
Creating a GPO for TS lockdown



Guest Noncentz303
Posted

I created a test OU and added a GPO to lockdown TS. I added each TS to the OU and also a test user was added to the group. But when I go to test my TS to see if the changes I made are working it seems as though my GPO never worked at all.

Does anyone have a link to a tutorial that can accurately help me create a GPO for my TS so that all users' sessions are the same?

I was using:

http://technet2.microsoft.com/windowsserver/en/library/7b33dcd6-0ad2-44e8-82f8-962425b6cf8e1033.mspx?mfr=true

Thanks Much

Antony

Posted

Re: Creating a GPO for TS lockdown

 

Hello Antony,

GPMC is a good tool from MS to help create and resolve GPO issues:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887

"Noncentz303" <Noncentz303@discussions.microsoft.com> wrote in message news:6CAB3181-01BB-41BC-B658-3125CEF7EB4F@microsoft.com...

> I created a test OU and added a GPO to lockdown TS. I added each TS to the OU
> and also a test user was added to the group. But when I go to test my TS to
> see if the changes I made are working it seems as though my GPO never worked
> at all.
>
> Does anyone have a link to a tutorial that can accurately help me create a
> GPO for my TS so that all users' sessions are the same?
>
> I was using:
>
> http://technet2.microsoft.com/windowsserver/en/library/7b33dcd6-0ad2-44e8-82f8-962425b6cf8e1033.mspx?mfr=true
>
> Thanks Much
> Antony

Guest Noncentz303
Posted

Re: Creating a GPO for TS lockdown

 

Currently I am using GPMC to do my GPO, I like how it lays everything out for you. Man, that last post was insane, sorry bout that.

I guess what I'm looking for is to see if my GPO is actually affecting the server. Under my new GPO I added the Terminal Server and the user group I set up. Then I added a user to that group to use as a test subject. But when I log onto the server I do not see any changes as well as folder redirection.

I set up mandatory profiles for our users when logging on because I'm trying to get it so that users cannot make changes to the TS but all be in the same environment?

Noncentz

"leakim" wrote:

> Hello Antony,
>
> GPMC is a good tool from MS to help create and resolve GPO issues:
> http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887


Guest Vera Noest [MVP]
Posted

Re: Creating a GPO for TS lockdown

 

You should *not* add any user accounts to the OU. You need to use loopback processing of the GPO instead.

You can use the Resultant Set of Policies (RSoP) feature to check which GPOs apply to a certain user when logging into your TS.

260370 - How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Noncentz303 <Noncentz303@discussions.microsoft.com> wrote on 25 Oct 2007 in microsoft.public.windows.terminal_services:

> Currently I am using GPMC to do my GPO, I like how it lays
> everything out for you. Man, that last post was insane, sorry bout
> that.
>
> I guess what I'm looking for is to see if my GPO is actually
> affecting the server. Under my new GPO I added the Terminal
> Server and the user group I set up. Then I added a user to that
> group to use as a test subject. But when I log onto the server I
> do not see any changes as well as folder redirection.
>
> I set up mandatory profiles for our users when logging on
> because I'm trying to get it so that users cannot make changes to
> the TS but all be in the same environment?
>
> Noncentz


Guest Noncentz303
Posted

Re: Creating a GPO for TS lockdown

 

Vera,

Ok so I ran RSOP on my TS and I see the GPO I created and the TS is in the right OU. But from the looks I have not applied it to the server correctly. Cendrars has enlightened me to DACK config and applying the group policy so I will read up on that.

I have removed the individual test user and added him to the group I set up. Here are my RSOP results

 

Created On 10/25/2007 at 3:03:32 PM

RSOP data for MCCOYSALES\anolan on MCSVR03 : Logging Mode
----------------------------------------------------------

OS Type: Microsoft® Windows® Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile: \\mcsvr03\AdminMandatory
Local Profile: C:\Documents and Settings\anolan
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=MCSVR03,OU=Terminal Servers,DC=mccoysales,DC=local
Last time Group Policy was applied: 10/25/2007 at 2:28:35 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: mccoysales
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Small Business Server Domain Password Policy
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
CN=Antony Nolan,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 10/25/2007 at 2:28:35 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: MCCOYSALES
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server Lockout Policy
Filtering: Disabled (GPO)

Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)

Small Business Server Client Computer
Filtering: Not Applied (Empty)

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Offer Remote Assistance Helpers
Remote Desktop Users
BUILTIN\Users
BUILTIN\Administrators
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
SBS Mobile Users
Web Workplace Users
SBS Report Users
Prophet21_Users
Offer Remote Assistance Helpers

Guest Vera Noest [MVP]
Posted

Re: Creating a GPO for TS lockdown

 

So what's the GPO you are trying to apply?

Assuming that it is the Small Business Server Lockout Policy, then the computer settings are applied, but not the user settings; it seems that they are disabled.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Noncentz303 <Noncentz303@discussions.microsoft.com> wrote on 25 Oct 2007 in microsoft.public.windows.terminal_services:

> Vera,
>
> Ok so I ran RSOP on my TS and I see the GPO I created and the TS
> is in the right OU. But from the looks I have not applied it to
> the server correctly. Cendrars has enlightened me to DACK config
> and applying the group policy so I will read up on that.
>
> I have removed the individual test user and added him to the
> group I set up. Here are my RSOP results


>
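The per-scope reading of the RSoP report discussed above, as an added example that is not part of the original thread: a PowerShell function that reports, for a named GPO, whether it was applied or why it was filtered under COMPUTER SETTINGS and USER SETTINGS. The function name `Get-GpoStatus` is hypothetical, the report text is a constructed excerpt of the output posted in the thread, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample: trimmed excerpt of the gpresult (RSoP logging mode) report posted in this thread.
$report = @'
COMPUTER SETTINGS
------------------
Applied Group Policy Objects
-----------------------------
Small Business Server Lockout Policy
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
EnlightenUsers
Filtering: Not Applied (Empty)

USER SETTINGS
--------------
Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Lockout Policy
Filtering: Disabled (GPO)

EnlightenUsers
Filtering: Not Applied (Empty)
'@
# Get-GpoStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-GpoStatus {
    param([string]$Text, [string]$GpoName)
    $scope = $null; $section = $null; $last = $null
    $status = [ordered]@{ GPO = $GpoName; COMPUTER = 'not listed'; USER = 'not listed' }
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^(COMPUTER|USER) SETTINGS$') { $scope = $Matches[1]; $section = $null; continue }
        if (-not $scope -or $line -eq '' -or $line -match '^-+$') { continue }
        if ($line -eq 'Applied Group Policy Objects') { $section = 'applied'; continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'filtered'; continue }
        if ($line -like '*security groups') { $section = $null; continue }
        if ($section -eq 'applied' -and $line -eq $GpoName) { $status[$scope] = 'applied' }
        elseif ($section -eq 'filtered' -and $last -eq $GpoName -and $line -match '^Filtering:\s*(.+)$') { $status[$scope] = "filtered: $($Matches[1])" }
        elseif ($section -eq 'filtered' -and $line -notmatch '^(Filtering|WMI Filter):') { $last = $line }
    }
    [pscustomobject]$status   # one object per GPO: name, computer-side status, user-side status
}
'Small Business Server Lockout Policy', 'EnlightenUsers' |
    ForEach-Object { Get-GpoStatus -Text $report -GpoName $_ } | Format-List
```

To check a live server, pass the captured text of `gpresult /v` (for example `gpresult /v | Out-String`) as `-Text` in place of the sample.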

