Jump to content

User Profiles

Guest Ferbalex

By Guest Ferbalex
in Windows NT Server

 Share

Recommended Posts

Guest Ferbalex

Guest Ferbalex

Posted
Posted

Currently running TS where all users load one application - our business

system.

I'm now trying to allocate individual desktops to certain users but, with a

Group Policy only suceeded in restricting normal users to no start button and

no icons!!

Im obviously missing the point - could someone please direct me to a simple

step by step starter??

  • Replies 7
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Jeff Pitsch

Guest Jeff Pitsch

Posted
Posted

Re: User Profiles

 

when you say normal users do you mean their normal desktop? Read my

article on loopback processing and group policy and see if that helps.

As well if you could be more specific on what your trying to do and what

you've done that would help as well.

 

See this link and Understanding Group POlicy in a TS environment:

http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=download

 

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

 

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

 

Ferbalex wrote:

> Currently running TS where all users load one application - our business

> system.

> I'm now trying to allocate individual desktops to certain users but, with a

> Group Policy only suceeded in restricting normal users to no start button and

> no icons!!

> Im obviously missing the point - could someone please direct me to a simple

> step by step starter??

Guest Ferbalex

Guest Ferbalex

Posted
Posted

Re: User Profiles

 

Thanks Jeff and good article. Having got to the end of it, I now have the TS

server in its own OU, two policies, machine and users in the OU, user and

machine disabled where needed, and the loopback enabled. From here I would

like to have users log onto the server and receive various different secure

desktops. If I edit the user policy, I would think that effects all users

logging on. How would I differentiate between them for different desktops??

Many Thanks for your help -

much appreciated

 

"Jeff Pitsch" wrote:

> when you say normal users do you mean their normal desktop? Read my

> article on loopback processing and group policy and see if that helps.

> As well if you could be more specific on what your trying to do and what

> you've done that would help as well.

>

> See this link and Understanding Group POlicy in a TS environment:

> http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=download

>

> Jeff Pitsch

> Microsoft MVP - Terminal Server

> Citrix Technology Professional

> Provision Networks VIP

>

> Forums not enough?

> Get support from the experts at your business

> http://jeffpitschconsulting.com

>

> Ferbalex wrote:

> > Currently running TS where all users load one application - our business

> > system.

> > I'm now trying to allocate individual desktops to certain users but, with a

> > Group Policy only suceeded in restricting normal users to no start button and

> > no icons!!

> > Im obviously missing the point - could someone please direct me to a simple

> > step by step starter??

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: User Profiles

 

From

http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirection

 

Q: How can I configure different TS desktops, based on user group

membership?

 

A: There are a number of 3rd party add-ons which can do this for

you, but it is also possible with native Windows techniques, using

Group Policies.

 

Let's assume you have 3 different user groups, which need different

desktop icons.

 

1. Create 3 security groups in your AD and populate them with the

user accounts

2. Create 3 different shared folders on a file server and populate

the folders with the desktop icons (shortcuts) which you want the

user groups to see

3. Create 3 different GPOs, linked to the OU which contains your

Terminal Server computer account (but not the user accounts!)

4. In each of the GPOs, configure redirection of the desktop to one

of the custom desktop folders which you created in step 2. This is

done in User Configuration - Windows Settings - Folder Redirection

5. Configure each of the GPOs with loopback processing of the GPO,

with the "Replace" option. This is done in Computer Configuration -

Administrative Templates - System - Group Policy - "User Group

Policy loopback processing mode"

6. Configure the security settings on each of the GPOs so that only

the appropriate user group and the TS machine account is allowed to

read and apply the GPO

 

Further reading:

 

231287 - Loopback Processing of Group Policy

http://support.microsoft.com/?kbid=231287

 

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

 

Another way to do this is by using Access Based Enumeration, which

is a free add-on to Windows Server 2003.

For a detailed example of using ABE, see:

 

Build a start menu with ABE

http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

abe.html

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

wrote on 26 sep 2007 in

microsoft.public.windows.terminal_services:

> Thanks Jeff and good article. Having got to the end of it, I

> now have the TS server in its own OU, two policies, machine and

> users in the OU, user and machine disabled where needed, and the

> loopback enabled. From here I would like to have users log onto

> the server and receive various different secure desktops. If I

> edit the user policy, I would think that effects all users

> logging on. How would I differentiate between them for

> different desktops??

> Many Thanks for your help -

> much appreciated

>

> "Jeff Pitsch" wrote:

>

>> when you say normal users do you mean their normal desktop?

>> Read my article on loopback processing and group policy and see

>> if that helps. As well if you could be more specific on what

>> your trying to do and what you've done that would help as well.

>>

>> See this link and Understanding Group POlicy in a TS

>> environment:

>> http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=dow

>> nload

>>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Server

>> Citrix Technology Professional

>> Provision Networks VIP

>>

>> Forums not enough?

>> Get support from the experts at your business

>> http://jeffpitschconsulting.com

>>

>> Ferbalex wrote:

>> > Currently running TS where all users load one application -

>> > our business system.

>> > I'm now trying to allocate individual desktops to certain

>> > users but, with a Group Policy only suceeded in restricting

>> > normal users to no start button and no icons!!

>> > Im obviously missing the point - could someone please direct

>> > me to a simple step by step starter??

Guest Ferbalex

Guest Ferbalex

Posted
Posted

Re: User Profiles

 

Hi, this is different from the first suggestion but looked shorter so gave it

a try.

 

Created 1 security group in AD the TS Group- put one user1 in it - created 1

shared folder on the TS server and put shortcut icons in it, gave TSGroup

access to it - created 1 GPO linked to OU that has TS Svr in it, no users -

in GPO redircted desktop to the shared folder - enabled various other

settings - enabled GPO loopback/replace - allowed the TS Svr and the TS group

in the security filtering.

 

Logged into the TS Svr via TS client, as user1, 'my documents' redirected to

Home folder (not specified in the TS settings) but no other changes take

place, same as logging into the server directly. Deleted everything and

tried it all again - same result.

 

Thanks for your help - any ideas would be appreciated

 

 

"Vera Noest [MVP]" wrote:

> From

> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirection

>

> Q: How can I configure different TS desktops, based on user group

> membership?

>

> A: There are a number of 3rd party add-ons which can do this for

> you, but it is also possible with native Windows techniques, using

> Group Policies.

>

> Let's assume you have 3 different user groups, which need different

> desktop icons.

>

> 1. Create 3 security groups in your AD and populate them with the

> user accounts

> 2. Create 3 different shared folders on a file server and populate

> the folders with the desktop icons (shortcuts) which you want the

> user groups to see

> 3. Create 3 different GPOs, linked to the OU which contains your

> Terminal Server computer account (but not the user accounts!)

> 4. In each of the GPOs, configure redirection of the desktop to one

> of the custom desktop folders which you created in step 2. This is

> done in User Configuration - Windows Settings - Folder Redirection

> 5. Configure each of the GPOs with loopback processing of the GPO,

> with the "Replace" option. This is done in Computer Configuration -

> Administrative Templates - System - Group Policy - "User Group

> Policy loopback processing mode"

> 6. Configure the security settings on each of the GPOs so that only

> the appropriate user group and the TS machine account is allowed to

> read and apply the GPO

>

> Further reading:

>

> 231287 - Loopback Processing of Group Policy

> http://support.microsoft.com/?kbid=231287

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

>

> Another way to do this is by using Access Based Enumeration, which

> is a free add-on to Windows Server 2003.

> For a detailed example of using ABE, see:

>

> Build a start menu with ABE

> http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

> abe.html

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

> wrote on 26 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Thanks Jeff and good article. Having got to the end of it, I

> > now have the TS server in its own OU, two policies, machine and

> > users in the OU, user and machine disabled where needed, and the

> > loopback enabled. From here I would like to have users log onto

> > the server and receive various different secure desktops. If I

> > edit the user policy, I would think that effects all users

> > logging on. How would I differentiate between them for

> > different desktops??

> > Many Thanks for your help -

> > much appreciated

> >

> > "Jeff Pitsch" wrote:

> >

> >> when you say normal users do you mean their normal desktop?

> >> Read my article on loopback processing and group policy and see

> >> if that helps. As well if you could be more specific on what

> >> your trying to do and what you've done that would help as well.

> >>

> >> See this link and Understanding Group POlicy in a TS

> >> environment:

> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=dow

> >> nload

> >>

> >> Jeff Pitsch

> >> Microsoft MVP - Terminal Server

> >> Citrix Technology Professional

> >> Provision Networks VIP

> >>

> >> Forums not enough?

> >> Get support from the experts at your business

> >> http://jeffpitschconsulting.com

> >>

> >> Ferbalex wrote:

> >> > Currently running TS where all users load one application -

> >> > our business system.

> >> > I'm now trying to allocate individual desktops to certain

> >> > users but, with a Group Policy only suceeded in restricting

> >> > normal users to no start button and no icons!!

> >> > Im obviously missing the point - could someone please direct

> >> > me to a simple step by step starter??

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: User Profiles

 

Since your new GPO settings don't work, and you still see the

effects of another GPO (redirection of My Documents), maybe all you

have to do is to run "gpupdate" on the Terminal Server, in a

command window.

If that doesn't help, use Resultant Set of Policies (RSoP) to see

which GPOs affect user1 on the TS.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

wrote on 26 sep 2007 in

microsoft.public.windows.terminal_services:

> Hi, this is different from the first suggestion but looked

> shorter so gave it a try.

>

> Created 1 security group in AD the TS Group- put one user1 in it

> - created 1 shared folder on the TS server and put shortcut

> icons in it, gave TSGroup access to it - created 1 GPO linked to

> OU that has TS Svr in it, no users - in GPO redircted desktop to

> the shared folder - enabled various other settings - enabled GPO

> loopback/replace - allowed the TS Svr and the TS group in the

> security filtering.

>

> Logged into the TS Svr via TS client, as user1, 'my documents'

> redirected to Home folder (not specified in the TS settings) but

> no other changes take place, same as logging into the server

> directly. Deleted everything and tried it all again - same

> result.

>

> Thanks for your help - any ideas would be appreciated

>

>

> "Vera Noest [MVP]" wrote:

>

>> From

>> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirect

>> ion

>>

>> Q: How can I configure different TS desktops, based on user

>> group membership?

>>

>> A: There are a number of 3rd party add-ons which can do this

>> for you, but it is also possible with native Windows

>> techniques, using Group Policies.

>>

>> Let's assume you have 3 different user groups, which need

>> different desktop icons.

>>

>> 1. Create 3 security groups in your AD and populate them with

>> the user accounts

>> 2. Create 3 different shared folders on a file server and

>> populate the folders with the desktop icons (shortcuts) which

>> you want the user groups to see

>> 3. Create 3 different GPOs, linked to the OU which contains

>> your Terminal Server computer account (but not the user

>> accounts!) 4. In each of the GPOs, configure redirection of the

>> desktop to one of the custom desktop folders which you created

>> in step 2. This is done in User Configuration - Windows

>> Settings - Folder Redirection 5. Configure each of the GPOs

>> with loopback processing of the GPO, with the "Replace" option.

>> This is done in Computer Configuration - Administrative

>> Templates - System - Group Policy - "User Group Policy loopback

>> processing mode" 6. Configure the security settings on each of

>> the GPOs so that only the appropriate user group and the TS

>> machine account is allowed to read and apply the GPO

>>

>> Further reading:

>>

>> 231287 - Loopback Processing of Group Policy

>> http://support.microsoft.com/?kbid=231287

>>

>> 816100 - How To Prevent Domain Group Policies from Applying to

>> Administrator Accounts and Selected Users in Windows Server

>> 2003 http://support.microsoft.com/?kbid=816100

>>

>> Another way to do this is by using Access Based Enumeration,

>> which is a free add-on to Windows Server 2003.

>> For a detailed example of using ABE, see:

>>

>> Build a start menu with ABE

>> http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

>> abe.html

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

>> wrote on 26 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Thanks Jeff and good article. Having got to the end of it, I

>> > now have the TS server in its own OU, two policies, machine

>> > and users in the OU, user and machine disabled where needed,

>> > and the loopback enabled. From here I would like to have

>> > users log onto the server and receive various different

>> > secure desktops. If I edit the user policy, I would think

>> > that effects all users logging on. How would I differentiate

>> > between them for different desktops??

>> > Many Thanks for your help -

>> > much appreciated

>> >

>> > "Jeff Pitsch" wrote:

>> >

>> >> when you say normal users do you mean their normal desktop?

>> >> Read my article on loopback processing and group policy and

>> >> see if that helps. As well if you could be more specific on

>> >> what your trying to do and what you've done that would help

>> >> as well.

>> >>

>> >> See this link and Understanding Group POlicy in a TS

>> >> environment:

>> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=

>> >> dow nload

>> >>

>> >> Jeff Pitsch

>> >> Microsoft MVP - Terminal Server

>> >> Citrix Technology Professional

>> >> Provision Networks VIP

>> >>

>> >> Forums not enough?

>> >> Get support from the experts at your business

>> >> http://jeffpitschconsulting.com

>> >>

>> >> Ferbalex wrote:

>> >> > Currently running TS where all users load one application

>> >> > - our business system.

>> >> > I'm now trying to allocate individual desktops to certain

>> >> > users but, with a Group Policy only suceeded in

>> >> > restricting normal users to no start button and no icons!!

>> >> > Im obviously missing the point - could someone please

>> >> > direct me to a simple step by step starter??

Guest Ferbalex

Guest Ferbalex

Posted
Posted

Re: User Profiles

 

Thank you very much, it worked great. Just one thing, I have disabled

evrything I can find in the GPOE but cant restrict the start button, My

Computer in the start menu, or Printers and Faxes in the start menu. Is it

not possible to restrict these? In My Computer users still have access to

System Task and Other Places? I also have two icons appearing from the

Default Domain Policy. Is it possible to restrict this without editing the

domain policy? Windows Server 2003. Thanks again for your great advice.

 

 

 

"Vera Noest [MVP]" wrote:

> Since your new GPO settings don't work, and you still see the

> effects of another GPO (redirection of My Documents), maybe all you

> have to do is to run "gpupdate" on the Terminal Server, in a

> command window.

> If that doesn't help, use Resultant Set of Policies (RSoP) to see

> which GPOs affect user1 on the TS.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

> wrote on 26 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Hi, this is different from the first suggestion but looked

> > shorter so gave it a try.

> >

> > Created 1 security group in AD the TS Group- put one user1 in it

> > - created 1 shared folder on the TS server and put shortcut

> > icons in it, gave TSGroup access to it - created 1 GPO linked to

> > OU that has TS Svr in it, no users - in GPO redircted desktop to

> > the shared folder - enabled various other settings - enabled GPO

> > loopback/replace - allowed the TS Svr and the TS group in the

> > security filtering.

> >

> > Logged into the TS Svr via TS client, as user1, 'my documents'

> > redirected to Home folder (not specified in the TS settings) but

> > no other changes take place, same as logging into the server

> > directly. Deleted everything and tried it all again - same

> > result.

> >

> > Thanks for your help - any ideas would be appreciated

> >

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> From

> >> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirect

> >> ion

> >>

> >> Q: How can I configure different TS desktops, based on user

> >> group membership?

> >>

> >> A: There are a number of 3rd party add-ons which can do this

> >> for you, but it is also possible with native Windows

> >> techniques, using Group Policies.

> >>

> >> Let's assume you have 3 different user groups, which need

> >> different desktop icons.

> >>

> >> 1. Create 3 security groups in your AD and populate them with

> >> the user accounts

> >> 2. Create 3 different shared folders on a file server and

> >> populate the folders with the desktop icons (shortcuts) which

> >> you want the user groups to see

> >> 3. Create 3 different GPOs, linked to the OU which contains

> >> your Terminal Server computer account (but not the user

> >> accounts!) 4. In each of the GPOs, configure redirection of the

> >> desktop to one of the custom desktop folders which you created

> >> in step 2. This is done in User Configuration - Windows

> >> Settings - Folder Redirection 5. Configure each of the GPOs

> >> with loopback processing of the GPO, with the "Replace" option.

> >> This is done in Computer Configuration - Administrative

> >> Templates - System - Group Policy - "User Group Policy loopback

> >> processing mode" 6. Configure the security settings on each of

> >> the GPOs so that only the appropriate user group and the TS

> >> machine account is allowed to read and apply the GPO

> >>

> >> Further reading:

> >>

> >> 231287 - Loopback Processing of Group Policy

> >> http://support.microsoft.com/?kbid=231287

> >>

> >> 816100 - How To Prevent Domain Group Policies from Applying to

> >> Administrator Accounts and Selected Users in Windows Server

> >> 2003 http://support.microsoft.com/?kbid=816100

> >>

> >> Another way to do this is by using Access Based Enumeration,

> >> which is a free add-on to Windows Server 2003.

> >> For a detailed example of using ABE, see:

> >>

> >> Build a start menu with ABE

> >> http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

> >> abe.html

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

> >> wrote on 26 sep 2007 in

> >> microsoft.public.windows.terminal_services:

> >>

> >> > Thanks Jeff and good article. Having got to the end of it, I

> >> > now have the TS server in its own OU, two policies, machine

> >> > and users in the OU, user and machine disabled where needed,

> >> > and the loopback enabled. From here I would like to have

> >> > users log onto the server and receive various different

> >> > secure desktops. If I edit the user policy, I would think

> >> > that effects all users logging on. How would I differentiate

> >> > between them for different desktops??

> >> > Many Thanks for your help -

> >> > much appreciated

> >> >

> >> > "Jeff Pitsch" wrote:

> >> >

> >> >> when you say normal users do you mean their normal desktop?

> >> >> Read my article on loopback processing and group policy and

> >> >> see if that helps. As well if you could be more specific on

> >> >> what your trying to do and what you've done that would help

> >> >> as well.

> >> >>

> >> >> See this link and Understanding Group POlicy in a TS

> >> >> environment:

> >> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13&type=

> >> >> dow nload

> >> >>

> >> >> Jeff Pitsch

> >> >> Microsoft MVP - Terminal Server

> >> >> Citrix Technology Professional

> >> >> Provision Networks VIP

> >> >>

> >> >> Forums not enough?

> >> >> Get support from the experts at your business

> >> >> http://jeffpitschconsulting.com

> >> >>

> >> >> Ferbalex wrote:

> >> >> > Currently running TS where all users load one application

> >> >> > - our business system.

> >> >> > I'm now trying to allocate individual desktops to certain

> >> >> > users but, with a Group Policy only suceeded in

> >> >> > restricting normal users to no start button and no icons!!

> >> >> > Im obviously missing the point - could someone please

> >> >> > direct me to a simple step by step starter??

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: User Profiles

 

You can use Folder redirection for the Start Menu, exactly in the

same way as you used Folder redirection for the Desktop.

Also make sure that you delete unwanted shortcuts from the C:

\Documents and Settings\All Users\Start Menu on the Terminal

Server.

 

Exactly what icons are you getting from the Default Domain Policy,

and in which GPO setting are they defined?

Have you tried "undoing" them by configuring the same setting in

your GPO with a value of "Disabled"?

You could block policy inheritance, but that's normally not a good

idea. A Default Domain Policy should only contain settings which

*must* be configured for the whole domain. If that's not true, the

setting is configured at the wrong level.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

wrote on 27 sep 2007 in

microsoft.public.windows.terminal_services:

> Thank you very much, it worked great. Just one thing, I have

> disabled evrything I can find in the GPOE but cant restrict the

> start button, My Computer in the start menu, or Printers and

> Faxes in the start menu. Is it not possible to restrict these?

> In My Computer users still have access to System Task and Other

> Places? I also have two icons appearing from the Default Domain

> Policy. Is it possible to restrict this without editing the

> domain policy? Windows Server 2003. Thanks again for your great

> advice.

>

>

>

> "Vera Noest [MVP]" wrote:

>

>> Since your new GPO settings don't work, and you still see the

>> effects of another GPO (redirection of My Documents), maybe all

>> you have to do is to run "gpupdate" on the Terminal Server, in

>> a command window.

>> If that doesn't help, use Resultant Set of Policies (RSoP) to

>> see which GPOs affect user1 on the TS.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@discussions.microsoft.com>

>> wrote on 26 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Hi, this is different from the first suggestion but looked

>> > shorter so gave it a try.

>> >

>> > Created 1 security group in AD the TS Group- put one user1 in

>> > it - created 1 shared folder on the TS server and put

>> > shortcut icons in it, gave TSGroup access to it - created 1

>> > GPO linked to OU that has TS Svr in it, no users - in GPO

>> > redircted desktop to the shared folder - enabled various

>> > other settings - enabled GPO loopback/replace - allowed the

>> > TS Svr and the TS group in the security filtering.

>> >

>> > Logged into the TS Svr via TS client, as user1, 'my

>> > documents' redirected to Home folder (not specified in the TS

>> > settings) but no other changes take place, same as logging

>> > into the server directly. Deleted everything and tried it

>> > all again - same result.

>> >

>> > Thanks for your help - any ideas would be appreciated

>> >

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> From

>> >> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredir

>> >> ect ion

>> >>

>> >> Q: How can I configure different TS desktops, based on user

>> >> group membership?

>> >>

>> >> A: There are a number of 3rd party add-ons which can do this

>> >> for you, but it is also possible with native Windows

>> >> techniques, using Group Policies.

>> >>

>> >> Let's assume you have 3 different user groups, which need

>> >> different desktop icons.

>> >>

>> >> 1. Create 3 security groups in your AD and populate them

>> >> with the user accounts

>> >> 2. Create 3 different shared folders on a file server and

>> >> populate the folders with the desktop icons (shortcuts)

>> >> which you want the user groups to see

>> >> 3. Create 3 different GPOs, linked to the OU which contains

>> >> your Terminal Server computer account (but not the user

>> >> accounts!) 4. In each of the GPOs, configure redirection of

>> >> the desktop to one of the custom desktop folders which you

>> >> created in step 2. This is done in User Configuration -

>> >> Windows Settings - Folder Redirection 5. Configure each of

>> >> the GPOs with loopback processing of the GPO, with the

>> >> "Replace" option. This is done in Computer Configuration -

>> >> Administrative Templates - System - Group Policy - "User

>> >> Group Policy loopback processing mode" 6. Configure the

>> >> security settings on each of the GPOs so that only the

>> >> appropriate user group and the TS machine account is allowed

>> >> to read and apply the GPO

>> >>

>> >> Further reading:

>> >>

>> >> 231287 - Loopback Processing of Group Policy

>> >> http://support.microsoft.com/?kbid=231287

>> >>

>> >> 816100 - How To Prevent Domain Group Policies from Applying

>> >> to Administrator Accounts and Selected Users in Windows

>> >> Server 2003 http://support.microsoft.com/?kbid=816100

>> >>

>> >> Another way to do this is by using Access Based Enumeration,

>> >> which is a free add-on to Windows Server 2003.

>> >> For a detailed example of using ABE, see:

>> >>

>> >> Build a start menu with ABE

>> >> http://www.datacrash.net/howtos/howto/build-a-start-menu-with

>> >> - abe.html

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?RmVyYmFsZXg=?=

>> >> <Ferbalex@discussions.microsoft.com> wrote on 26 sep 2007 in

>> >> microsoft.public.windows.terminal_services:

>> >>

>> >> > Thanks Jeff and good article. Having got to the end of

>> >> > it, I now have the TS server in its own OU, two policies,

>> >> > machine and users in the OU, user and machine disabled

>> >> > where needed, and the loopback enabled. From here I would

>> >> > like to have users log onto the server and receive various

>> >> > different secure desktops. If I edit the user policy, I

>> >> > would think that effects all users logging on. How would

>> >> > I differentiate between them for different desktops??

>> >> > Many Thanks for your help -

>> >> > much appreciated

>> >> >

>> >> > "Jeff Pitsch" wrote:

>> >> >

>> >> >> when you say normal users do you mean their normal

>> >> >> desktop? Read my article on loopback processing and group

>> >> >> policy and see if that helps. As well if you could be

>> >> >> more specific on what your trying to do and what you've

>> >> >> done that would help as well.

>> >> >>

>> >> >> See this link and Understanding Group POlicy in a TS

>> >> >> environment:

>> >> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13&ty

>> >> >> pe= dow nload

>> >> >>

>> >> >> Jeff Pitsch

>> >> >> Microsoft MVP - Terminal Server

>> >> >> Citrix Technology Professional

>> >> >> Provision Networks VIP

>> >> >>

>> >> >> Forums not enough?

>> >> >> Get support from the experts at your business

>> >> >> http://jeffpitschconsulting.com

>> >> >>

>> >> >> Ferbalex wrote:

>> >> >> > Currently running TS where all users load one

>> >> >> > application - our business system.

>> >> >> > I'm now trying to allocate individual desktops to

>> >> >> > certain users but, with a Group Policy only suceeded in

>> >> >> > restricting normal users to no start button and no

>> >> >> > icons!! Im obviously missing the point - could someone

>> >> >> > please direct me to a simple step by step starter??

 Share
Go to topic listing
×
×
  • Create New...