
GP/OU Question



Guest porbarfarms@gmail.com
Posted

We have a Windows 2003 DC that is also running TS - we know, not recommended. We know that when you have TS as a member server, you set up a new OU and move the TS into it. Then create/link a GP to it...

This is probably a stupid question, but we are needing reassurance in our particular setup that this step of creating a new OU and linking a GP to it is not necessary since we would be moving the DC out of its OU and into another - does not sound like a good idea or necessary in our case?

Hence, it looks like we will just be modifying the Default GP for the Remote users connecting to the DC/TS?

Thanks in advance!

Guest Vera Noest [MVP]
Posted

Re: GP/OU Question

 

I would certainly *not* move the DC to another OU, that could break other things in the domain.

I would *not* modify the Default Domain or Default Domain Controller GPO either. Rather, create a new GPO and link it to the Domain Controller OU, and put it above the existing GPOs linked to that OU, thereby overriding the other GPOs.
That way, you will have an easy way to undo your changes in case anything goes completely wrong, by simply removing the GPO link.

Be sure to test every setting thoroughly, because this is one of the reasons that it is not recommended to run TS on a DC.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

porbarfarms@gmail.com wrote on 18 jan 2008 in

microsoft.public.windows.terminal_services:

> We have a Windows 2003 DC that is also running TS -we know, not

> recommended. We know that when you have TS as member server, you

> setup a new OU and move the TS into it. Then create/link a GP to

> it...

>

> This is probably a stupid question, but we are needing

> reassurance in our particular setup that this step of creating a

> new OU and linking a GP to it is not necessary since we would be

> moving the DC out of its OU and into another -does not sound

> like a good idea or necessary in our case?

>

> Hence, it looks like we will just be modifying the Default GP

> for the Remote users connecting to the DC/TS?

>

> Thanks in advance!

Guest porbarfarms@gmail.com
Posted

Re: GP/OU Question

 

On Jan 18, 3:21 pm, "Vera Noest [MVP]" <vera.no...@remove-

this.hem.utfors.se> wrote:

> I would certainly *not* move the DC to another OU, that could break

> other things in the domain.

>

> I would *not* modify the Default Domain or Default Domain

> Controller GPO either. Rather, create a new GPO and link it to the

> Domain Controller OU, and put it above the existing GPOs linked to

> that OU, thereby overriding the other GPOs.

> That way, you will have an easy way to undo your changes in case

> anything goes completely wrong, by simply removing the GPO link.

>

> Be sure to test every setting thoroughly, because this is one of

> the reasons that it is not recommended running TS on a DC.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting:  http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> porbarfa...@gmail.com wrote on 18 jan 2008 in

> microsoft.public.windows.terminal_services:

>

>

>

> > We have a Windows 2003 DC that is also running TS -we know, not

> > recommended. We know that when you have TS as member server, you

> > setup a new OU and move the TS into it. Then create/link a GP to

> > it...

>

> > This is probably a stupid question, but we are needing

> > reassurance in our particular setup that this step of creating a

> > new OU and linking a GP to it is not necessary since we would be

> > moving the DC out of its OU and into another -does not sound

> > like a good idea or necessary in our case?

>

> > Hence, it looks like we will just be modifying the Default GP

> > for the Remote users connecting to the DC/TS?

>

> > Thanks in advance!

 

Thank you for replying. We are working with a customer that already has TS installed on their DC and we are trying to help them with their remote setup. They already have separate OUs created for User departments, such as Finance, Sales, etc. and have GPOs linked to these OUs where they control local resources, Internet use, etc. for these users.

They will have some local users at the main office connecting to the TS, with or without using thin-clients, and these users are members of their respective OUs and Remote Users group. We are in the test lab now, trying to mimic this setup, and now incorporate the remote users (who will be using thin-clients). So, in the test lab, we have added another OU - called remUsers - and created a new GP - called remGPO - and plan to edit the User Configuration settings to control, for instance, what icons the remote users see on the TS desktop, and to make available to them a folder that we have already created on a certain shared partition on the TS.

This plan seems different than what you advised, however we realize you did not have this much info in making your response. We will:

1. Add the remote user (working in satellite office on a thin-client) to AD and make member of RDesktop users.
2. Create an OU called remUsers. Create GP and link to OU.
3. Move necessary users into the OU.
4. Edit the GP created in Step 2 for controlling users' environment.

Will our method work and/or do you see any flaws?

Guest Vera Noest [MVP]
Posted

Re: GP/OU Question

 

porbarfarms@gmail.com wrote on 21 jan 2008 in

microsoft.public.windows.terminal_services:

> On Jan 18, 3:21 pm, "Vera Noest [MVP]" <vera.no...@remove-

> this.hem.utfors.se> wrote:

>> I would certainly *not* move the DC to another OU, that could

>> break other things in the domain.

>>

>> I would *not* modify the Default Domain or Default Domain

>> Controller GPO either. Rather, create a new GPO and link it to

>> the Domain Controller OU, and put it above the existing GPOs

>> linked to that OU, thereby overriding the other GPOs.

>> That way, you will have an easy way to undo your changes in

>> case anything goes completely wrong, by simply removing the GPO

>> link.

>>

>> Be sure to test every setting thoroughly, because this is one

>> of the reasons that it is not recommended running TS on a DC.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting:  http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> porbarfa...@gmail.com wrote on 18 jan 2008 in

>> microsoft.public.windows.terminal_services:

>>

>>

>>

>> > We have a Windows 2003 DC that is also running TS -we know,

>> > not recommended. We know that when you have TS as member

>> > server, you setup a new OU and move the TS into it. Then

>> > create/link a GP to it...

>>

>> > This is probably a stupid question, but we are needing

>> > reassurance in our particular setup that this step of

>> > creating a new OU and linking a GP to it is not necessary

>> > since we would be moving the DC out of its OU and into

>> > another -does not sound like a good idea or necessary in our

>> > case?

>>

>> > Hence, it looks like we will just be modifying the Default GP

>> > for the Remote users connecting to the DC/TS?

>>

>> > Thanks in advance!

>

> Thank you for replying. We are working with a customer that

> already has TS installed on their DC and we are trying to help

> them with their remote setup. They already have separate OUs

> created for User departments, such as Finance, Sales, etc and

> have GPOs linked to these OUs where they control local

> resources, Internet use, etc for these users.

>

> They will have some local users at the main office connecting to

> the TS, with or without using thin-clients, and these users are

> members of their respective OUs and Remote Users group. We are in

> the test lab now, trying to mimic this setup, and now

> incorporate the remote users (who will be using thin-clients).

> So, in the test lab, we have added another OU -called remUsers-

> and created a new GP -called remGPO- and plan to edit the User

> Configuration settings to control, for instance, what icons the

> remote users see on the TS desktop, and to make available to

> them a folder that we have already created on a certain shared

> partition on the TS.

>

> This plan seems different than what you advised, however we

> realize you did not have this much info in making your response.

> We will:

>

> 1. Add the remote user (working in satellite office on a

> thin-client) to AD and make member of RDesktop users.

> 2. Create an OU called remUsers. Create GP and link to OU.

> 3. Move necessary users into the OU.

> 4. Edit the GP created in Step 2 for controlling users'

> environment.

>

> Will our method work and/or do you see any flaws?

 

Linking the GPO to the OU which contains the user accounts (instead of the standard method of linking it to the OU which contains the TS machine account and using loopback processing) will work for users who *only* log on through a thin client.

But as soon as a user account is also used to log on to a normal "fat" client, the GPO will be applied to the user as well and most likely cause error messages and unwanted effects.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___
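
The difference described in the reply above, as an added illustration that is not part of the thread or of any poster's configuration: a simplified Python model of which user-configuration settings take effect when the restricting GPO is linked to the users' OU versus the TS machine's OU with loopback processing. The machine names `DC1-TS` and `FATPC01`, the GPO name `tsUserGPO`, the Workstations OU and the setting name are constructed assumptions; only `remUsers` and `remGPO` come from the thread.

```python
# Simplified model of how user-configuration settings are selected at logon.
# It ignores domain/site links, inheritance blocking, enforcement and security
# filtering. Machine names, tsUserGPO and the setting name are constructed.

COMPUTER_OU = {"DC1-TS": "OU=Domain Controllers", "FATPC01": "OU=Workstations"}
RESTRICT = {"HideDesktopIcons": True}  # stand-in for the TS desktop lockdown

# Plan from the thread: remGPO linked to the OU holding the user accounts.
PLAN_USER_OU = {"OU=remUsers": [("remGPO", RESTRICT)]}
# Standard method: GPO linked to the OU holding the TS machine account,
# with loopback processing enabled for computers in that OU.
PLAN_LOOPBACK = {"OU=Domain Controllers": [("tsUserGPO", RESTRICT)]}
LOOPBACK = {"OU=Domain Controllers": "merge"}


def user_settings(user_ou, computer, links, loopback=None):
    """Return the user settings in effect when a user logs on to a computer.

    links:    {ou: [(gpo_name, user_settings), ...]} in application order
    loopback: {computer_ou: "merge" | "replace"}, a per-computer policy
    """
    comp_ou = COMPUTER_OU[computer]
    mode = (loopback or {}).get(comp_ou)
    ous = []
    if mode != "replace":
        ous.append(user_ou)   # normal processing: GPOs on the user's OU
    if mode in ("merge", "replace"):
        ous.append(comp_ou)   # loopback: user settings from the computer's OU
    effective = {}
    for ou in ous:
        for _gpo, settings in links.get(ou, []):
            effective.update(settings)  # later GPOs override earlier ones
    return effective


def compare(user_ou="OU=remUsers"):
    """Effective settings per plan and logon target."""
    return {
        (plan, pc): user_settings(user_ou, pc, links, lb)
        for plan, links, lb in (("user-ou", PLAN_USER_OU, None),
                                ("loopback", PLAN_LOOPBACK, LOOPBACK))
        for pc in COMPUTER_OU
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

With the user-OU link the restriction follows the account to the fat client; with the machine-OU link and loopback it applies only to sessions on the TS.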

