Group Policy For Terminal Server

[Guest Rossco1981]

HI All

This is probably a straight forward problem but I am a bit stuck.

We have an OU for terminal servers which has the GPO appplied to it, to

restrcited various things (such as run box, control panel access, map drive

etc).

This works perfectly well when users log onto the server they can only do

the tasks we want them to do, however as the policy is applied at machine

level when we log on a administrator we also experience the same

restrictions. We cannot apply the policy at user level (as users are in many

places and use different computers/laptops etc). Is there a way to apply

the policy to everyone but Administrators? As we need to use terminal

services manager, need to be able to see event viewer etc. Could we apply

the GPO to a group that admin is not a member of?

Any ideas would be welcomed.

Thanks

[Guest Vera Noest [MVP]]

Re: Group Policy For Terminal Server

 

Absolutely! This should help:

 

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?Um9zc2NvMTk4MQ==?=

<Rossco1981@discussions.microsoft.com> wrote on 21 aug 2007:

> HI All

> This is probably a straight forward problem but I am a bit

> stuck. We have an OU for terminal servers which has the GPO

> appplied to it, to restrcited various things (such as run box,

> control panel access, map drive etc).

> This works perfectly well when users log onto the server they

> can only do the tasks we want them to do, however as the policy

> is applied at machine level when we log on a administrator we

> also experience the same restrictions. We cannot apply the

> policy at user level (as users are in many

> places and use different computers/laptops etc). Is there a

> way to apply

> the policy to everyone but Administrators? As we need to use

> terminal services manager, need to be able to see event viewer

> etc. Could we apply the GPO to a group that admin is not a

> member of? Any ideas would be welcomed.

> Thanks

[Guest Rossco1981]

Re: Group Policy For Terminal Server

 

Thanks works very well

 

"Vera Noest [MVP]" wrote:

> Absolutely! This should help:

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> =?Utf-8?B?Um9zc2NvMTk4MQ==?=

> <Rossco1981@discussions.microsoft.com> wrote on 21 aug 2007:

>

> > HI All

> > This is probably a straight forward problem but I am a bit

> > stuck. We have an OU for terminal servers which has the GPO

> > appplied to it, to restrcited various things (such as run box,

> > control panel access, map drive etc).

> > This works perfectly well when users log onto the server they

> > can only do the tasks we want them to do, however as the policy

> > is applied at machine level when we log on a administrator we

> > also experience the same restrictions. We cannot apply the

> > policy at user level (as users are in many

> > places and use different computers/laptops etc). Is there a

> > way to apply

> > the policy to everyone but Administrators? As we need to use

> > terminal services manager, need to be able to see event viewer

> > etc. Could we apply the GPO to a group that admin is not a

> > member of? Any ideas would be welcomed.

> > Thanks

>

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

This was something I was dealing with too. However I have the Group Policy

Management tool installed so that GPO tab does not work. In the GPM Tool

there is no similar permissions that I could find apart from the Deligation

Tab when the GPO is selected. I was afraid to remove the Domain Admins from

there (there is no "deny" option) because I was afraid I would lock myself

out of the abiltity to edit or remove the Policy afterwards.

 

I don't want the policy to apply when a Domain Admin connects to the

Terminal Server, but I don't want to lock the Domain Admins out of being

able to alter or remove the policy when trying to administer policies.

 

So currently I am leaving the policy unlinked and unused at all and the TS

is running pretty much straight without any GPO mods.

 

Can you shed some light on that.

 

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

 

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message

news:Xns999385A36BAC5veranoesthemutforsse@207.46.248.16...

> Absolutely! This should help:

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> =?Utf-8?B?Um9zc2NvMTk4MQ==?=

> <Rossco1981@discussions.microsoft.com> wrote on 21 aug 2007:

>

>> HI All

>> This is probably a straight forward problem but I am a bit

>> stuck. We have an OU for terminal servers which has the GPO

>> appplied to it, to restrcited various things (such as run box,

>> control panel access, map drive etc).

>> This works perfectly well when users log onto the server they

>> can only do the tasks we want them to do, however as the policy

>> is applied at machine level when we log on a administrator we

>> also experience the same restrictions. We cannot apply the

>> policy at user level (as users are in many

>> places and use different computers/laptops etc). Is there a

>> way to apply

>> the policy to everyone but Administrators? As we need to use

>> terminal services manager, need to be able to see event viewer

>> etc. Could we apply the GPO to a group that admin is not a

>> member of? Any ideas would be welcomed.

>> Thanks

[Guest Jeff]

Re: Group Policy For Terminal Server

 

In the Group Policy Management tool, once you go into the Group Policies for

an OU you will notice on the left a listing of your OU's. if you look under

the OU this applies to you will see a listing of the GPO's. you can

right-click on it there and go into the Properties of the actual GPO, then

select the "Applies to..." part. unless i have misunderstood what you are

looking for.

 

"Phillip Windell" wrote:

> This was something I was dealing with too. However I have the Group Policy

> Management tool installed so that GPO tab does not work. In the GPM Tool

> there is no similar permissions that I could find apart from the Deligation

> Tab when the GPO is selected. I was afraid to remove the Domain Admins from

> there (there is no "deny" option) because I was afraid I would lock myself

> out of the abiltity to edit or remove the Policy afterwards.

>

> I don't want the policy to apply when a Domain Admin connects to the

> Terminal Server, but I don't want to lock the Domain Admins out of being

> able to alter or remove the policy when trying to administer policies.

>

> So currently I am leaving the policy unlinked and unused at all and the TS

> is running pretty much straight without any GPO mods.

>

> Can you shed some light on that.

>

>

> --

> Phillip Windell

> http://www.wandtv.com

>

> The views expressed, are my own and not those of my employer, or Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

>

> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message

> news:Xns999385A36BAC5veranoesthemutforsse@207.46.248.16...

> > Absolutely! This should help:

> >

> > 816100 - How To Prevent Domain Group Policies from Applying to

> > Administrator Accounts and Selected Users in Windows Server 2003

> > http://support.microsoft.com/?kbid=816100

> >

> > _________________________________________________________

> > Vera Noest

> > MCSE, CCEA, Microsoft MVP - Terminal Server

> > TS troubleshooting: http://ts.veranoest.net

> > *----------- Please reply in newsgroup -------------*

> >

> > =?Utf-8?B?Um9zc2NvMTk4MQ==?=

> > <Rossco1981@discussions.microsoft.com> wrote on 21 aug 2007:

> >

> >> HI All

> >> This is probably a straight forward problem but I am a bit

> >> stuck. We have an OU for terminal servers which has the GPO

> >> appplied to it, to restrcited various things (such as run box,

> >> control panel access, map drive etc).

> >> This works perfectly well when users log onto the server they

> >> can only do the tasks we want them to do, however as the policy

> >> is applied at machine level when we log on a administrator we

> >> also experience the same restrictions. We cannot apply the

> >> policy at user level (as users are in many

> >> places and use different computers/laptops etc). Is there a

> >> way to apply

> >> the policy to everyone but Administrators? As we need to use

> >> terminal services manager, need to be able to see event viewer

> >> etc. Could we apply the GPO to a group that admin is not a

> >> member of? Any ideas would be welcomed.

> >> Thanks

>

>

>

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

 

"Jeff" <Jeff@discussions.microsoft.com> wrote in message

news:5D066B5C-AA5A-4286-A61B-53B83B4F1F3D@microsoft.com...

> In the Group Policy Management tool, once you go into the Group Policies

> for

> an OU you will notice on the left a listing of your OU's. if you look

> under

> the OU this applies to you will see a listing of the GPO's. you can

> right-click on it there and go into the Properties of the actual GPO, then

> select the "Applies to..." part. unless i have misunderstood what you are

> looking for.

 

In the Group Policy Management tool the GPOs are listed in a section by

themselves at the bottom. Inside the OUs is just a "shortcut" that serves

as a "marker" for where the policy is linked.

 

There is no "Applies to.." in either one of those places. There isn't even

a Properties.

It does activate the right side Window which has a "Security Filtering"

under the "Scope Tab", and there is a Delegation Tab. I'm not entirely sure

of the specific impact of whatever I do in those, so I am reluctant to mess

with it till I know for sure. It doesn't look like there is a way to do a

explicit Deny,..only an implied Deny by not including them in the list.

 

The problem is that if I use a User Group *and* the TS Machine it doesn't

treat them as a combination but applies to each separately,..so it applies

to the user no matter what machine they are on and at the same time applies

to any user on the TS Machine. What I need is it to only apply on the TS box

and not apply the Domain Admins when on the TS box.

 

The TS box is in a OU with other machines,..I need to keep it there,..I

don't want to move it into its own OU unless there is just absolutely no

other way.

 

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

I may be able to overcome this by how I create and arrange my user groups

for the TS users. I'll take a closer look at that later today.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Helge Klein]

Re: Group Policy For Terminal Server

 

Answers inline.

 

I hope this helps.

 

Helge

 

On 22 Aug., 01:28, "Phillip Windell" <philwind...@hotmail.com> wrote:

> "Jeff" <J...@discussions.microsoft.com> wrote in message

>

> news:5D066B5C-AA5A-4286-A61B-53B83B4F1F3D@microsoft.com...

>

> > In the Group Policy Management tool, once you go into the Group Policies

> > for

> > an OU you will notice on the left a listing of your OU's. if you look

> > under

> > the OU this applies to you will see a listing of the GPO's. you can

> > right-click on it there and go into the Properties of the actual GPO, then

> > select the "Applies to..." part. unless i have misunderstood what you are

> > looking for.

>

> In the Group Policy Management tool the GPOs are listed in a section by

> themselves at the bottom. Inside the OUs is just a "shortcut" that serves

> as a "marker" for where the policy is linked.

 

Although that is correct, it is irrelevant to the tasks at hand.

>

> There is no "Applies to.." in either one of those places. There isn't even

> a Properties.

> It does activate the right side Window which has a "Security Filtering"

> under the "Scope Tab", and there is a Delegation Tab. I'm not entirely sure

> of the specific impact of whatever I do in those, so I am reluctant to mess

> with it till I know for sure. It doesn't look like there is a way to do a

> explicit Deny,..only an implied Deny by not including them in the list.

 

Use the tab "Scope" and there the section "Security Filtering". If you

add user/group/computer objects there, the GPO will be applied to

exactly the objects you selected.

 

Some hints:

 

1) The entries listed unter "Security Filtering" actually show a

subset of the permissions that are set on the GPO, namely those

objects the GPO applies to (those which have the permissions to "Read"

and "Apply" the GPO).

 

2) You cannot use the section "Security Filtering" to set an ACE to

access denied. For that you need the tab "Delegation".

 

3) There is no "implied deny". Setting an access denied ACE works by

going to the "Security Filtering" tab, selecting an entry an then

clicking on "Properites" near the bottom.

 

4) If you want a GPO to apply only to a single computer then add the

computer account to the list in "Security Filtering" and make sure

nothing else is on the list.

>

> The problem is that if I use a User Group *and* the TS Machine it doesn't

> treat them as a combination but applies to each separately,..so it applies

> to the user no matter what machine they are on and at the same time applies

> to any user on the TS Machine. What I need is it to only apply on the TS box

> and not apply the Domain Admins when on the TS box.

 

You might want to have a look at loopback processing mode which is

used for most terminal servers.

>

> The TS box is in a OU with other machines,..I need to keep it there,..I

> don't want to move it into its own OU unless there is just absolutely no

> other way.

 

See above: security filtering by machine object.

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

Thank, you for the reply, Helge,

 

"Helge Klein" <Helge.Klein@googlemail.com> wrote in message

news:1187810084.544734.241730@i38g2000prf.googlegroups.com...

> Use the tab "Scope" and there the section "Security Filtering". If you

> add user/group/computer objects there, the GPO will be applied to

> exactly the objects you selected.

 

That is what I do. GPOs are linked in at the top of the Domain, I then

control to what GPOs applies via entries in the Scope Tab-->Security

Filtering,... rather than create a messy complex OU tree.

> 1) The entries listed unter "Security Filtering" actually show a

> subset of the permissions that are set on the GPO, namely those

> objects the GPO applies to (those which have the permissions to "Read"

> and "Apply" the GPO).

 

The only options when right-clicking on an object in the Security Filtering

is "Remove" and "Properties". That is where the problem is. The properties

is the Properties of the item itself, it is not Properties of the access

relationship to the GPO. In other words if the object is a Group I can add

users to the group or add the group to another group.

> 2) You cannot use the section "Security Filtering" to set an ACE to

> access denied. For that you need the tab "Delegation".

 

But what does Deligation actually effect? Does removing someone from

Deligation mean the GPO simply does not apply to them,...or does it mean

that the removed Person can not go into ADUC or the GPM and "manage" the

GPO?

> 3) There is no "implied deny". Setting an access denied ACE works by

> going to the "Security Filtering" tab, selecting an entry an then

> clicking on "Properites" near the bottom.

 

See my response to #1

> 4) If you want a GPO to apply only to a single computer then add the

> computer account to the list in "Security Filtering" and make sure

> nothing else is on the list.

 

I do put the TS machine in there,...the problem is that it will apply to all

users who log on to the machine,..I don't want that,..I do not want it to

apply to Domain Admins.

> You might want to have a look at loopback processing mode which is

> used for most terminal servers.

 

Do you have an example of that?

I have never used loopback processing.

I don't even know where to start, or what you can do or not do with it.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Helge Klein]

Re: Group Policy For Terminal Server

 

I hope I can clarify things a litte with this post.

 

1) Information on Loopback Processing

 

Loopback processing of Group Policy

http://support.microsoft.com/?scid=kb%3Ben-us%3B231287&x=19&y=23

 

Locking Down Windows Server 2003 Terminal Server Sessions

http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

 

2) GPMC: "Security Filtering" versus "Delegation"

 

Like most objects GPOs have an ACL associated with them. This ACL is

relatively complex and controls several things at once:

 

- Who can "see" the GPO

- Who can edit the settings in the GPO

- Who the GPO applies to

- ...

 

In the tab "Delegation" you see the full contents of the ACL,

containing both the entries (ACEs) for the objects the GPO applies to

(again: read and apply are needed for this - if those two are set the

ACE appears on "Security Filtering") and other ACEs related to

managing the GPO.

 

That means:

 

If you go to "Delegation", add an ACE and give the rights read and

apply GPO then this is exactly the same as adding an object via

"Security Filtering" - check it out yourself!

 

In other words: "Security Filtering" is a shortcut (designed to reduce

complexity) for adding an ACE to the GPO with the two rights read and

apply GPO. That is why its GUI is so limited. If you want the full

picture, go to "Delegation".

 

I recommend you play around with the security settings to get a

feeling for how they work in the GPMC.

 

I hope this helps.

 

Helge

 

On 22 Aug., 22:28, "Phillip Windell" <philwind...@hotmail.com> wrote:

> Thank, you for the reply, Helge,

>

> "Helge Klein" <Helge.Kl...@googlemail.com> wrote in message

>

> news:1187810084.544734.241730@i38g2000prf.googlegroups.com...

>

> > Use the tab "Scope" and there the section "Security Filtering". If you

> > add user/group/computer objects there, the GPO will be applied to

> > exactly the objects you selected.

>

> That is what I do. GPOs are linked in at the top of the Domain, I then

> control to what GPOs applies via entries in the Scope Tab-->Security

> Filtering,... rather than create a messy complex OU tree.

>

> > 1) The entries listed unter "Security Filtering" actually show a

> > subset of the permissions that are set on the GPO, namely those

> > objects the GPO applies to (those which have the permissions to "Read"

> > and "Apply" the GPO).

>

> The only options when right-clicking on an object in the Security Filtering

> is "Remove" and "Properties". That is where the problem is. The properties

> is the Properties of the item itself, it is not Properties of the access

> relationship to the GPO. In other words if the object is a Group I can add

> users to the group or add the group to another group.

>

> > 2) You cannot use the section "Security Filtering" to set an ACE to

> > access denied. For that you need the tab "Delegation".

>

> But what does Deligation actually effect? Does removing someone from

> Deligation mean the GPO simply does not apply to them,...or does it mean

> that the removed Person can not go into ADUC or the GPM and "manage" the

> GPO?

>

> > 3) There is no "implied deny". Setting an access denied ACE works by

> > going to the "Security Filtering" tab, selecting an entry an then

> > clicking on "Properites" near the bottom.

>

> See my response to #1

>

> > 4) If you want a GPO to apply only to a single computer then add the

> > computer account to the list in "Security Filtering" and make sure

> > nothing else is on the list.

>

> I do put the TS machine in there,...the problem is that it will apply to all

> users who log on to the machine,..I don't want that,..I do not want it to

> apply to Domain Admins.

>

> > You might want to have a look at loopback processing mode which is

> > used for most terminal servers.

>

> Do you have an example of that?

> I have never used loopback processing.

> I don't even know where to start, or what you can do or not do with it.

>

> --

> Phillip Windellwww.wandtv.com

>

> The views expressed, are my own and not those of my employer, or Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

Ok, I'll look into it some more tomorrow afternoon,..today was too busy to

do anything.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Patrick Rouse]

Re: Group Policy For Terminal Server

 

These are probably a bit easier to read and step by step:

 

http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

 

http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

 

 

--

Patrick C. Rouse

Microsoft MVP - Terminal Server

Provision Networks VIP

Citrix Technology Professional

President - Session Computing Solutions, LLC

http://www.sessioncomputing.com

 

 

 

"Helge Klein" wrote:

> I hope I can clarify things a litte with this post.

>

> 1) Information on Loopback Processing

>

> Loopback processing of Group Policy

> http://support.microsoft.com/?scid=kb%3Ben-us%3B231287&x=19&y=23

>

> Locking Down Windows Server 2003 Terminal Server Sessions

> http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

>

> 2) GPMC: "Security Filtering" versus "Delegation"

>

> Like most objects GPOs have an ACL associated with them. This ACL is

> relatively complex and controls several things at once:

>

> - Who can "see" the GPO

> - Who can edit the settings in the GPO

> - Who the GPO applies to

> - ...

>

> In the tab "Delegation" you see the full contents of the ACL,

> containing both the entries (ACEs) for the objects the GPO applies to

> (again: read and apply are needed for this - if those two are set the

> ACE appears on "Security Filtering") and other ACEs related to

> managing the GPO.

>

> That means:

>

> If you go to "Delegation", add an ACE and give the rights read and

> apply GPO then this is exactly the same as adding an object via

> "Security Filtering" - check it out yourself!

>

> In other words: "Security Filtering" is a shortcut (designed to reduce

> complexity) for adding an ACE to the GPO with the two rights read and

> apply GPO. That is why its GUI is so limited. If you want the full

> picture, go to "Delegation".

>

> I recommend you play around with the security settings to get a

> feeling for how they work in the GPMC.

>

> I hope this helps.

>

> Helge

>

> On 22 Aug., 22:28, "Phillip Windell" <philwind...@hotmail.com> wrote:

> > Thank, you for the reply, Helge,

> >

> > "Helge Klein" <Helge.Kl...@googlemail.com> wrote in message

> >

> > news:1187810084.544734.241730@i38g2000prf.googlegroups.com...

> >

> > > Use the tab "Scope" and there the section "Security Filtering". If you

> > > add user/group/computer objects there, the GPO will be applied to

> > > exactly the objects you selected.

> >

> > That is what I do. GPOs are linked in at the top of the Domain, I then

> > control to what GPOs applies via entries in the Scope Tab-->Security

> > Filtering,... rather than create a messy complex OU tree.

> >

> > > 1) The entries listed unter "Security Filtering" actually show a

> > > subset of the permissions that are set on the GPO, namely those

> > > objects the GPO applies to (those which have the permissions to "Read"

> > > and "Apply" the GPO).

> >

> > The only options when right-clicking on an object in the Security Filtering

> > is "Remove" and "Properties". That is where the problem is. The properties

> > is the Properties of the item itself, it is not Properties of the access

> > relationship to the GPO. In other words if the object is a Group I can add

> > users to the group or add the group to another group.

> >

> > > 2) You cannot use the section "Security Filtering" to set an ACE to

> > > access denied. For that you need the tab "Delegation".

> >

> > But what does Deligation actually effect? Does removing someone from

> > Deligation mean the GPO simply does not apply to them,...or does it mean

> > that the removed Person can not go into ADUC or the GPM and "manage" the

> > GPO?

> >

> > > 3) There is no "implied deny". Setting an access denied ACE works by

> > > going to the "Security Filtering" tab, selecting an entry an then

> > > clicking on "Properites" near the bottom.

> >

> > See my response to #1

> >

> > > 4) If you want a GPO to apply only to a single computer then add the

> > > computer account to the list in "Security Filtering" and make sure

> > > nothing else is on the list.

> >

> > I do put the TS machine in there,...the problem is that it will apply to all

> > users who log on to the machine,..I don't want that,..I do not want it to

> > apply to Domain Admins.

> >

> > > You might want to have a look at loopback processing mode which is

> > > used for most terminal servers.

> >

> > Do you have an example of that?

> > I have never used loopback processing.

> > I don't even know where to start, or what you can do or not do with it.

> >

> > --

> > Phillip Windellwww.wandtv.com

> >

> > The views expressed, are my own and not those of my employer, or Microsoft,

> > or anyone else associated with me, including my cats.

> > -----------------------------------------------------

>

>

>

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

"Patrick Rouse" <PatrickRouse@discussions.microsoft.com> wrote in message

news:626F3C80-60F6-465B-B49D-08484BFC925D@microsoft.com...

> These are probably a bit easier to read and step by step:

>

> http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

>

> http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

 

Thanks Patrick,

 

I think I have it working according to how Helge described (thanks Helge),

it just took me a while to get it straight in my head how it worked. But

I'll check those out, I'm sure I'll be doing more with this later.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Helge Klein]

Re: Group Policy For Terminal Server

 

Thanks for your feedback. It is good to hear that things work for you

now.

 

Helge

 

On 24 Aug., 00:00, "Phillip Windell" <philwind...@hotmail.com> wrote:

> "Patrick Rouse" <PatrickRo...@discussions.microsoft.com> wrote in message

>

> news:626F3C80-60F6-465B-B49D-08484BFC925D@microsoft.com...

>

> > These are probably a bit easier to read and step by step:

>

> >http://www.msterminalservices.org/articles/Configure-Folder-Redirecti...

>

> >http://www.msterminalservices.org/articles/Managing-Terminal-Services...

>

> Thanks Patrick,

>

> I think I have it working according to how Helge described (thanks Helge),

> it just took me a while to get it straight in my head how it worked. But

> I'll check those out, I'm sure I'll be doing more with this later.

>

> --

> Phillip Windellwww.wandtv.com

>

> The views expressed, are my own and not those of my employer, or Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

[Guest Phillip Windell]

Re: Group Policy For Terminal Server

 

"Helge Klein" <Helge.Klein@googlemail.com> wrote in message

news:1187948595.180807.222630@q5g2000prf.googlegroups.com...

> Thanks for your feedback. It is good to hear that things work for you

> now.

 

Unfortuneately it still does't work. I had to give up on the whole thing

and start over. I now created a User Group of TS users that does not

include Domain Admins. I then gave the group permission to the GPO.

 

Now it does not even get applied. Running GPRESULT on the TS box shows that

the GPO does not get applied. Right now I can't remember if it was due to

"Filterd out" or Denied".

 

I'm really tired of messing with it right now and am going to shelve it for

later. The users already know to never shut it down and they have been

pretty good about it.

 

But thank you very much for trying to help out with it.

 

--

Phillip Windell

http://www.wandtv.com