Guest Valdas Adomaitis
Posted August 19, 2007

As is known, Windows 2003 Server comes with preinstalled Terminal Services so you can use Remote Desktop for Administration. As I was reading manuals and playing with the configuration I came to an interesting conclusion: if you use Group Policy Object Editor to change a security policy from default – set a tick on “Define these policy settings” and define something, then apply to save your settings, and afterwards UNSET the “Define these policy settings” tick and apply again – the settings you made first STAY, but the Group Policy Object Editor’s policy settings column says “Not Defined”.

IMHO if I unset “Define these policy settings” the object’s state should return to default OR it should indicate that it is set to some – NOT default – value.

Here is what I did. By default on Windows 2003 Server running as a DC, the security policy setting for “Allow log on through Terminal Services” is: Administrators. I put the Remote Desktop Users group there, applied, ran gpupdate, and tried to connect through RDC using a user account added to the Remote Desktop Users group. It was unsuccessful, and that’s o.k. But when I unset the tick on “Define these policy settings” and run gpupdate, I can no longer connect through RDC using administrator credentials, and the policy object editor’s policy settings column says “Not Defined”.

This keeps happening until I set “Administrators” under “Allow log on through Terminal Services” again, apply, and run gpupdate. And then again I can unset the tick under “Define these policy settings.” Is this normal GPOE behavior? If so, how can I know what settings were actually applied before me if the policy settings column says “Not Defined”?

Regards,
Valdas Adomaitis

P.S. Sorry if this is off-topic.
Guest Vera Noest [MVP]
Posted August 19, 2007

Re: Windows 2003 server standard edition Group Policy Object Editor bu

I don't think that I agree with your conclusions, but I might misunderstand what you have done. As I see it, this is what happened:

* the default configuration for the policy setting "Logon through TS" is: the setting is *defined*, with "Administrators" as the default value.
* you modify the value, don't like the results, and you *disable* the setting (by removing the checkmark in the "Define this policy setting" check box)
* the setting is now *undefined*, which is different from the default configuration, in which the setting was defined, giving Administrators the Logon right.

So the proper way to undo your changes would have been to remove the Remote Desktop Users group from the setting, not change the status of the setting.

Before making any changes to a GPO, you should export the existing values and / or keep a record of the changes that you make, so that you are able to properly undo your changes. Note that if you implement changes with a security template and the secedit command, you can actually save the existing settings with the /generaterollback option.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Valdas Adomaitis <biesas_2000@yahoo.com> wrote on 19 aug 2007 in microsoft.public.windows.terminal_services:

> As is known, Windows 2003 Server comes with preinstalled Terminal
> Services so you can use Remote Desktop for Administration. As I was
> reading manuals and playing with the configuration I came to an
> interesting conclusion: if you use Group Policy Object Editor to
> change a security policy from default – set a tick on “Define these
> policy settings” and define something, then apply to save your
> settings, and afterwards UNSET the “Define these policy settings”
> tick and apply again – the settings you made first STAY, but the
> Group Policy Object Editor’s policy settings column says “Not
> Defined”.
>
> IMHO if I unset “Define these policy settings” the object’s state
> should return to default OR it should indicate that it is set to
> some – NOT default – value.
>
> Here is what I did. By default on Windows 2003 Server running as a
> DC, the security policy setting for “Allow log on through Terminal
> Services” is: Administrators. I put the Remote Desktop Users group
> there, applied, ran gpupdate, and tried to connect through RDC using
> a user account added to the Remote Desktop Users group. It was
> unsuccessful, and that’s o.k. But when I unset the tick on “Define
> these policy settings” and run gpupdate, I can no longer connect
> through RDC using administrator credentials, and the policy object
> editor’s policy settings column says “Not Defined”.
>
> This keeps happening until I set “Administrators” under “Allow log
> on through Terminal Services” again, apply, and run gpupdate. And
> then again I can unset the tick under “Define these policy
> settings.” Is this normal GPOE behavior? If so, how can I know what
> settings were actually applied before me if the policy settings
> column says “Not Defined”?
>
> Regards,
> Valdas Adomaitis
>
> P.S. Sorry if this is off-topic.
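The export-before-you-change advice above, as an added example that is not part of the original thread: a Python sketch that compares the [Privilege Rights] section of two files written by `secedit /export /cfg <file> /areas USER_RIGHTS`, so a change in who holds a right is visible even when the editor column reads "Not Defined". The file contents are constructed samples, the "after" state is an assumption, and `SeRemoteInteractiveLogonRight` is the internal name of "Allow log on through Terminal Services".

```python
# Constructed samples in the layout written by
#   secedit /export /cfg <file> /areas USER_RIGHTS
# (real exports are UTF-16: open them with encoding="utf-16").
BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""
# Assumed post-change state: Administrators replaced by Remote Desktop Users.
AFTER = BEFORE.replace("SeRemoteInteractiveLogonRight = *S-1-5-32-544",
                       "SeRemoteInteractiveLogonRight = *S-1-5-32-555")

# Well-known SIDs, so the report is readable without a lookup.
WELL_KNOWN = {"S-1-1-0": "Everyone",
              "S-1-5-32-544": "Administrators",
              "S-1-5-32-555": "Remote Desktop Users"}

def privilege_rights(inf_text):
    """Return {right: set(holders)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            sids = (h.strip().lstrip("*") for h in value.split(","))
            rights[name.strip()] = {WELL_KNOWN.get(s, s) for s in sids if s}
    return rights

def diff_rights(before, after):
    """Return {right: (removed, added)} for rights whose holders changed.
    A right missing from an export is treated as held by nobody."""
    b, a = privilege_rights(before), privilege_rights(after)
    changes = {}
    for right in sorted(set(b) | set(a)):
        old, new = b.get(right, set()), a.get(right, set())
        if old != new:
            changes[right] = (sorted(old - new), sorted(new - old))
    return changes

if __name__ == "__main__":
    for right, (removed, added) in diff_rights(BEFORE, AFTER).items():
        print(f"{right}: removed={removed} added={added}")
```

Taking the first export before touching the policy gives the record needed to restore the original holders afterwards.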