Jump to content

Applying Group Policy to few users on Terminal server that is a DC

Guest SDBolts

By Guest SDBolts
in Windows NT Server

 Share

Recommended Posts

Guest SDBolts

Guest SDBolts

Posted
Posted

Hello all,

 

I'm setting up a small office that will only have one server that will act

as a DC and the Terminal server. I want to lock down a group of users

terminal service desktop, to allow only two application they can use. Here

is my problem, I have found some articles that got me close.

http://support.microsoft.com/kb/260370 is one have got me the closest, but

when I use Method 2 of this article, it also locks down the Administrator's

desktop on both terminal and console desktops.

 

Here are the steps I have taken:

1. Created a new GPO (with all the User Configuration settings needed) on

the Domain Controller's OU

2. I enable the loopback processing (tried both merge and replace modes) on

that GPO

3. Then I add the DC's computer account to the GPO

 

This all works great, the Terminal session Desktops get complete locked

down. But is also locks down the administrators desktop on both terminal and

console sessions.

 

So trying to fix this, ...

 

4. I go into the properties of the GPO, click on security, then add the

administrators group, then give the Deny "Apply Group Policy" permission to

the administrators group.

 

This works but also disables the GPO for all users. So I can get the GPO

working for all accounts or for none of them. What am i doing wrong, i just

need this GPO to apply to a select group of users???

 

Thanks for your time and help,

--

Nick H. MCSE,CCNA

  • Replies 2
  • Created
  • Last Reply

Popular Days

Popular Days

Guest SDBolts

Guest SDBolts

Posted
Posted

RE: Applying Group Policy to few users on Terminal server that is a DC

 

Sorry by the way. Its a Windows 2003 Standard Server with SP3

--

Nick H. MCSE,CCNA

 

 

"SDBolts" wrote:

> Hello all,

>

> I'm setting up a small office that will only have one server that will act

> as a DC and the Terminal server. I want to lock down a group of users

> terminal service desktop, to allow only two application they can use. Here

> is my problem, I have found some articles that got me close.

> http://support.microsoft.com/kb/260370 is one have got me the closest, but

> when I use Method 2 of this article, it also locks down the Administrator's

> desktop on both terminal and console desktops.

>

> Here are the steps I have taken:

> 1. Created a new GPO (with all the User Configuration settings needed) on

> the Domain Controller's OU

> 2. I enable the loopback processing (tried both merge and replace modes) on

> that GPO

> 3. Then I add the DC's computer account to the GPO

>

> This all works great, the Terminal session Desktops get complete locked

> down. But is also locks down the administrators desktop on both terminal and

> console sessions.

>

> So trying to fix this, ...

>

> 4. I go into the properties of the GPO, click on security, then add the

> administrators group, then give the Deny "Apply Group Policy" permission to

> the administrators group.

>

> This works but also disables the GPO for all users. So I can get the GPO

> working for all accounts or for none of them. What am i doing wrong, i just

> need this GPO to apply to a select group of users???

>

> Thanks for your time and help,

> --

> Nick H. MCSE,CCNA

Guest Jeff Pitsch

Guest Jeff Pitsch

Posted
Posted

Re: Applying Group Policy to few users on Terminal server that is a DC

 

Are your users administators as well? It sounds like they are......

 

--

Jeff Pitsch

Microsoft MVP - Terminal Services

 

"SDBolts" <SDBolts@discussions.microsoft.com> wrote in message

news:40DA00D4-C128-432D-A79A-1A3C82D8E280@microsoft.com...

> Hello all,

>

> I'm setting up a small office that will only have one server that will act

> as a DC and the Terminal server. I want to lock down a group of users

> terminal service desktop, to allow only two application they can use.

> Here

> is my problem, I have found some articles that got me close.

> http://support.microsoft.com/kb/260370 is one have got me the closest, but

> when I use Method 2 of this article, it also locks down the

> Administrator's

> desktop on both terminal and console desktops.

>

> Here are the steps I have taken:

> 1. Created a new GPO (with all the User Configuration settings needed) on

> the Domain Controller's OU

> 2. I enable the loopback processing (tried both merge and replace modes)

> on

> that GPO

> 3. Then I add the DC's computer account to the GPO

>

> This all works great, the Terminal session Desktops get complete locked

> down. But is also locks down the administrators desktop on both terminal

> and

> console sessions.

>

> So trying to fix this, ...

>

> 4. I go into the properties of the GPO, click on security, then add the

> administrators group, then give the Deny "Apply Group Policy" permission

> to

> the administrators group.

>

> This works but also disables the GPO for all users. So I can get the GPO

> working for all accounts or for none of them. What am i doing wrong, i

> just

> need this GPO to apply to a select group of users???

>

> Thanks for your time and help,

> --

> Nick H. MCSE,CCNA

 Share
Go to topic listing
×
×
  • Create New...