Group Policy only on Terminal-server


  • Group Policy only on Terminal-server

    Hi there

    How do I make a Group Policy that works for users when logging into the terminal-server, and NOT when working on their local PCs?

    I want to restrict the users not to have any permissions on the system-drive on the terminal-server (among other things).
    I've made a group policy to a group, that works very well when they are logged on the terminal-server, but also works when they are logged on their local PC.

    How do I make a Policy that works ONLY when logged on the terminal-server?

    FYI: SBS2003 and W2K3 as terminal server in domain, fully updated from MS

    Regards from Denmark

    G Ladefoged

  • #2
    Re: Group Policy only on Terminal-server

    Hi,

    Did you try to review the TS FAQ:

    Terminal Server FAQ:

    Group Policy:

    How to apply Group Policy objects to Terminal Services servers

    http://support.microsoft.com/default...b;EN-US;260370

    Loopback Processing of Group Policy

    http://support.microsoft.com/?kbid=231287

    Security Settings - Software Restrictions

    http://www.computerperformance.co.uk...strictions.htm

    Introduction to Group Policy in Windows Server 2003

    http://www.microsoft.com/windowsserv...w/gpintro.mspx

    Windows Server 2003 Security Guide

    http://www.microsoft.com/downloads/d...displaylang=en

    Windows 2003 - Group Policy WMI Filters

    http://www.computerperformance.co.uk...MI_filters.htm

    Using Windows Terminal Services to Run a Single Application

    http://www.windowsecurity.com/articl...plication.html

    How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session

    http://support.microsoft.com/default...b;en-us;278295

    Best Practices for Citrix Policy design for Presentation Server 3 or 4

    http://www.brianmadden.com/content/content.asp?ID=503


    Terminal Server Licensing:

    The Ultimate Guide to Windows 2003 Terminal Server Licensing

    http://www.brianmadden.com/content/content.asp?id=154



    The Ultimate Guide to Terminal Server Printing - Design and Configuration

    http://www.brianmadden.com/content/content.asp?ID=62


    How to Configure Windows Network Load Balancing for pure Terminal Server environments

    http://www.brianmadden.com/content/content.asp?id=278


    Session Directory and Load Balancing Using Terminal Server

    http://www.microsoft.com/windowsserv...directory.mspx


    Terminal Services Client Cannot Connect to NLB Cluster TCP/IP Address

    http://support.microsoft.com/?kbid=280805


    Add on tools:


    User Profile Hive Cleanup Service

    http://www.microsoft.com/downloads/d...displaylang=en

    RDP 5.2

    http://www.petri.com/download_rdp_5_2.htm


    Tips:


    Printers That Use Ports That Do Not Begin With COM, LPT, or USB Are Not Redirected in a Remote Desktop or Terminal Services Session

    http://support.microsoft.com/kb/302361/en-us

    Windows 2000 Terminal Services server logs events 1111, 1105, and 1106

    http://support.microsoft.com/?id=239088

    Troubleshooting Remote Desktop Licensing Error Messages

    http://technet2.microsoft.com/Window...97e2c1033.mspx


    Regards,

    Yuval
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: Group Policy only on Terminal-server

      Hello,
      Create a new OU, let's say Terminal Servers, move your terminal servers here, apply your GP only to this OU.
      Regards,
      Csaba
      Regards,
      Csaba Papp
      MCSA+messaging, MCSE, CCNA
      ...............................
      Remember to give credit where credit is due and leave reputation points where appropriate
      .................................



      • #4
        Re: Group Policy only on Terminal-server

        Hi gladefoged.

        I'm not sure if this is what you are looking for, but this way you can have users in one OU and Terminal Server in another (and have 2 sets of GP rules):

        1. Place your users to OU "My users"
        -make whatever GPs you need and the settings that users need when they are on their local PCs.

        2. Place the Terminal Server in an OU "Terminal Servers"
        - make a new policy "TerminalServers"
        - configure the policies that you want your users to have when they log on to Terminal Server.
        - the thing here is ... that since the users do not belong to the "Terminal Servers" OU, they will not get these policy settings, unless
        - you enable the "User Group Policy loopback processing mode" on the "TerminalServers" GP

        How to enable the rule?

        Edit the "TerminalServers" GP
        Browse your way to:
        Computer Configuration
        -Administrative templates
        --System
        ---Group Policy
        ----"User Group Policy loopback processing mode"

        Anyhow here is the Microsoft explanation for the setting:
        =====================================================
        Applies alternate user settings when a user logs on to a computer affected by this setting.

        This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

        By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

        To use this setting, select one of the following modes from the Mode box:

        -- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

        -- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

        If you disable this setting or do not configure it, the user's Group Policy objects determine which user settings apply.

        Note: This setting is effective only when both the computer account and the user account are in Windows 2000 domains.
        =====================================================

        Hope it helped,
        KT



        • #5
          Re: Group Policy only on Terminal-server

          Hi again

          Still got problems:
          Made an OU called terminal-server
          Moved the terminal server to this OU.
          Made a Group called Terminal-users and put a user in this group
          Made Policy on OU Terminal-server and made some restrictions, i.e. "Hide these Drives", and "Force Classic Menu".
          Enabled "User Group Policy Loopback Processing Mode"
          In the group Policy "Security Filtering" removed "Authenticated Users" and added the group called "Terminal-users".

          Rebooted the terminal-server, and logged in with the user in "Terminal Users",
          none of the Group Policy settings work.
          What am I missing?

          Regards from

          G Ladefoged



          • #6
            Re: Group Policy only on Terminal-server

            That sounds weird. I tested it and it worked fine for me.
            (I didn't have a Terminal Server in my test environment; I used a WinXP machine.)

            What I did
            1. Created OU called "terminal-server"
            - Moved a computer there ("pcone")

            2. Created OU "my users"
            - made new user ("User1")

            3. Created a user group called "terminal-users" (Global - security type) to the "terminal-server" OU

            4. Added the "User1" user to the group "terminal-users"

            5. Made a new GPO (and linked it to the terminal-server OU)
            - Edited it, removed LogOff from users in Start menu and enabled the Loopback... (used the Merge mode)

            6. Removed "Authenticated users" and added "terminal-users" group to the GPO
            - Make sure you have the "Apply Group Policy" selected when setting rights to the "terminal-users" group

            7. Rebooted the machine "pcone" -> Logoff was removed from Start menu. All OK.

            I'm not sure if you missed anything (some things you didn't mention, so maybe the Apply Group Policy was not set?). Anyhow, hope it helps.
            KT

            edit: an update to this.
            I installed the GPMC and after this none of the GP rules worked anymore.
            I'm all lost now
            Last edited by KristoT; 19th March 2006, 02:35.



            • #7
              Re: Group Policy only on Terminal-server

              I figured it out!

              By removing the Authenticated Users, the computer account also loses the rights to apply the GPOs to itself.

              I used the GPMC tool's Group Policy Results to check what GPOs were applied to a terminal-users group's user, and the computer settings of the terminal-server GPO were not applied, thus the loopback did not work and the settings did not work.

              Solution:
              Add the terminal server machine account to the Security Filtering as well as the terminal-users group.



              • #8
                Re: Group Policy only on Terminal-server

                KristoT had the solution:

                Added both the Terminal-server AND the Terminal-users group in the "security filtering", and now I can manage the Terminal-users, if they can access the c: and d: drive, have the "classic menu" enabled, and whatever I like.

                And NO restriction on their local pcs

                Nice thinking, KristoT, thanks a lot

                Case closed

                Regards from Denmark
                G Ladefoged
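
The configuration the thread converges on in posts #4 to #8 (GPO linked to the terminal server OU, loopback enabled, security filtering that includes both the user group and the server's computer account), as an added example that is not part of any post. It assumes the GroupPolicy PowerShell module from RSAT on a newer management host (the module is not available on the Windows Server 2003 systems in the thread); the OU path, server name and test user are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run as a domain admin with RSAT installed.
Import-Module GroupPolicy

$GpoName  = 'TerminalServers'                          # GPO name from post #4
$TsOu     = 'OU=Terminal Servers,DC=example,DC=local'  # hypothetical OU DN
$TsServer = 'TS01'                                     # hypothetical server name
$TsGroup  = 'Terminal-users'                           # group from post #5
$TestUser = 'EXAMPLE\user1'                            # hypothetical member of $TsGroup

# 1. Create the GPO and link it to the OU that holds the terminal server only.
New-GPO -Name $GpoName | New-GPLink -Target $TsOu -LinkEnabled Yes

# 2. Enable "User Group Policy loopback processing mode".
#    This is a computer-side setting: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# 3. Security filtering. The computer account must be able to apply the GPO,
#    otherwise the loopback setting from step 2 never reaches the server
#    (the failure diagnosed in post #7).
Set-GPPermission -Name $GpoName -TargetName $TsGroup  -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName $TsServer -TargetType Computer `
    -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# 4. Check the filter before testing a logon: warn if the server is missing.
$applyTrustees = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

if ($applyTrustees -notcontains $TsServer -and
    $applyTrustees -notcontains "$TsServer`$") {
    Write-Warning "$TsServer cannot apply '$GpoName'; loopback will not take effect."
}

# 5. Equivalent of GPMC "Group Policy Results" from post #7: confirm the GPO
#    shows up under both computer and user settings for a test user who has
#    already logged on to the server once.
Get-GPResultantSetOfPolicy -Computer $TsServer -User $TestUser `
    -ReportType Html -Path "$env:TEMP\ts-rsop.html"
```

After changing the filter, run `gpupdate /force` on the terminal server or reboot it, as the posters did, before logging on with the test user.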
