Ureader.com  
Microsoft software help and Community
   home   |   control panel login   |   archive   |  
 
NT
apps
dfs
dns
domain
dsmnfpnw
embedded
fsft
mail
misc
oemdsp.preinstall
personalfax
print
protocol.ipx
protocol.misc
protocol.ras
protocol.routing
protocol.tcpip
registry
setup
terminalserv.app.
terminalserv.client
terminalserv.connectivity
terminalserv.domain
terminalserv.misc
terminalserv.prot.rdp
terminalserv.prot.tcpip
terminalserv.setup
terminalserv.user
windowsnt.wntsee
  
 
date: Thu, 3 Nov 2005 10:23:10 -0600,    group: microsoft.public.windowsnt.terminalserver.setup        back       


TS User Policy vs Desktop User Policy    
Is there a way to apply user GPO to a user logged onto TS and not have it 
apply to the same user when logged onto their PC?
I am setting up W2k3e sp1 TS, in a W2k3 domain with all desktops XP sp2. I 
cannot use mandatory profile because one of the applications needs to be 
able to save settings in the profile.  I want to lock down the user 
environmetn as much as possible on the  TS, but on the local desktop I need 
them to have less restriction. Thanks in advance.
date: Thu, 3 Nov 2005 10:23:10 -0600   author:   LRM

Re: TS User Policy vs Desktop User Policy    
Yes, the method to achieve this is to use "loopback processing" of 
your GPO with the "Replace" option .

Create a separate OU, put your Terminal Server (but *not* the user 
accounts!) in this OU.
Then link your restrictive GPO to the OU and configure loopback 
processing. Restrictions will affect users when they logon to the 
TS, but not when they logon to their PCs.
Oh, and make sure that Administrators are not restricted by the GPO 
by choosing the "Deny" right for "Apply this GPO" in the security 
settings of the GPO.

260370 - How to Apply Group Policy Objects to Terminal Services 
Servers 
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to 
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"LRM"  wrote on 03 nov 2005 in
microsoft.public.windowsnt.terminalserver.setup: 

> Is there a way to apply user GPO to a user logged onto TS and
> not have it apply to the same user when logged onto their PC?
> I am setting up W2k3e sp1 TS, in a W2k3 domain with all desktops
> XP sp2. I cannot use mandatory profile because one of the
> applications needs to be able to save settings in the profile. 
> I want to lock down the user environmetn as much as possible on
> the  TS, but on the local desktop I need them to have less
> restriction. Thanks in advance.
date: Thu, 03 Nov 2005 13:29:39 -0800   author:   Vera Noest [MVP]

Re: TS User Policy vs Desktop User Policy    
Loopback, of course. You Rock! Thanks for all the help.

"Vera Noest [MVP]"  wrote in message 
news:Xns9703E4D00BE4Bveranoesthemutforsse@207.46.248.16...
> Yes, the method to achieve this is to use "loopback processing" of
> your GPO with the "Replace" option .
>
> Create a separate OU, put your Terminal Server (but *not* the user
> accounts!) in this OU.
> Then link your restrictive GPO to the OU and configure loopback
> processing. Restrictions will affect users when they logon to the
> TS, but not when they logon to their PCs.
> Oh, and make sure that Administrators are not restricted by the GPO
> by choosing the "Deny" right for "Apply this GPO" in the security
> settings of the GPO.
>
> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287
>
> 816100 - How To Prevent Domain Group Policies from Applying to
> Administrator Accounts and Selected Users in Windows Server 2003
> http://support.microsoft.com/?kbid=816100
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "LRM"  wrote on 03 nov 2005 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Is there a way to apply user GPO to a user logged onto TS and
>> not have it apply to the same user when logged onto their PC?
>> I am setting up W2k3e sp1 TS, in a W2k3 domain with all desktops
>> XP sp2. I cannot use mandatory profile because one of the
>> applications needs to be able to save settings in the profile.
>> I want to lock down the user environmetn as much as possible on
>> the  TS, but on the local desktop I need them to have less
>> restriction. Thanks in advance.
date: Thu, 3 Nov 2005 18:21:50 -0600   author:   LRM

Re: TS User Policy vs Desktop User Policy    
Hi,

Coincidentally I'm at exactly the same point deploying our office terminal 
server.  So your post was quite timely :)  However.....

I've done what you've suggested below and everything works fine except for 
the part about restricting the administrators account.  If I tick Deny for 
the administrators it works as expected for my admin account, however all of 
my users now do not seem to apply the group policy and have full access to 
the start menu, desktop etc.   Folder redirection does seem to work though. 
If I untick Deny for the admin accounts all of my users are now restricted 
including the admin users.

I'm sure I'm doing something stupid so any pointers in the right direction 
would help.

Thanks,


Mike

"Vera Noest [MVP]"  wrote in message 
news:Xns9703E4D00BE4Bveranoesthemutforsse@207.46.248.16...
> Yes, the method to achieve this is to use "loopback processing" of
> your GPO with the "Replace" option .
>
> Create a separate OU, put your Terminal Server (but *not* the user
> accounts!) in this OU.
> Then link your restrictive GPO to the OU and configure loopback
> processing. Restrictions will affect users when they logon to the
> TS, but not when they logon to their PCs.
> Oh, and make sure that Administrators are not restricted by the GPO
> by choosing the "Deny" right for "Apply this GPO" in the security
> settings of the GPO.
>
> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287
>
> 816100 - How To Prevent Domain Group Policies from Applying to
> Administrator Accounts and Selected Users in Windows Server 2003
> http://support.microsoft.com/?kbid=816100
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "LRM"  wrote on 03 nov 2005 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Is there a way to apply user GPO to a user logged onto TS and
>> not have it apply to the same user when logged onto their PC?
>> I am setting up W2k3e sp1 TS, in a W2k3 domain with all desktops
>> XP sp2. I cannot use mandatory profile because one of the
>> applications needs to be able to save settings in the profile.
>> I want to lock down the user environmetn as much as possible on
>> the  TS, but on the local desktop I need them to have less
>> restriction. Thanks in advance.
date: Sat, 26 Nov 2005 17:43:05 -0000   author:   Mike Wilcock mike.wilcocknospam@stanfordtec.co.uk

Re: TS User Policy vs Desktop User Policy    
Hi,

Coincidentally I'm at exactly the same point deploying our office terminal
server.  So your post was quite timely :)  However.....

I've done what you've suggested below and everything works fine except for
the part about restricting the administrators account.  If I tick Deny for
the administrators it works as expected for my admin account, however all of
my users now do not seem to apply the group policy and have full access to
the start menu, desktop etc.   Folder redirection does seem to work though.
If I untick Deny for the admin accounts all of my users are now restricted
including the admin users.

I'm sure I'm doing something stupid so any pointers in the right direction
would help.

Thanks,


Mike

"Vera Noest [MVP]"  wrote in message
news:Xns9703E4D00BE4Bveranoesthemutforsse@207.46.248.16...
> Yes, the method to achieve this is to use "loopback processing" of
> your GPO with the "Replace" option .
>
> Create a separate OU, put your Terminal Server (but *not* the user
> accounts!) in this OU.
> Then link your restrictive GPO to the OU and configure loopback
> processing. Restrictions will affect users when they logon to the
> TS, but not when they logon to their PCs.
> Oh, and make sure that Administrators are not restricted by the GPO
> by choosing the "Deny" right for "Apply this GPO" in the security
> settings of the GPO.
>
> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287
>
> 816100 - How To Prevent Domain Group Policies from Applying to
> Administrator Accounts and Selected Users in Windows Server 2003
> http://support.microsoft.com/?kbid=816100
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "LRM"  wrote on 03 nov 2005 in
> microsoft.public.windowsnt.terminalserver.setup:
>
>> Is there a way to apply user GPO to a user logged onto TS and
>> not have it apply to the same user when logged onto their PC?
>> I am setting up W2k3e sp1 TS, in a W2k3 domain with all desktops
>> XP sp2. I cannot use mandatory profile because one of the
>> applications needs to be able to save settings in the profile.
>> I want to lock down the user environmetn as much as possible on
>> the  TS, but on the local desktop I need them to have less
>> restriction. Thanks in advance.
date: Sat, 26 Nov 2005 17:44:17 -0000   author:   Mike Wilcock mike.wilcocknospam@stanfordtec.co.uk

Re: TS User Policy vs Desktop User Policy    
Sounds like all of your users are part of the Administrators group.
If that's the case, you could just as well stop trying to restrict 
their sessions.....

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Mike Wilcock" <mike.wilcock<nospam>@stanfordtec.co.uk> wrote on
26 nov 2005 in microsoft.public.windowsnt.terminalserver.setup: 

> Hi,
> 
> Coincidentally I'm at exactly the same point deploying our
> office terminal server.  So your post was quite timely :) 
> However..... 
> 
> I've done what you've suggested below and everything works fine
> except for the part about restricting the administrators
> account.  If I tick Deny for the administrators it works as
> expected for my admin account, however all of my users now do
> not seem to apply the group policy and have full access to the
> start menu, desktop etc.   Folder redirection does seem to work
> though. If I untick Deny for the admin accounts all of my users
> are now restricted including the admin users.
> 
> I'm sure I'm doing something stupid so any pointers in the right
> direction would help.
> 
> Thanks,
> 
> 
> Mike
> 
> "Vera Noest [MVP]"  wrote
> in message 
> news:Xns9703E4D00BE4Bveranoesthemutforsse@207.46.248.16... 
>> Yes, the method to achieve this is to use "loopback processing"
>> of your GPO with the "Replace" option .
>>
>> Create a separate OU, put your Terminal Server (but *not* the
>> user accounts!) in this OU.
>> Then link your restrictive GPO to the OU and configure loopback
>> processing. Restrictions will affect users when they logon to
>> the TS, but not when they logon to their PCs.
>> Oh, and make sure that Administrators are not restricted by the
>> GPO by choosing the "Deny" right for "Apply this GPO" in the
>> security settings of the GPO.
>>
>> 260370 - How to Apply Group Policy Objects to Terminal Services
>> Servers
>> http://support.microsoft.com/?kbid=260370
>>
>> 231287 - Loopback Processing of Group Policy
>> http://support.microsoft.com/?kbid=231287
>>
>> 816100 - How To Prevent Domain Group Policies from Applying to
>> Administrator Accounts and Selected Users in Windows Server
>> 2003 http://support.microsoft.com/?kbid=816100
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "LRM"  wrote on 03 nov 2005 in
>> microsoft.public.windowsnt.terminalserver.setup:
>>
>>> Is there a way to apply user GPO to a user logged onto TS and
>>> not have it apply to the same user when logged onto their PC?
>>> I am setting up W2k3e sp1 TS, in a W2k3 domain with all
>>> desktops XP sp2. I cannot use mandatory profile because one of
>>> the applications needs to be able to save settings in the
>>> profile. I want to lock down the user environmetn as much as
>>> possible on the  TS, but on the local desktop I need them to
>>> have less restriction. Thanks in advance.
date: Sat, 26 Nov 2005 12:37:14 -0800   author:   Vera Noest [MVP]

Google
 
Web ureader.com


    COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHT RESERVE  |   contact us