How to prevent computer settings from applying to Administrators when using loopback policy?

[Guest J. Jensen]

How to prevent computer settings from applying to Administrators when using loopback policy?

 

Hi

 

I'm having some trouble with the admin account on Windows 2003 TS.

I don't want it to use an TS roaming profile, but don't know how to avoid

it, as it is set in Computer settings and therefore affecting all users.

Any ideas what to do?

 

 

Scenario:

 

2 terminal servers (none of them are DC's).

They are in their own OU "Terminal servers", and there are no other objects

in here.

 

There's ~10 GPO's linked to the "Terminal Servers" OU.

Two of them are affecting Computer Settings, and the rest are User settings.

 

Computer policy #1: Name = Loopback policy:

Only setting changed here is Loopback enabled, replace mode.

Scope -> Security Filtering: Only the two TS computer objects + the security

group containing the TS users added here.

Administrators are not member of this security group.

 

Computer policy #2: Name = TS users profile path <- THIS IS THE ONE CAUSING

THE PROBLEMS

Computer settings:

I have changed TS users profile path at

Local Computer Policy/Computer Configuration/Administrative

Templates/Windows Components/Terminal Services

Scope -> Security Filtering: Only the two TS computer objects + the security

group containing the TS users added here.

Administrators are not member of this security group.

 

User settings, policy #3 -> #10:

These are working perfectly.

I have put deny on all Domain Admins "apply group policy", so the Admins

aren't affected by these.

Scope -> Security Filtering: Only the two TS computer objects + the security

group containing the TS users added here.

Administrators are not member of this security group.

 

Regards

 

J. Jensen

[Guest Jeff Pitsch]

Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

 

Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

 

Computer policies apply to computers not users. Filtering based on

users is pointless since it applies to computers.

 

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

 

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

 

J. Jensen wrote:

> Hi

>

> I'm having some trouble with the admin account on Windows 2003 TS.

> I don't want it to use an TS roaming profile, but don't know how to avoid

> it, as it is set in Computer settings and therefore affecting all users.

> Any ideas what to do?

>

>

> Scenario:

>

> 2 terminal servers (none of them are DC's).

> They are in their own OU "Terminal servers", and there are no other objects

> in here.

>

> There's ~10 GPO's linked to the "Terminal Servers" OU.

> Two of them are affecting Computer Settings, and the rest are User settings.

>

> Computer policy #1: Name = Loopback policy:

> Only setting changed here is Loopback enabled, replace mode.

> Scope -> Security Filtering: Only the two TS computer objects + the security

> group containing the TS users added here.

> Administrators are not member of this security group.

>

> Computer policy #2: Name = TS users profile path <- THIS IS THE ONE CAUSING

> THE PROBLEMS

> Computer settings:

> I have changed TS users profile path at

> Local Computer Policy/Computer Configuration/Administrative

> Templates/Windows Components/Terminal Services

> Scope -> Security Filtering: Only the two TS computer objects + the security

> group containing the TS users added here.

> Administrators are not member of this security group.

>

> User settings, policy #3 -> #10:

> These are working perfectly.

> I have put deny on all Domain Admins "apply group policy", so the Admins

> aren't affected by these.

> Scope -> Security Filtering: Only the two TS computer objects + the security

> group containing the TS users added here.

> Administrators are not member of this security group.

>

> Regards

>

> J. Jensen

>

>

[Guest J. Jensen]

Re: How to prevent computer settings from applying to Administrators when using loopback policy?

 

Re: How to prevent computer settings from applying to Administrators when using loopback policy?

 

Hi

 

 

"Jeff Pitsch" <Jeff@Jeffpitschconsulting.com> skrev i en meddelelse

news:u%23NfxT4$HHA.4476@TK2MSFTNGP06.phx.gbl...

> Computer policies apply to computers not users. Filtering based on users

> is pointless since it applies to computers.

>

Yes I'm aware of this.

What do other admins do?

This must be a common issue when defining "TS users profile path " through

GPO.

I could of course set this individually on all users in AD but I would

prefer not to...

 

 

 

> Jeff Pitsch

> Microsoft MVP - Terminal Server

> Citrix Technology Professional

> Provision Networks VIP

>

> Forums not enough?

> Get support from the experts at your business

> http://jeffpitschconsulting.com

>

> J. Jensen wrote:

>> Hi

>>

>> I'm having some trouble with the admin account on Windows 2003 TS.

>> I don't want it to use an TS roaming profile, but don't know how to avoid

>> it, as it is set in Computer settings and therefore affecting all users.

>> Any ideas what to do?

>>

>>

>> Scenario:

>>

>> 2 terminal servers (none of them are DC's).

>> They are in their own OU "Terminal servers", and there are no other

>> objects in here.

>>

>> There's ~10 GPO's linked to the "Terminal Servers" OU.

>> Two of them are affecting Computer Settings, and the rest are User

>> settings.

>>

>> Computer policy #1: Name = Loopback policy:

>> Only setting changed here is Loopback enabled, replace mode.

>> Scope -> Security Filtering: Only the two TS computer objects + the

>> security group containing the TS users added here.

>> Administrators are not member of this security group.

>>

>> Computer policy #2: Name = TS users profile path <- THIS IS THE ONE

>> CAUSING THE PROBLEMS

>> Computer settings:

>> I have changed TS users profile path at

>> Local Computer Policy/Computer Configuration/Administrative

>> Templates/Windows Components/Terminal Services

>> Scope -> Security Filtering: Only the two TS computer objects + the

>> security group containing the TS users added here.

>> Administrators are not member of this security group.

>>

>> User settings, policy #3 -> #10:

>> These are working perfectly.

>> I have put deny on all Domain Admins "apply group policy", so the Admins

>> aren't affected by these.

>> Scope -> Security Filtering: Only the two TS computer objects + the

>> security group containing the TS users added here.

>> Administrators are not member of this security group.

>>

>> Regards

>>

>> J. Jensen

[Guest Jeff Pitsch]

Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

 

Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

 

It's a trade-off of convenience. I guess I don't really see a problem

though since administrators would want their settings following them too.

 

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

 

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

 

J. Jensen wrote:

> Hi

>

>

> "Jeff Pitsch" <Jeff@Jeffpitschconsulting.com> skrev i en meddelelse

> news:u%23NfxT4$HHA.4476@TK2MSFTNGP06.phx.gbl...

>> Computer policies apply to computers not users. Filtering based on users

>> is pointless since it applies to computers.

>>

> Yes I'm aware of this.

> What do other admins do?

> This must be a common issue when defining "TS users profile path " through

> GPO.

> I could of course set this individually on all users in AD but I would

> prefer not to...

>

>

>

>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Server

>> Citrix Technology Professional

>> Provision Networks VIP

>>

>> Forums not enough?

>> Get support from the experts at your business

>> http://jeffpitschconsulting.com

>>

>> J. Jensen wrote:

>>> Hi

>>>

>>> I'm having some trouble with the admin account on Windows 2003 TS.

>>> I don't want it to use an TS roaming profile, but don't know how to avoid

>>> it, as it is set in Computer settings and therefore affecting all users.

>>> Any ideas what to do?

>>>

>>>

>>> Scenario:

>>>

>>> 2 terminal servers (none of them are DC's).

>>> They are in their own OU "Terminal servers", and there are no other

>>> objects in here.

>>>

>>> There's ~10 GPO's linked to the "Terminal Servers" OU.

>>> Two of them are affecting Computer Settings, and the rest are User

>>> settings.

>>>

>>> Computer policy #1: Name = Loopback policy:

>>> Only setting changed here is Loopback enabled, replace mode.

>>> Scope -> Security Filtering: Only the two TS computer objects + the

>>> security group containing the TS users added here.

>>> Administrators are not member of this security group.

>>>

>>> Computer policy #2: Name = TS users profile path <- THIS IS THE ONE

>>> CAUSING THE PROBLEMS

>>> Computer settings:

>>> I have changed TS users profile path at

>>> Local Computer Policy/Computer Configuration/Administrative

>>> Templates/Windows Components/Terminal Services

>>> Scope -> Security Filtering: Only the two TS computer objects + the

>>> security group containing the TS users added here.

>>> Administrators are not member of this security group.

>>>

>>> User settings, policy #3 -> #10:

>>> These are working perfectly.

>>> I have put deny on all Domain Admins "apply group policy", so the Admins

>>> aren't affected by these.

>>> Scope -> Security Filtering: Only the two TS computer objects + the

>>> security group containing the TS users added here.

>>> Administrators are not member of this security group.

>>>

>>> Regards

>>>

>>> J. Jensen

>

>