App locker ???????

  • App locker ???????

    I have a domain controller, and that's all it is, is a domain controller. I have a terminal server (they are on 2 separate servers) joined to the DC. Now how can I run AppLocker through a GPO on a domain controller, when the applications are on the terminal server?

    Everywhere I look, I see AppLocker run through GPOs, but everywhere I look, I'm told that DCs should be on their own box, and TSs should be on their own, but all of the descriptions are for computers connected to a domain, not a terminal server?

  • #2
    Re: App locker ???????

    As long as the TS is joined to the domain, it will be subject to GPOs, just like a client workstation.

    By default, the TS will go into the Computers container in AD so will fall under domain level GPOs only. To apply specific GPOs to the terminal server, create an OU, move the TS into it, and apply a policy to the OU.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: App locker ???????

      But there is no path to the terminal server when choosing a path from AppLocker to the terminal server; it only sees the DC's files and folders.


      • #4
        Re: App locker ???????

        Your AppLocker rules, IIRC, can specify a publisher or a file hash, not just a path.
        Even for a path rule, you can type in the path on your TS.
        Tom Jones
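The steps from replies #2 and #4, as an added example that is not part of the original posts: it moves the terminal server's computer account into its own OU, links a GPO there, and writes publisher/hash AppLocker rules into that GPO in audit-only mode. The computer name `TS01`, the OU name `Terminal Servers`, the GPO name `TS AppLocker` and the scanned folder are assumptions; the script needs the ActiveDirectory, GroupPolicy and AppLocker PowerShell modules.

```powershell
# Added example. Values marked "assumed" are placeholders, not taken from the thread.
Import-Module ActiveDirectory, GroupPolicy, AppLocker

$domainDn = 'DC=mydomain,DC=org'    # domain name as written later in the thread
$tsName   = 'TS01'                  # assumed computer name of the terminal server
$ouName   = 'Terminal Servers'      # assumed OU for the TS computer account
$gpoName  = 'TS AppLocker'          # assumed GPO name

# 1. AppLocker sits under Computer Configuration, so the GPO must reach the TS
#    computer object. Create an OU and move the account out of CN=Computers.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
$ouDn = "OU=$ouName,$domainDn"
Get-ADComputer -Identity $tsName | Move-ADObject -TargetPath $ouDn

# 2. Create the GPO and link it to that OU only, so the DC is not affected.
$gpo = New-GPO -Name $gpoName
New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes

# 3. Build rules from the executables as they exist on the TS (read here over
#    the admin share). Publisher rules for signed files, hash rules otherwise.
$files  = Get-AppLockerFileInformation -Directory "\\$tsName\c`$\Program Files" -Recurse -FileType Exe
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# Start in audit-only mode so nothing is blocked while the rule set is incomplete.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Store the policy in the GPO, addressed by its GUID under CN=Policies.
$ldap = "LDAP://CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
Set-AppLockerPolicy -PolicyObject $policy -LDAP $ldap

# 5. Run on the TS itself: refresh computer policy and confirm what arrived.
#    Rules are evaluated only while the Application Identity service is running.
gpupdate /target:computer /force
gpresult /r /scope computer
Get-Service -Name AppIDSvc
Get-AppLockerPolicy -Effective -Xml
```

In audit-only mode, launches that the rules would have blocked are recorded on the TS under Applications and Services Logs > Microsoft > Windows > AppLocker, which shows what is missing from the rule set before enforcement is turned on.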


        • #5
          Re: App locker ???????

          What is IIRC? Also, I see AppLocker under the computer configuration on the domain controller, not the user configuration.

          When configured on the domain controller, does the computer configuration GPO only configure the computer (domain controller), or would the computer configuration affect the terminal server computer?


          • #6
            Re: App locker ???????

            IIRC = If I Recall Correctly


            • #7
              Re: App locker ???????

              The GPO will need to be applied either to the domain (will affect all computers) or to an OU containing the Terminal Server.
              Tom Jones


              • #8
                Re: App locker ???????

                I want to rephrase my last question, because I think I know what you're saying, but not sure.

                There are no computers attached to the domain, just the terminal server. Ossian, what you're saying is that if I configure the computer configuration portion of the GPO called DESKTOP LOCKDOWN (OF THE DOMAIN CONTROLLER), then it will configure the TS accordingly........

                If I edit the DESKTOP LOCKDOWN, it looks like this:

                Desktop Lockdown
                - Computer Configuration
                  +Policies
                  +Preferences

                - User Configuration
                  +Policies
                  +Preferences



                The reason I'm re-asking this is because I've had no luck in configuring the computer portion of the DC's GPO (DESKTOP LOCKDOWN), which I thought would affect the TS. I have to configure the user portion of the GPO in the DC for the TS users (like for desktop icons displaying or not displaying), and for the TS itself (e.g. use Easy Print driver first ..... set time limit for disconnected sessions ........ allow audio and playback redirection), I have to configure the GPEDIT.MSC.

                ..........IT'S KIND OF TOUGH, BECAUSE EVEN IF I CONFIGURE A SETTING AND DO A GPUPDATE /FORCE (EVEN RESTARTING THE SERVER(S)), IN TRYING TO LEARN WHAT CONTROLS WHAT (COMPUTER/USER OF DOMAIN ..... COMPUTER/USER OF TS (GPUPDATE)), SOMETIMES IT DOESN'T WORK, SO I GO ON TO TRY MANY DIFFERENT WAYS TO IMPLEMENT SOMETHING, NOTHING WORKS, SO THEN I GO BACK TO WHAT I DID THE FIRST TIME, JUST FOR THE HELL OF IT, AND IT WORKS!!!!!!!!!!#$%&*#$%@&* LOL, CONFUSING!!!!!!!!!!!!!! (HAS BEEN HAPPENING A LOT)

                Here is how my DC is set up, starting at the top:

                Group Policy Management
                -Forest:mydomain.org
                -Domains
                -mydomain.org
                **DefaultDomainPolicy
                **DesktopLockdown......(this is the one i created)
                -DomainController
                **Default Domain Controller
                -TS Users(I CREATED THIS OU)
                **Desktop Lockdown
                OU1
                OU2
                OU3
                OU4
                -Group Policy Objects
                **Default Domain Controllers Policy
                **Default Domain Policy
                **Desktop Lockdown

                WMI Filters
                Starter GPOs

                Sites
                Group Policy Modeling
                Group Policy Results

                The OUs are the Active Directory users; the DESKTOP LOCKDOWN applies to all OUs within the OU TS Users.

                That's why I'm re-asking this question. From my experience troubleshooting these policies, these GPOs have convinced me that the computer portion of the GPO on the domain controller just controls that box, not the TS box......but if you say it does, I'll make the setting and wait a few days to see if it kicks in.

                As always, I appreciate this site's patience. Ossian, thanks, you're always there!!!!


                • #9
                  Re: App locker ???????

                  Is the terminal server a domain member?
                  Tom Jones


                  • #10
                    Re: App locker ???????

                    Yes, the terminal server is part of the DC's domain. I answered yes a couple of days ago, just saw it didn't post, answered yes again, and I now see I must have 10 letters to post.......there's my 10 letters LOL