Jump to content

Server 2003 Group Policies - Affecting Administrative Profile

Guest wideye

By Guest wideye
in Windows 2003 Server

 Share

Recommended Posts

Guest wideye

Guest wideye

Posted
Posted

Hello,

I'm setting up a dedicated Terminal Server and I have a question

regarding local group policies in Windows Server 2003. Is there a way

to apply group policies to all user profiles aside from Administrator?

Obviously I want certain restrictions for user profiles that need not

apply to the administrative profile (Example: disabling access to the

control panel). Is there a way to specify which users GP's apply to?

 

Thanks,

  • Replies 4
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Floris van Haaster

Guest Floris van Haaster

Posted
Posted

Re: Server 2003 Group Policies - Affecting Administrative Profile

 

You can create some OU's like:

 

Sales

Support

 

etc... then add the users/computers to the ou's.

And then create and attach GPO's to OU's.

 

A handy thing to use then is the Group Policy Management Console:

http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

 

Best regards

 

Floris van Haaster

 

"wideye" <dstubbs@meterskid.com> wrote in message

news:1190207712.804498.241480@k79g2000hse.googlegroups.com...

> Hello,

> I'm setting up a dedicated Terminal Server and I have a question

> regarding local group policies in Windows Server 2003. Is there a way

> to apply group policies to all user profiles aside from Administrator?

> Obviously I want certain restrictions for user profiles that need not

> apply to the administrative profile (Example: disabling access to the

> control panel). Is there a way to specify which users GP's apply to?

>

> Thanks,

>

Guest wideye

Guest wideye

Posted
Posted

Re: Server 2003 Group Policies - Affecting Administrative Profile

 

On Sep 19, 8:31 am, "Floris van Haaster" <florisN...@Mdatasmit.nl>

wrote:

> You can create some OU's like:

>

> Sales

> Support

>

> etc... then add the users/computers to the ou's.

> And then create and attach GPO's to OU's.

>

> A handy thing to use then is the Group Policy Management Console:http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A...

>

> Best regards

>

> Floris van Haaster

 

 

Let me step back and provide a bit more detailed information because I

don't think my question was clearly conveyed. In our organization all

users have one account. This one account authenticates local "in

office" logins as well as remote logins. However, the GP for remote

logins needs to be more restrictive then the GP for local logins. So

the question is how can I have one account and two different GP's

(i.e. one GP for remote logins and one GP for local logins)?

 

Thanks!

 

 

>

> "wideye" <dstu...@meterskid.com> wrote in message

>

> news:1190207712.804498.241480@k79g2000hse.googlegroups.com...

>

> > Hello,

> > I'm setting up a dedicated Terminal Server and I have a question

> > regarding local group policies in Windows Server 2003. Is there a way

> > to apply group policies to all user profiles aside from Administrator?

> > Obviously I want certain restrictions for user profiles that need not

> > apply to the administrative profile (Example: disabling access to the

> > control panel). Is there a way to specify which users GP's apply to?

>

> > Thanks,

Guest Johan Strange

Guest Johan Strange

Posted
Posted

Re: Server 2003 Group Policies - Affecting Administrative Profile

 

If you mean that a user logs onto a PC on the domain and also logs onto a TS

(which needs to be more secure) then the answer is to place the TS into its

own OU and apply a policy to the OU. This will not apply to the user when he

logs onto his PC locally. To prevernt the GPO applying to an Admin account

then remove the apply group policy right.

 

If I was you I would remove TS Access rights from the Administrator account

for any public facing TS... instead create a seperate account for

Administrator over RDP.

 

Hope I have understood you. I was not sure if you meant a user logs onto the

TS locally and also remotely requiring differnent policies ?

 

BRGDS

 

Johan

 

"wideye" wrote:

> On Sep 19, 8:31 am, "Floris van Haaster" <florisN...@Mdatasmit.nl>

> wrote:

> > You can create some OU's like:

> >

> > Sales

> > Support

> >

> > etc... then add the users/computers to the ou's.

> > And then create and attach GPO's to OU's.

> >

> > A handy thing to use then is the Group Policy Management Console:http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A...

> >

> > Best regards

> >

> > Floris van Haaster

>

>

> Let me step back and provide a bit more detailed information because I

> don't think my question was clearly conveyed. In our organization all

> users have one account. This one account authenticates local "in

> office" logins as well as remote logins. However, the GP for remote

> logins needs to be more restrictive then the GP for local logins. So

> the question is how can I have one account and two different GP's

> (i.e. one GP for remote logins and one GP for local logins)?

>

> Thanks!

>

>

>

> >

> > "wideye" <dstu...@meterskid.com> wrote in message

> >

> > news:1190207712.804498.241480@k79g2000hse.googlegroups.com...

> >

> > > Hello,

> > > I'm setting up a dedicated Terminal Server and I have a question

> > > regarding local group policies in Windows Server 2003. Is there a way

> > > to apply group policies to all user profiles aside from Administrator?

> > > Obviously I want certain restrictions for user profiles that need not

> > > apply to the administrative profile (Example: disabling access to the

> > > control panel). Is there a way to specify which users GP's apply to?

> >

> > > Thanks,

>

>

>

Guest wideye

Guest wideye

Posted
Posted

Re: Server 2003 Group Policies - Affecting Administrative Profile

 

On Sep 19, 1:44 pm, Johan Strange

<JohanStra...@discussions.microsoft.com> wrote:

> If you mean that a user logs onto a PC on the domain and also logs onto a TS

> (which needs to be more secure) then the answer is to place the TS into its

> own OU and apply a policy to the OU. This will not apply to the user when he

> logs onto his PC locally. To prevernt the GPO applying to an Admin account

> then remove the apply group policy right.

>

> If I was you I would remove TS Access rights from the Administrator account

> for any public facing TS... instead create a seperate account for

> Administrator over RDP.

>

> Hope I have understood you. I was not sure if you meant a user logs onto the

> TS locally and also remotely requiring differnent policies ?

>

> BRGDS

>

> Johan

>

> "wideye" wrote:

> > On Sep 19, 8:31 am, "Floris van Haaster" <florisN...@Mdatasmit.nl>

> > wrote:

> > > You can create some OU's like:

>

> > > Sales

> > > Support

>

> > > etc... then add the users/computers to the ou's.

> > > And then create and attach GPO's to OU's.

>

> > > A handy thing to use then is the Group Policy Management Console:http://www.microsoft.com.nsatc.net/downloads/details.aspx?FamilyId=0A...

>

> > > Best regards

>

> > > Floris van Haaster

>

> > Let me step back and provide a bit more detailed information because I

> > don't think my question was clearly conveyed. In our organization all

> > users have one account. This one account authenticates local "in

> > office" logins as well as remote logins. However, the GP for remote

> > logins needs to be more restrictive then the GP for local logins. So

> > the question is how can I have one account and two different GP's

> > (i.e. one GP for remote logins and one GP for local logins)?

>

> > Thanks!

>

> > > "wideye" <dstu...@meterskid.com> wrote in message

>

> > >news:1190207712.804498.241480@k79g2000hse.googlegroups.com...

>

> > > > Hello,

> > > > I'm setting up a dedicated Terminal Server and I have a question

> > > > regarding local group policies in Windows Server 2003. Is there a way

> > > > to apply group policies to all user profiles aside from Administrator?

> > > > Obviously I want certain restrictions for user profiles that need not

> > > > apply to the administrative profile (Example: disabling access to the

> > > > control panel). Is there a way to specify which users GP's apply to?

>

> > > > Thanks,

 

 

 

 

Jordon,

Thanks for the prompt feedback! Our users sometimes work in the office

and sometimes work from home - I would like to have a GP for "in

office" access and a different GP for "remote" access. Currently, I

have OU's "siteA" and "siteB" and GP's for each OU. However, I don't

understand how I can have a TS OU and GP for users that already exist

in the "siteA" or "siteB" OU's.

 

Thanks again for the help.

 Share
Go to topic listing
×
×
  • Create New...