Guest SDBolts Posted September 5, 2008 Posted September 5, 2008 Hello all, I'm setting up a small office that will only have one server that will act as a DC and the Terminal server. I want to lock down a group of users terminal service desktop, to allow only two application they can use. Here is my problem, I have found some articles that got me close. http://support.microsoft.com/kb/260370 is one have got me the closest, but when I use Method 2 of this article, it also locks down the Administrator's desktop on both terminal and console desktops. Here are the steps I have taken: 1. Created a new GPO (with all the User Configuration settings needed) on the Domain Controller's OU 2. I enable the loopback processing (tried both merge and replace modes) on that GPO 3. Then I add the DC's computer account to the GPO This all works great, the Terminal session Desktops get complete locked down. But is also locks down the administrators desktop on both terminal and console sessions. So trying to fix this, ... 4. I go into the properties of the GPO, click on security, then add the administrators group, then give the Deny "Apply Group Policy" permission to the administrators group. This works but also disables the GPO for all users. So I can get the GPO working for all accounts or for none of them. What am i doing wrong, i just need this GPO to apply to a select group of users??? Thanks for your time and help, -- Nick H. MCSE,CCNA
Guest SDBolts Posted September 5, 2008 Posted September 5, 2008 RE: Applying Group Policy to few users on Terminal server that is a DC Sorry by the way. Its a Windows 2003 Standard Server with SP3 -- Nick H. MCSE,CCNA "SDBolts" wrote: > Hello all, > > I'm setting up a small office that will only have one server that will act > as a DC and the Terminal server. I want to lock down a group of users > terminal service desktop, to allow only two application they can use. Here > is my problem, I have found some articles that got me close. > http://support.microsoft.com/kb/260370 is one have got me the closest, but > when I use Method 2 of this article, it also locks down the Administrator's > desktop on both terminal and console desktops. > > Here are the steps I have taken: > 1. Created a new GPO (with all the User Configuration settings needed) on > the Domain Controller's OU > 2. I enable the loopback processing (tried both merge and replace modes) on > that GPO > 3. Then I add the DC's computer account to the GPO > > This all works great, the Terminal session Desktops get complete locked > down. But is also locks down the administrators desktop on both terminal and > console sessions. > > So trying to fix this, ... > > 4. I go into the properties of the GPO, click on security, then add the > administrators group, then give the Deny "Apply Group Policy" permission to > the administrators group. > > This works but also disables the GPO for all users. So I can get the GPO > working for all accounts or for none of them. What am i doing wrong, i just > need this GPO to apply to a select group of users??? > > Thanks for your time and help, > -- > Nick H. MCSE,CCNA
Guest Jeff Pitsch Posted September 5, 2008 Posted September 5, 2008 Re: Applying Group Policy to few users on Terminal server that is a DC Are your users administators as well? It sounds like they are...... -- Jeff Pitsch Microsoft MVP - Terminal Services "SDBolts" <SDBolts@discussions.microsoft.com> wrote in message news:40DA00D4-C128-432D-A79A-1A3C82D8E280@microsoft.com... > Hello all, > > I'm setting up a small office that will only have one server that will act > as a DC and the Terminal server. I want to lock down a group of users > terminal service desktop, to allow only two application they can use. > Here > is my problem, I have found some articles that got me close. > http://support.microsoft.com/kb/260370 is one have got me the closest, but > when I use Method 2 of this article, it also locks down the > Administrator's > desktop on both terminal and console desktops. > > Here are the steps I have taken: > 1. Created a new GPO (with all the User Configuration settings needed) on > the Domain Controller's OU > 2. I enable the loopback processing (tried both merge and replace modes) > on > that GPO > 3. Then I add the DC's computer account to the GPO > > This all works great, the Terminal session Desktops get complete locked > down. But is also locks down the administrators desktop on both terminal > and > console sessions. > > So trying to fix this, ... > > 4. I go into the properties of the GPO, click on security, then add the > administrators group, then give the Deny "Apply Group Policy" permission > to > the administrators group. > > This works but also disables the GPO for all users. So I can get the GPO > working for all accounts or for none of them. What am i doing wrong, i > just > need this GPO to apply to a select group of users??? > > Thanks for your time and help, > -- > Nick H. MCSE,CCNA
Recommended Posts