Guest Avari
Posted August 2, 2007

I won't go into too much detail, but due to the constant corruption of the GPOs and mismanagement by other staff, I have decided to steer away from domain-created GPOs. Can you please advise how I would achieve the same as GPOs but applied locally to my Terminal Server/Citrix servers? I want any user who belongs to a security group and is logging into my Terminal Servers/Citrix servers to have a local policy applied to lock them down. There are numerous settings I want applied; the most important ones are users being unable to see the local server drives and unable to access Control Panel.

Many thanks
Guest Roger Abell [MVP]
Posted August 2, 2007

Re: Local GPO

Prior to Windows Vista, machine local policy is only applied equally to all accounts logging into the system. Although there is a hack-ish workaround that provides for some limited variation, it is inflexible and painful to use.

You would be much better off resolving the issues you did not detail so that use of AD-based GPO is reliably available.

Roger

"Avari" <nospam@mail.co.uk> wrote in message news:5he756F3js6ttU1@mid.individual.net...
Guest Avari
Posted August 2, 2007

Re: Local GPO

I've had to stop the GPO running, as the current problem is that LOOPBACK is not being processed/applied.

The Terminal Servers/Citrix servers are all located in a separate OU with loopback enabled. The GPO works great, but it applies the policy to the users in the security group on whatever system they log in to.

I have a pretty tight policy on the TS/Citrix servers, but this is also being applied to their desktops. Any guidance would be great to see what is stopping the loopback.

I think that something applied at a root or site level is stopping the loopback.

Thanks

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:ezLdVCR1HHA.1100@TK2MSFTNGP06.phx.gbl...
Guest Roger Abell [MVP]
Posted August 2, 2007

Re: Local GPO

It sounds as if the loopback GPO is linked at the wrong location. A normal pattern is:

- Users in some U-OU
- TS servers in some TS-OU
- U-OU not a sub-OU of TS-OU

One defines a GPO, linking it to TS-OU, sets the GPO to apply both computer and user policies, in the computer section sets the GPO to use loopback processing, and in the user section sets the user policies that should be applied when users log into the computers in TS-OU (and only then). The loopback could be set to either replace or merge mode.

The loopback GPO could be left at default security group filtering (so it would apply to any user logging into any machine in the TS-OU), or read/apply for Authenticated Users could be removed and replaced by the machines in the TS-OU that should use the loopback GPO and the users for whom this should be done (i.e. one must filter for both the computer section and the user section).

roger

"Avari" <nospam@mail.co.uk> wrote in message news:5hefgvF3jr3vlU1@mid.individual.net...
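As an added example (not code from the thread or from either poster), the pattern Roger describes built with the GroupPolicy PowerShell module, which assumes Windows Server 2008 R2 or later; the OU path and the two group names are placeholders, and the last two commands are the checks for a loopback GPO that is present but not taking effect.

```powershell
# Added example: loopback GPO linked to the TS OU, filtered on both computers and users.
# OU path and group names below are placeholders for this example.
Import-Module GroupPolicy

$gpoName = 'TS Lockdown (loopback)'
$tsOu    = 'OU=TS-OU,DC=example,DC=com'   # OU that holds the Terminal/Citrix servers
$tsHosts = 'TS-Servers'                   # security group containing those computer accounts
$tsUsers = 'TS-Locked-Users'              # security group of users to lock down

New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $tsOu | Out-Null   # link at TS-OU, not at the users' OU

# Computer section: loopback processing. UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User section: hide and block every drive letter (bitmask A..Z), hide Control Panel.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDrives'       -Type DWord -Value 0x03FFFFFF | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoViewOnDrive'  -Type DWord -Value 0x03FFFFFF | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Security filtering: the TS computers AND the target users both need Apply, because the
# computer side carries the loopback switch and the user side carries the lockdown.
# Authenticated Users drops to Read only so that computers can still read the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsHosts -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsUsers -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check 1: is inheritance blocked on TS-OU, or is an Enforced GPO from the domain/site
# level winning the UserPolicyMode setting? Enforced links show up in InheritedGpoLinks.
Get-GPInheritance -Target $tsOu | Select-Object GpoInheritanceBlocked, InheritedGpoLinks

# Check 2 (run on a terminal server): the GPO must be listed under the COMPUTER scope,
# since loopback is read from the computer side, not from the user's own OU.
gpresult /scope:computer /r
```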
Guest dsbrown10
Posted August 2, 2007

Re: Local GPO

On Aug 2, 5:53 pm, "Roger Abell [MVP]" <mvpNoS...@asu.edu> wrote:

Hello Avari. Firstly, I agree with Roger that delegating control of your GPOs to solve the meddling is the way to go, as using local policies will become a headache when you get lots of servers to manage.

A few things to note about local policies:

- They do not work with loopback. 99% sure of that.
- They have to be managed remotely, otherwise you will lock yourself out. Just put an ACL on the GroupPolicy folder that does not contain any groups that administrators belong to, including special groups like Authenticated Users etc. If you're using 2003 then the "administrator" is not a member of Everyone.

I used to use local policies to lock down Windows 2000 machines in an NT domain (long time ago!). I created a policy that I was happy with, then copied it to Netlogon, then used robocopy to copy any changes to the local systems at logon. Worked fine, and the management was centralised.

Hope that helps

dave