Guest wideye Posted September 19, 2007 Posted September 19, 2007 Hello, I'm setting up a dedicated Terminal Server and I have a question regarding local group policies in Windows Server 2003. Is there a way to apply group policies to all user profiles aside from Administrator? Obviously I want certain restrictions for user profiles that need not apply to the administrative profile (Example: disabling access to the control panel). Is there a way to specify which users GP's apply to? Thanks,
Guest Floris van Haaster Posted September 19, 2007 Posted September 19, 2007 Re: Server 2003 Group Policies - Affecting Administrative Profile You can create some OU's like: Sales Support etc... then add the users/computers to the ou's. And then create and attach GPO's to OU's. A handy thing to use then is the Group Policy Management Console: http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en Best regards Floris van Haaster "wideye" <dstubbs@meterskid.com> wrote in message news:1190207712.804498.241480@k79g2000hse.googlegroups.com... > Hello, > I'm setting up a dedicated Terminal Server and I have a question > regarding local group policies in Windows Server 2003. Is there a way > to apply group policies to all user profiles aside from Administrator? > Obviously I want certain restrictions for user profiles that need not > apply to the administrative profile (Example: disabling access to the > control panel). Is there a way to specify which users GP's apply to? > > Thanks, >
Guest wideye Posted September 19, 2007 Posted September 19, 2007 Re: Server 2003 Group Policies - Affecting Administrative Profile On Sep 19, 8:31 am, "Floris van Haaster" <florisN...@Mdatasmit.nl> wrote: > You can create some OU's like: > > Sales > Support > > etc... then add the users/computers to the ou's. > And then create and attach GPO's to OU's. > > A handy thing to use then is the Group Policy Management Console:http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A... > > Best regards > > Floris van Haaster Let me step back and provide a bit more detailed information because I don't think my question was clearly conveyed. In our organization all users have one account. This one account authenticates local "in office" logins as well as remote logins. However, the GP for remote logins needs to be more restrictive then the GP for local logins. So the question is how can I have one account and two different GP's (i.e. one GP for remote logins and one GP for local logins)? Thanks! > > "wideye" <dstu...@meterskid.com> wrote in message > > news:1190207712.804498.241480@k79g2000hse.googlegroups.com... > > > Hello, > > I'm setting up a dedicated Terminal Server and I have a question > > regarding local group policies in Windows Server 2003. Is there a way > > to apply group policies to all user profiles aside from Administrator? > > Obviously I want certain restrictions for user profiles that need not > > apply to the administrative profile (Example: disabling access to the > > control panel). Is there a way to specify which users GP's apply to? > > > Thanks,
Guest Johan Strange Posted September 19, 2007 Posted September 19, 2007 Re: Server 2003 Group Policies - Affecting Administrative Profile If you mean that a user logs onto a PC on the domain and also logs onto a TS (which needs to be more secure) then the answer is to place the TS into its own OU and apply a policy to the OU. This will not apply to the user when he logs onto his PC locally. To prevernt the GPO applying to an Admin account then remove the apply group policy right. If I was you I would remove TS Access rights from the Administrator account for any public facing TS... instead create a seperate account for Administrator over RDP. Hope I have understood you. I was not sure if you meant a user logs onto the TS locally and also remotely requiring differnent policies ? BRGDS Johan "wideye" wrote: > On Sep 19, 8:31 am, "Floris van Haaster" <florisN...@Mdatasmit.nl> > wrote: > > You can create some OU's like: > > > > Sales > > Support > > > > etc... then add the users/computers to the ou's. > > And then create and attach GPO's to OU's. > > > > A handy thing to use then is the Group Policy Management Console:http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A... > > > > Best regards > > > > Floris van Haaster > > > Let me step back and provide a bit more detailed information because I > don't think my question was clearly conveyed. In our organization all > users have one account. This one account authenticates local "in > office" logins as well as remote logins. However, the GP for remote > logins needs to be more restrictive then the GP for local logins. So > the question is how can I have one account and two different GP's > (i.e. one GP for remote logins and one GP for local logins)? > > Thanks! > > > > > > > "wideye" <dstu...@meterskid.com> wrote in message > > > > news:1190207712.804498.241480@k79g2000hse.googlegroups.com... > > > > > Hello, > > > I'm setting up a dedicated Terminal Server and I have a question > > > regarding local group policies in Windows Server 2003. Is there a way > > > to apply group policies to all user profiles aside from Administrator? > > > Obviously I want certain restrictions for user profiles that need not > > > apply to the administrative profile (Example: disabling access to the > > > control panel). Is there a way to specify which users GP's apply to? > > > > > Thanks, > > >
Guest wideye Posted September 19, 2007 Posted September 19, 2007 Re: Server 2003 Group Policies - Affecting Administrative Profile On Sep 19, 1:44 pm, Johan Strange <JohanStra...@discussions.microsoft.com> wrote: > If you mean that a user logs onto a PC on the domain and also logs onto a TS > (which needs to be more secure) then the answer is to place the TS into its > own OU and apply a policy to the OU. This will not apply to the user when he > logs onto his PC locally. To prevernt the GPO applying to an Admin account > then remove the apply group policy right. > > If I was you I would remove TS Access rights from the Administrator account > for any public facing TS... instead create a seperate account for > Administrator over RDP. > > Hope I have understood you. I was not sure if you meant a user logs onto the > TS locally and also remotely requiring differnent policies ? > > BRGDS > > Johan > > "wideye" wrote: > > On Sep 19, 8:31 am, "Floris van Haaster" <florisN...@Mdatasmit.nl> > > wrote: > > > You can create some OU's like: > > > > Sales > > > Support > > > > etc... then add the users/computers to the ou's. > > > And then create and attach GPO's to OU's. > > > > A handy thing to use then is the Group Policy Management Console:http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A... > > > > Best regards > > > > Floris van Haaster > > > Let me step back and provide a bit more detailed information because I > > don't think my question was clearly conveyed. In our organization all > > users have one account. This one account authenticates local "in > > office" logins as well as remote logins. However, the GP for remote > > logins needs to be more restrictive then the GP for local logins. So > > the question is how can I have one account and two different GP's > > (i.e. one GP for remote logins and one GP for local logins)? > > > Thanks! > > > > "wideye" <dstu...@meterskid.com> wrote in message > > > >news:1190207712.804498.241480@k79g2000hse.googlegroups.com... > > > > > Hello, > > > > I'm setting up a dedicated Terminal Server and I have a question > > > > regarding local group policies in Windows Server 2003. Is there a way > > > > to apply group policies to all user profiles aside from Administrator? > > > > Obviously I want certain restrictions for user profiles that need not > > > > apply to the administrative profile (Example: disabling access to the > > > > control panel). Is there a way to specify which users GP's apply to? > > > > > Thanks, Jordon, Thanks for the prompt feedback! Our users sometimes work in the office and sometimes work from home - I would like to have a GP for "in office" access and a different GP for "remote" access. Currently, I have OU's "siteA" and "siteB" and GP's for each OU. However, I don't understand how I can have a TS OU and GP for users that already exist in the "siteA" or "siteB" OU's. Thanks again for the help.
Recommended Posts