
Setting Group Policy to apply only to the terminal server



Guest Graffiti Knight
Posted

We have a number of group policy restrictions for our terminal server,
however they all fall under User Configuration (folder redirection,
Control Panel access, and hiding drives in My Computer). To apply
these settings we have an OU for our employees' computers to use
loopback processing and an OU for the employees' user accounts.

The problem is that whenever a user logs onto a computer that is not
the terminal server (TS), if they aren't moved out of the OU then the
policy restrictions get applied to their profile and we have to wipe
it and start over. For computer rebuilds this becomes a hassle as we
have to remove them, create the profile on their new machine, and then
move them back. Is there a way to apply these User Configuration
settings only on the Terminal Server, and not have to do all of this
moving around?

Thanks for any suggestions.

Posted

Re: Setting Group Policy to apply only to the terminal server

 

Graffiti Knight wrote:
> We have a number of group policy restrictions for our terminal server,
> however they all fall under User Configuration (folder redirection,
> Control Panel access, and hiding drives in My Computer). To apply
> these settings we have an OU for our employees' computers to use
> loopback processing and an OU for the employees' user accounts.
>
> The problem is that whenever a user logs onto a computer that is not
> the terminal server (TS), if they aren't moved out of the OU then the
> policy restrictions get applied to their profile and we have to wipe
> it and start over. For computer rebuilds this becomes a hassle as we
> have to remove them, create the profile on their new machine, and then
> move them back. Is there a way to apply these User Configuration
> settings only on the Terminal Server, and not have to do all of this
> moving around?
>
> Thanks for any suggestions.

What you want to do is put the TS servers in their own OU and use
loopback processing.

When you do this, any policies you create in the TS OU
will only affect the user's desktop in TS and not their
individual desktop.

moncho

Guest Graffiti Knight
Posted

Re: Setting Group Policy to apply only to the terminal server

 

On Jan 29, 4:23 am, moncho <mon...@NOspmanywhere.com> wrote:
> Graffiti Knight wrote:
> > We have a number of group policy restrictions for our terminal server,
> > however they all fall under User Configuration (folder redirection,
> > Control Panel access, and hiding drives in My Computer). To apply
> > these settings we have an OU for our employees' computers to use
> > loopback processing and an OU for the employees' user accounts.
>
> > The problem is that whenever a user logs onto a computer that is not
> > the terminal server (TS), if they aren't moved out of the OU then the
> > policy restrictions get applied to their profile and we have to wipe
> > it and start over. For computer rebuilds this becomes a hassle as we
> > have to remove them, create the profile on their new machine, and then
> > move them back. Is there a way to apply these User Configuration
> > settings only on the Terminal Server, and not have to do all of this
> > moving around?
>
> > Thanks for any suggestions.
>
> What you want to do is put the TS servers in their own OU and use
> loopback processing.
>
> When you do this, any policies you create in the TS OU
> will only affect the user's desktop in TS and not their
> individual desktop.
>
> moncho

The terminal servers are in their own OU. I have an OU for the
terminal servers, an OU for TS users, and an OU for TS users'
computers. None are within each other; they are all under the Domain
OU.

Guest Vera Noest [MVP]
Posted

Re: Setting Group Policy to apply only to the terminal server

 

Graffiti Knight <jordanstacy@gmail.com> wrote on 30 jan 2008 in
microsoft.public.windows.terminal_services:

> On Jan 29, 4:23 am, moncho <mon...@NOspmanywhere.com> wrote:
>> Graffiti Knight wrote:
>> > We have a number of group policy restrictions for our
>> > terminal server, however they all fall under User
>> > Configuration (folder redirection, Control Panel access, and
>> > hiding drives in My Computer). To apply these settings we
>> > have an OU for our employees' computers to use loopback
>> > processing and an OU for the employees' user accounts.
>>
>> > The problem is that whenever a user logs onto a computer that
>> > is not the terminal server (TS), if they aren't moved out of
>> > the OU then the policy restrictions get applied to their
>> > profile and we have to wipe it and start over. For computer
>> > rebuilds this becomes a hassle as we have to remove them,
>> > create the profile on their new machine, and then move them
>> > back. Is there a way to apply these User Configuration
>> > settings only on the Terminal Server, and not have to do all
>> > of this moving around?
>>
>> > Thanks for any suggestions.
>>
>> What you want to do is put the TS servers in their own OU and
>> use loopback processing.
>>
>> When you do this, any policies you create in the TS OU
>> will only affect the user's desktop in TS and not their
>> individual desktop.
>>
>> moncho
>
> The terminal servers are in their own OU. I have an OU for the
> terminal servers, an OU for TS users, and an OU for TS users'
> computers. None are within each other; they are all under the
> Domain OU.

And have you linked the restrictive GPO to the OU which contains
the Terminal Servers?
If so, check if all GPOs are applied as you expect them to be by
running RSoP (Resultant Set of Policies).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Guest Patrick Rouse
Posted

Re: Setting Group Policy to apply only to the terminal server

 

Step by step directions on how to configure this are here:

Best Practice for applying Settings to Users only when they log on to
Terminal Servers would be to:

Create an OU to contain a set of Terminal Servers

Block Policy Inheritance on the OU (Properties -> Group Policy). This
prevents settings from higher-up in AD from affecting your Terminal Servers.

Move the Terminal Server Computer Objects into the OU. Do NOT place User
Accounts in this OU.

Create an Active Directory Security Group called “Terminal Servers” (or
something similar that you’ll recognize) and add the Terminal Servers from
this OU to this group.

Create a GPO called “TS Machine Policy” linked to the OU

Check “Disable User Configuration settings” on the GPO

Enable Loopback Policy Processing in the GPO

Edit the Security of the Policy so Apply Policy is set for “Authenticated
Users” and the Security Group containing the Terminal Servers

Create additional GPOs linked to this OU for each user population, i.e. “TS
Users”, “TS Administrators”.

Check “Disable Computer Configuration settings” on these GPOs

Edit the Security on these User Configuration GPOs so Apply Policy is
enabled for the target user population, and Deny Apply Policy is enabled for
users to which the policy should not apply.

With GPOs configured this way the Machine Policy applies to everyone that
logs on to the Terminal Server (only the Computer Configuration Settings of
the Machine Policy are processed) in addition to the appropriate User
Configuration GPO (only the User Configuration portion of the GPO is
processed) for the target user population.

--
Patrick C. Rouse
Microsoft MVP - Terminal Server
SE, Western USA & Canada
Quest Software, Provision Networks Division

http://www.provisionnetworks.com
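
The steps in the post above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules, followed by the RSoP check suggested earlier in the thread. This is an added example, not part of the original post. The domain `example.test`, the server `TS01`, the user `EXAMPLE\alice`, an existing AD group named `TS Users`, and the choice of Replace mode for loopback are all assumptions.

```powershell
# Added example: example.test, TS01, EXAMPLE\alice and the 'TS Users' AD group are hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=test'
$ouDn     = "OU=Terminal Servers,$domainDn"

# OU for terminal server computer objects only, with inheritance blocked. No user accounts go here.
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null
Get-ADComputer -Identity 'TS01' | Move-ADObject -TargetPath $ouDn

# Security group containing the terminal servers from that OU.
New-ADGroup -Name 'Terminal Servers' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Terminal Servers' -Members (Get-ADComputer -Filter * -SearchBase $ouDn)

# Machine policy: User Configuration disabled, loopback enabled, linked to the OU.
$machine = New-GPO -Name 'TS Machine Policy'
$machine.GpoStatus = 'UserSettingsDisabled'
# UserPolicyMode: 1 = Merge, 2 = Replace. Replace is an assumption; the post does not name a mode.
Set-GPRegistryValue -Name $machine.DisplayName -Type DWord -Value 2 `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' | Out-Null
# A new GPO already grants Apply to Authenticated Users; add the server group as well.
Set-GPPermission -Name $machine.DisplayName -TargetName 'Terminal Servers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $machine.DisplayName -Target $ouDn | Out-Null

# User policy: Computer Configuration disabled, linked to the same OU.
$user = New-GPO -Name 'TS Users'
$user.GpoStatus = 'ComputerSettingsDisabled'
Set-GPPermission -Name $user.DisplayName -TargetName 'TS Users' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Set-GPPermission has no Deny level. As a substitute for the post's Deny Apply entry,
# Authenticated Users is lowered to Read so that only 'TS Users' applies this GPO.
Set-GPPermission -Name $user.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
New-GPLink -Name $user.DisplayName -Target $ouDn | Out-Null

# Check the result: inheritance state and links on the OU, then RSoP for one user on the server.
Get-GPInheritance -Target $ouDn | Select-Object GpoInheritanceBlocked, GpoLinks
# The user must have logged on to TS01 at least once for RSoP data to exist.
Get-GPResultantSetOfPolicy -Computer 'TS01' -User 'EXAMPLE\alice' `
    -ReportType Html -Path "$env:TEMP\ts-rsop.html"
```

In the RSoP report, the restrictive User Configuration settings should appear for the user on `TS01` only; the same user on a workstation outside the OU should show none of them.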