9
                  Re: administrator permissions for TS Profiles

                  OK

                  Can I just add the same policy to the OU with the server in?

                  And do I leave it on the OU for the users or remove it from there - what may be best?

                  Thanks



                  • #10
                    Re: administrator permissions for TS Profiles

                    Technically it's a computer setting not a user setting so it needs to be enabled in the GPO that applies to the TS computer. You should remove it from the GPO that applies to the users.

                    Also, GPO settings under computer configuration apply to computers and GPO settings under user configuration apply to users. There are some GPO settings that can be found in both locations and if they're configured in both then the user settings override the computer settings.



                    • #11
                      Re: administrator permissions for TS Profiles

                      Ok

                      Just to clarify:-

                      Are you saying we need 2 policies, one for users and one for the TS servers?
                      I have not seen this mentioned before for locking down TS.

                      I have created a single loopback policy and applied various recommended lockdown settings for TS. I have then applied this to my OU for terminal services users.

                      I can also add it to the TS servers as well if that's what is being recommended.



                      • #12
                        Re: administrator permissions for TS Profiles

                        No, I'm not saying you need two policies. I assumed that you had separate OU's for your users and your servers. Here's what I am saying: Regardless of your OU structure, you need to enable the GPO setting in the GPO that is linked to the OU where the TS servers are because it's a computer setting and applies to computers not users. Loopback policy processing is not relevant here as you are enabling a computer setting.

                        Loopback policy processing is for user settings and works like this:

                        You have an OU where your server is. You have an OU where your user is. You have computer GPO settings enabled in a GPO linked to your server OU. You have user GPO settings enabled in a GPO linked to the OU where your user is. You want to apply different user GPO settings to your user when they log on to the server. You enable the GPO settings under user configuration in the GPO linked to your server OU and configure Loopback Policy Processing. This tells the GPO extensions to apply the user settings from the TS OU rather than the user OU.

                        GPO settings apply to objects "in their path" which means that normally GPO settings for the user come from the GPO linked to the OU (or container) where the user object is. Loopback Policy Processing lets you "get around" this by applying user settings from the GPO linked to the OU (or container) where the computer object is.

                        I hope I haven't made this too confusing.



                        • #13
                          Re: administrator permissions for TS Profiles

                          The explanation is useful but confusing.

                          It is a very simple setup with a single TS server and a few TS users.

                          I have an OU with my terminal services users in it. They only connect by TS, and the loopback policy is applied to this.

                          I have an OU with my terminal services server in it. There is no specific group policy applied to this.

                          There are no other group policies anywhere else except the default domain policy.


                          I am just wondering the best way forward - would the simplest route be just to add the loopback policy to apply to the terminal services server OU ....

                          AND leave it applying to the TS users OU or remove it from this.



                          • #14
                            Re: administrator permissions for TS Profiles

                            Sorry. I did make it confusing. Let's understand a few things about Group Policy and then move forward to solving this for you.

                            1. GPO settings apply to objects "in their path". This means that GPO settings apply to objects in OU's and containers that the GPO is linked to.

                            2. GPO settings under the computer configuration section apply only to computers.

                            3. GPO settings under the user configuration section apply only to users.

                            4. Loopback policy processing is a method for applying alternate user settings to a user based on the user configuration settings of the GPO linked to where the computer is rather than the GPO linked to where the user is.

                            5. Loopback policy processing has no relevance or effect on settings under computer configuration, only to settings under user configuration.

                            6. You have an OU for your users. You do not have an OU for your servers (they are in the default computer container). This means that the computer configuration GPO settings for the servers are being applied from your Default Domain GPO.

                            7. You are enabling a computer configuration setting, not a user setting, so Loopback policy processing is not relevant and has no bearing here.

                            8. What you need to do is enable the setting in the GPO that is linked to your server, which in your case is the Default Domain Policy.

                            9. Forget about Loopback policy processing as it's not relevant and is only confusing the matter. The way you have it configured is incorrect. Disable Loopback policy processing.

                            Here's my recommendation:

                            1. Create an OU for the TS server.
                            2. Move the server to this OU.
                            3. Create and link a GPO to this OU.
                            4. Enable the GPO setting for the profiles in the computer configuration setting of this GPO.

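Added example (not part of the thread and not any poster's code): the four steps recommended in post #14 as PowerShell, followed by an audit for profile folders created before the setting took effect, which post #4 notes are not modified. The domain DN, OU name, server name, GPO name and share path are placeholders; `AddAdminGroupToRUP` is the registry value behind the "Add the Administrators security group to roaming user profiles" setting.

```powershell
# Added example; every name in this block is a placeholder for your environment.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = 'DC=example,DC=local'             # assumed domain
$OuName   = 'Terminal Servers'                # assumed OU name
$OuDN     = "OU=$OuName,$DomainDN"
$Server   = 'TS01'                            # assumed TS computer name
$GpoName  = 'TS Servers - Computer Settings'  # assumed GPO name
$ProfRoot = '\\fileserver\tsprofiles$'        # assumed TS profile share

# 1. Create an OU for the TS server.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN

# 2. Move the server's computer object into that OU.
Get-ADComputer -Identity $Server | Move-ADObject -TargetPath $OuDN

# 3. Create a GPO and link it to the OU.
New-GPO -Name $GpoName | New-GPLink -Target $OuDN

# 4. Enable the profile setting under Computer Configuration.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'AddAdminGroupToRUP' -Type DWord -Value 1

# Audit: list profile folders where Administrators has no Allow entry,
# or where the ACL cannot even be read by the account running the check.
Get-ChildItem -Path $ProfRoot -Directory | ForEach-Object {
    $folder = $_.FullName
    try {
        $acl = Get-Acl -Path $folder -ErrorAction Stop
        $admins = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $_.AccessControlType -eq 'Allow'
        }
        if (-not $admins) {
            [pscustomobject]@{ Folder = $folder; Owner = $acl.Owner; Issue = 'No Administrators ACE' }
        }
    } catch {
        [pscustomobject]@{ Folder = $folder; Owner = $null; Issue = 'ACL not readable' }
    }
}
```

The setting is applied at the next computer policy refresh on the TS. Folders reported by the audit predate it and need their ACLs corrected separately.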