
GP/OU Problem/Question



Guest compsosinc@gmail.com
Posted

In a VirtualPC setup (test lab), I am using Windows 2003 Server as a DC and a separate Windows 2003 member server as the TS. I am having a problem getting any Group Policy changes to take effect for an XP Pro client that logs into the TS -- using what I thought was the proper method of setting this up. Here are my notes on what I have done so far:

1. Create OU & GPO for the TS:
a. In AD of DC, create an OU called: 'Terminal Servers'
b. Move TS machine into this OU.
c. Right click 'Terminal Servers' OU, and go to properties. Click on GP tab
d. Click 'New' and name GP (ex, TS Users GP)

2. Create TestUser(s) in AD:
a. Create username/password (ex., TestUser1)
b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop Users
- If creating a separate Security Group for 'TS Users', do not make user member of RDU. Make the Security group (Step 3) member of RDU.

3. Create Security Group for TS Users & TS desktop
a. Create a new Security group called 'TS Users' in AD.
b. Ensure the 'TS Users' group is a member of RDU group.
c. Populate the 'TS Users' group with the user account(s) -- here, the Testuser1 account
d. Test login to the TS with a user account = ok

4. Edit GPO & Setup Edit for test:
a. In the User Configuration of the GPO, enabled 'Remove My Computer' icon from Start menu
b. Enabled loopback processing
c. On the Security Tab of the GP, added the TS Machine and the 'TS Users' Security group with Read & Apply settings
d. gpupdate /force on DC

Problem:

The edit to the GP does not work... the 'My Computer' icon remains when I log in to the TS from the XPP client. I had begun with Folder redirection and it wasn't working so I tried something simpler.

Resolution?

Based on what I read in a NG posting, I moved my 'Testuser1' user account into the OU with the TS machine and the GP works! Everything (most anyway) I researched prior to this setup indicated to not put the user accounts into the new OU. If I move the Security Group I created into the OU (of which TestUser1 is a member) the GP does not work...

What is the correct way to apply a GP to a group of Users, such as the group 'TS Users'?

PS I also read article "Understanding Group Policy in a TS Environment" in which two GPOs are linked to the new OU - one for the machine & one for the user configuration. Is this a better method?

Confused!

Guest Vera Noest [MVP]
Posted

Re: GP/OU Problem/Question

 

Mm, this should work, and you should not need to put the user account in the TerminalServers OU.

Run gpupdate /force on the TS (although I don't think it will help, it should have been updated by now). But when you make a change to the GPO, you have to run gpupdate on the TS, not on the DC.

To troubleshoot, run Resultant Set of Policies with the testuser account and the TS, to check which policies are applied, and in which order.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

 


Posted

Re: GP/OU Problem/Question

 

compsosinc@gmail.com wrote:

> In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
> DC and a separate Windows 2003 member server as the TS. I am having a
> problem getting any Group Policy changes to take effect for an XP Pro
> client that logs into the TS -- using what I thought was the proper
> method of setting this up. Here are my notes on what I have done so
> far:
>
> 1. Create OU & GPO for the TS:
> a. In AD of DC, create an OU called: 'Terminal Servers'
> b. Move TS machine into this OU.
> c. Right click 'Terminal Servers' OU, and go to properties. Click on
> GP tab
> d. Click 'New' and name GP (ex, TS Users GP)
>
> 2. Create TestUser(s) in AD:
>
> a. Create username/password (ex., TestUser1)
> b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
> Users
> - If creating a separate Security Group for 'TS Users', do not make
> user member of RDU. Make the Security group (Step 3) member of RDU.
>
> 3. Create Security Group for TS Users & TS desktop
>
> a. Create a new Security group called 'TS Users' in AD.
> b. Ensure the 'TS Users' group is a member of RDU group.

Make sure you add 'TS Users' group to the local 2003 TS server RDU group.

> c. Populate the 'TS Users' group with the user account(s) -- here, the
> Testuser1 account
> d. Test login to the TS with a user account = ok
>
> 4. Edit GPO & Setup Edit for test:
>
> a. In the User Configuration of the GPO, enabled 'Remove My Computer'
> icon from Start menu
> b. Enabled loopback processing

I have found it easier and more reliable to put the loopback processing in the Computer Configuration section of its own GPO in the Terminal Servers OU. Also, you may want to set it to "replace" mode.

Create a UserConfig GPO in the Terminal Server OU and with only your security group.

> c. On the Security Tab of the GP, added the TS Machine and the 'TS
> Users' Security group with Read & Apply settings

You will want to remove the Authenticated Users group also.

> d. gpupdate /force on DC
>
> Problem:
>
> The edit to the GP does not work... the 'My Computer' icon remains when I
> log in to the TS from the XPP client. I had begun with Folder
> redirection and it wasn't working so I tried something simpler.
>
> Resolution?
>
> Based on what I read in a NG posting, I moved my 'Testuser1' user
> account into the OU with the TS machine and the GP works!
> Everything (most anyway) I researched prior to this setup indicated to
> not put the user accounts into the new OU. If I move the Security
> Group I created into the OU (of which TestUser1 is a member) the GP
> does not work...

You do not want to put users in the Terminal Servers OU. This OU should be for TS servers only, not users.

> What is the correct way to apply a GP to a group of Users, such as the
> group 'TS Users'?
> PS I also read article "Understanding Group Policy in a TS
> Environment" in which two GPOs are linked to the new OU - one for the
> machine & one for the user configuration. Is this a better method?

I like to do it this way myself. It helps to keep things simplified. At least for me.

Basic setup will be:

OU for TS servers
ComputerConfig GPO for TS Servers with Loopback processing set to replace mode in the Computer Section of the GPO.
UserConfig GPO - remove Authenticated Users, add TS Users group.
- Set all the settings you like in the User section of the GPO
- Start small and add more later.
Add TS Users group to local TS server RDU group.
You should be good to go.

You may want to check http://www.sessioncomputing.com/how-to.htm also. Loads of info here.

moncho

Guest compsosinc@gmail.com
Posted

Re: GP/OU Problem/Question

 


Thank you both very much for replying. I have the GP working and here are the things I did to make it work. I just do not know what fixed it (made more than one thing or all did):

1. On the GP of the TS OU, I removed Authenticated users from the Security tab (Filtering). I ensured that the TS machine and the 'TS Users' group was listed and had Read/Apply rights.
2. On the GP, checked 'Block Policy Inheritance' -- I read this in another article but do not see it mentioned often so had originally not done this.
3. Made the 'TS Users' group a member of the Local Remote Desktop Users on the TS.
4. Ran gpupdate /force on the TS, not the DC. Did not know this... and not sure I understand why this is done on the TS when the DC has Active Directory.

Question(s):

1. Vera, you mention running 'Resultant Set of Policies'. How is that done specifically - either for a Security group or an individual User? I should know how to do this for future troubleshooting... I have read that you need the Resource Kit to do this?

2. With regards to setting up separate GPOs, one for the Computer Configuration and one for the Users, what is considered best practice?

Thanks again...

Posted

Re: GP/OU Problem/Question

 

compsosinc@gmail.com wrote:


> Thank you both very much for replying. I have the GP working and here
> are the things I did to make it work. I just do not know what fixed it
> (made more than one thing or all did):
>
> 1. On the GP of the TS OU, I removed Authenticated users from the
> Security tab (Filtering). I ensured that the TS machine and the 'TS
> Users' group was listed and had Read/Apply rights.

This is to stop the GP from applying to a user in the Administrator group. You do not want all the restrictions on the admin.

> 2. On the GP, checked 'Block Policy Inheritance' -- I read this in
> another article but do not see it mentioned often so had originally
> not done this.
> 3. Made the 'TS Users' group a member of the Local Remote Desktop
> Users on the TS.
> 4. Ran gpupdate /force on the TS, not the DC. Did not know this... and
> not sure I understand why this is done on the TS when the DC has
> Active Directory.

You run gpupdate /force on the system that you want to update (i.e. TS server or desktop). It "grabs" the new policy "from" A/D.

> Question(s):
>
> 1. Vera, you mention running 'Resultant Set of Policies'. How is that
> done specifically - either for a Security group or an individual User?
> I should know how to do this for future troubleshooting... I have read
> that you need the Resource Kit to do this?

You will do this on a machine or individual user. It can be done from within the GPMC.

Right Click on Group Policy Results -> Group Policy Results Wizard.

If you have Windows Firewall enabled on the machine you are trying to get the results from, it may block the Wizard. I do not know what ports to open for this to work correctly. Maybe Vera knows.

> 2. With regards to setting up separate GPOs, one for the Computer
> Configuration and one for the Users, what is considered best practice?

Like I mentioned earlier, I think creating two OU's is better. By keeping the Computer Config GPO with loopback processing separate, it is easier on other admins (IMHO). I believe this should be a best practice if it is not already. To me, loopback processing is a "big time" change and should be in its own GPO. Especially for troubleshooting purposes.

moncho
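
The layout from moncho's replies (a servers-only OU, a separate loopback GPO, a security-filtered user GPO) together with the refresh and Resultant Set of Policy check discussed above, scripted as an added example; it is not code from any poster in this thread. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2012 or later, which the thread's Windows 2003 lab predates) and PowerShell remoting to the TS; the domain, host and GPO names are constructed.

```powershell
# Added example: names below are constructed lab values (assumptions).
Import-Module ActiveDirectory, GroupPolicy

$DomainDN    = 'DC=lab,DC=example'     # hypothetical domain
$NetBios     = 'LAB'                   # hypothetical NetBIOS domain name
$OuName      = 'Terminal Servers'
$OuDN        = "OU=$OuName,$DomainDN"
$TsComputer  = 'TS01'                  # hypothetical terminal server
$TsGroup     = 'TS Users'
$TestUser    = "$NetBios\TestUser1"
$ComputerGpo = 'TS ComputerConfig'     # hypothetical GPO names
$UserGpo     = 'TS UserConfig'

# 1. OU for terminal servers only. User accounts stay where they are.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
Get-ADComputer $TsComputer | Move-ADObject -TargetPath $OuDN

# 2. Computer-side GPO that carries nothing but loopback processing.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
New-GPO -Name $ComputerGpo | Out-Null
Set-GPRegistryValue -Name $ComputerGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $ComputerGpo -Target $OuDN -LinkEnabled Yes | Out-Null

# 3. User-side GPO linked to the same OU. Because of loopback, its User
#    Configuration applies to whoever logs on to a server in this OU.
New-GPO -Name $UserGpo | Out-Null
New-GPLink -Name $UserGpo -Target $OuDN -LinkEnabled Yes | Out-Null

# 4. Security filtering: only 'TS Users' gets Read + Apply.
Set-GPPermission -Name $UserGpo -TargetName $TsGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

#    Drop the default Authenticated Users entry so administrators who log
#    on to the TS are not hit by the user restrictions.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None | Out-Null

#    Keep Read for the TS computer account. Since security update MS16-072
#    user policy is retrieved in the computer's security context, so a GPO
#    the computer cannot read is silently skipped.
Set-GPPermission -Name $UserGpo -TargetName $TsComputer `
    -TargetType Computer -PermissionLevel GpoRead | Out-Null

# 5. Logon right: the domain group goes into the *local* Remote Desktop
#    Users group on the terminal server itself.
$TsGroupAccount = "$NetBios\$TsGroup"
Invoke-Command -ComputerName $TsComputer -ScriptBlock {
    net localgroup 'Remote Desktop Users' $using:TsGroupAccount /add
}

# 6. Refresh policy on the machine that consumes it (the TS, not the DC).
#    Running 'gpupdate /force' in a console on the TS does the same thing.
Invoke-GPUpdate -Computer $TsComputer -RandomDelayInMinutes 0 -Force

# 7. Resultant Set of Policy for the test user on the TS. The user must
#    have logged on to the TS at least once, and the TS firewall must allow
#    remote WMI, or the query fails (the Wizard problem mentioned above).
$Report = Join-Path $env:TEMP 'ts-rsop.html'
Get-GPResultantSetOfPolicy -Computer $TsComputer -User $TestUser `
    -ReportType Html -Path $Report

# In the report, check under User Details that 'TS UserConfig' is listed as
# applied (not denied by security filtering) and under Computer Details that
# loopback mode shows Replace.
```

On the Windows 2003 and XP systems in the thread, the built-in equivalents are `gpupdate /force` followed by `gpresult /scope user /v` in the test user's TS session, or `rsop.msc`.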

Guest compsosinc@gmail.com
Posted

Re: GP/OU Problem/Question

 


Thanks again. You have both been very helpful!

Guest Vera Noest [MVP]
Posted

Re: GP/OU Problem/Question

 

compsosinc@gmail.com wrote on 15 feb 2008 in microsoft.public.windows.terminal_services:

> On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:
>> compsos...@gmail.com wrote:
>> > On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:

>> >> compsos...@gmail.com wrote:

>> >>> In a VirtualPC setup (test lab), I am using Windows 2003

>> >>> Server as a DC and a separate Windows 2003 member server as

>> >>> the TS. I am having a problem getting any Group Policy

>> >>> changes to take effect for an XP Pro client that logs into

>> >>> the TS --using what I thought was the proper method of

>> >>> setting this up. Here are my notes on what I have done so

>> >>> far:

>> >>> 1. Create OU & GPO for the TS:

>> >>> a. In AD of DC, create an OU called: 'Terminal Servers'

>> >>> b. Move TS machine into this OU.

>> >>> c. Right click 'Terminal Servers' OU, and go to properties.

>> >>> Click on GP tab

>> >>> d. Click 'New' and name GP (ex, TS Users GP)

>> >>> 2. Create TestUser(s) in AD:

>> >>> a. Create username/password (ex., TestUser1)

>> >>> b. Ensure that TestUser1 is a member of Domain Users &

>> >>> Remote Desktop Users

>> >>> -   If creating a separate Security Group for 'TS Users',

>> >>> do not mak

> e

>> >>> user member of RDU. Make the Security group (Step 3) member

>> >>> of RDU. 3. Create Security Group for TS Users & TS desktop

>> >>> a. Create a new Security group called 'TS Users' in AD.

>> >>> b. Ensure the 'TS Users' group is a member of RDU group.

>> >> Make sure you add 'TS Users' group to the local 2003 TS

>> >> server RDU group.

>>

>> >>> c. Populate the 'TS Users' group with the user account(s)

>> >>> --her, the Testuser1 account

>> >>> d. Test login to the TS with a user account = ok

>> >>> 4. Edit GPO & Setup Edit for test:

>> >>> a.  In the User Configuration of the GPO, enabled "Remove

>> >>> My COmpute

> r'

>> >>> icon from Start menu

>> >>> b.  Enabled loopback processing

>> >> I have found it easier and more reliable to put the loopback

>> >> processing

>

>> >> in the Computer Configuration section of its own GPO in the

>> >> Terminal Servers OU.  Also, you may want to set it to

>> >> "replace" mode.

>>

>> >> Create a UserConfig GPO in the Terminal Server OU and with

>> >> only your security group.

>>

>> >>> c.  On the Security Tab of the GP, added the TS Machine and

>> >>> the 'TS Users' Security group with Read & Apply settings

>> >> You will want to remove the Authenticated Users group also.

>>

>> >>> b.  Gpupdate/force on DC

>> >>> Problem:

>> >>> The edit to the GP does not work...the 'My Computer icon

>> >>> remian when I

>

>> >>> login into the TS from the XPP client. I had begun with

>> >>> Folder redirection and it wasn't working so I tried

>> >>> something simpler.. Resolution?

>> >>> Based on what I read in a NG posting, I moved my

>> >>> 'Testuser1' user account into the OU with the TS machine

>> >>> and the GP works! Everything (most anyway) I researched

>> >>> prior to this setup indicated to

>

>> >>> not put the user accounts into the new OU. If I move the

>> >>> Security Group I created into the OU (of which TestUser1 is

>> >>> a member of) the GP

>

>> >>> does not work...

>> >> You do not want to put users in the Terminal Servers OU.

>> >>  This OU should be for TS servers only, not users.

>>

>> >>> What is the correct way to apply a GP to a group of Users,

>> >>> such as the

>

>> >>> group 'TS Users'?

>> >>> PS I also read article "Understanding Group Policy in a TS

>> >>> Environment" in which  two GPO are linked to thenew OU -one

>> >>> for the machine & one for the user configuration. Is this a

>> >>> better method?

>> >> I like to do it this way myself.  It helps to keep things

>> >> simplified.

>

>> >> At least for me.

>>

>> >> Basic setup will be:

>>

>> >> OU for TS servers

>> >> ComputerConfig GPO for TS Servers with Loopback processing

>> >> set to replace mode in the Computer Section of the GPO.

>> >> UserConfig GPO - remove Authenticated Users, add TS Users

>> >> group.   - Set all the settings you like in the User section

>> >> of the GPO   - Start small and add more later.

>> >> Add TS Users group to local TS server RDU group.

>> >> You should be good to go.

>>

>> >> You may want to

>> >> check http://www.sessioncomputing.com/how-to.htm also.  Loads

>> >> of info here.

>>

>> >> moncho

>>

>> > Thank you both very much for replying. I have the GP working

>> > and here are the things I did to make it work. I just do not

>> > know what fixed it (made more than one thing or all did):

>>

>> > 1. On the GP of the TS OU, I removed Authenticated users from

>> > the Security tab (Filtering). I ensured that the TS machine

>> > and the 'TS Users' group was listed and had Read/Apply

>> > rights.

>>

>> This is to stop the GP from applying to a user in the

>> Administrator group.  You do not want all the restrictions on

>> the admin.

>>

>> > 2. On the GP, checked 'Block Policy Inheritance' -- I read

>> > this in another article but do not see it mentioned often so

>> > had originally not done this.

>> > 3. Made the 'TS Users' group a member of the Local Remote

>> > Desktop Users on the TS.

>> > 4. Ran gpupdate/force on the TS, not the DC.  Did not know

>> > this...and not sure I understand why this is done on the TS

>> > when the DC has Active Directory.

>>

>> You run gpupdate /force on the system that you want to update

>> (i.e. TS server or desktop).  It "grabs" the new policy "from"

>> A/D.

>>

>>

>>

>> > Question(s):

>>

>> > 1. Vera, you mention running 'Resultant Set of Policies'. How

>> > is that done specifically -either for a Security group or an

>> > individual User? I should know how to do this for future

>> > troubleshooting...I have read that you need the Resource Kit

>> > to do this?

>>

>> You will do this on a machine or individual user.  It can be

>> done from within the GPMC.

>>

>> Right Click on Group Policy Results -> Group Policy Results

>> Wizard.

>>

>> If you have Windows Firewall enabled on the machine you are

>> trying to get the results from, it may block the Wizard.  I do

>> not know what ports to open for this to work correctly.  Maybe

>> Vera knows.

>>

>>

>>

>> > 2. With regards to setting up separate GPOs, one for the

>> > Computer Configuration and one for the Users, what is

>> > considered best practice?

>>

>> Like I mentioned earlier, I think creating two OU's is better.

>>  By keeping the Computer Config GPO with loopback processing

>> separate, it is easier on other admins (IMHO).  I believe this

>> should be a best practice if it is not already.  To me,

>> loopback processing is a "big time" change and should be in its

>> own GPO.  Especially for troubleshooting purposes.

>>

>> moncho

>

> Thanks again. You have both been very helpful!

 

Glad you got it solved. And I believe that the solution was point

> 3. Made the 'TS Users' group a member of the Local Remote

> Desktop Users on the TS.

 

That was a good catch, moncho, I missed that!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Posted

Re: GP/OU Problem/Question

 

Vera Noest [MVP] wrote:

> compsosinc@gmail.com wrote on 15 feb 2008 in

> microsoft.public.windows.terminal_services:

>

>> On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:

>>> compsos...@gmail.com wrote:

>>>> On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:

>>>>> compsos...@gmail.com wrote:

>>>>>> In a VirtualPC setup (test lab), I am using Windows 2003

>>>>>> Server as a DC and a separate Windows 2003 member server as

>>>>>> the TS. I am having a problem getting any Group Policy

>>>>>> changes to take effect for an XP Pro client that logs into

>>>>>> the TS --using what I thought was the proper method of

>>>>>> setting this up. Here are my notes on what I have done so

>>>>>> far:

>>>>>> 1. Create OU & GPO for the TS:

>>>>>> a. In AD of DC, create an OU called: 'Terminal Servers'

>>>>>> b. Move TS machine into this OU.

>>>>>> c. Right click 'Terminal Servers' OU, and go to properties.

>>>>>> Click on GP tab

>>>>>> d. Click 'New' and name GP (ex, TS Users GP)

>>>>>> 2. Create TestUser(s) in AD:

>>>>>> a. Create username/password (ex., TestUser1)

>>>>>> b. Ensure that TestUser1 is a member of Domain Users &

>>>>>> Remote Desktop Users

>>>>>> - If creating a separate Security Group for 'TS Users',

>>>>>> do not make

>>>>>> user member of RDU. Make the Security group (Step 3) member

>>>>>> of RDU.

>>>>>> 3. Create Security Group for TS Users & TS desktop

>>>>>> a. Create a new Security group called 'TS Users' in AD.

>>>>>> b. Ensure the 'TS Users' group is a member of RDU group.

>>>>> Make sure you add 'TS Users' group to the local 2003 TS

>>>>> server RDU group.

>>>>>> c. Populate the 'TS Users' group with the user account(s)

>>>>>> --here, the Testuser1 account

>>>>>> d. Test login to the TS with a user account = ok

>>>>>> 4. Edit GPO & Setup Edit for test:

>>>>>> a. In the User Configuration of the GPO, enabled "Remove

>>>>>> My Computer" icon from Start menu

>>>>>> b. Enabled loopback processing

>>>>> I have found it easier and more reliable to put the loopback

>>>>> processing

>>>>> in the Computer Configuration section of its own GPO in the

>>>>> Terminal Servers OU. Also, you may want to set it to

>>>>> "replace" mode.

>>>>> Create a UserConfig GPO in the Terminal Server OU and with

>>>>> only your security group.

>>>>>> c. On the Security Tab of the GP, added the TS Machine and

>>>>>> the 'TS Users' Security group with Read & Apply settings

>>>>> You will want to remove the Authenticated Users group also.

>>>>>> b. Gpupdate/force on DC

>>>>>> Problem:

>>>>>> The edit to the GP does not work...the 'My Computer' icon

>>>>>> remains when I

>>>>>> login into the TS from the XPP client. I had begun with

>>>>>> Folder redirection and it wasn't working so I tried

>>>>>> something simpler.. Resolution?

>>>>>> Based on what I read in a NG posting, I moved my

>>>>>> 'Testuser1' user account into the OU with the TS machine

>>>>>> and the GP works! Everything (most anyway) I researched

>>>>>> prior to this setup indicated to

>>>>>> not put the user accounts into the new OU. If I move the

>>>>>> Security Group I created into the OU (of which TestUser1 is

>>>>>> a member of) the GP

>>>>>> does not work...

>>>>> You do not want to put users in the Terminal Servers OU.

>>>>> This OU should be for TS servers only, not users.

>>>>>> What is the correct way to apply a GP to a group of Users,

>>>>>> such as the

>>>>>> group 'TS Users'?

>>>>>> PS I also read article "Understanding Group Policy in a TS

>>>>>> Environment" in which two GPO are linked to the new OU -one

>>>>>> for the machine & one for the user configuration. Is this a

>>>>>> better method?

>>>>> I like to do it this way myself. It helps to keep things

>>>>> simplified.

>>>>> At least for me.

>>>>> Basic setup will be:

>>>>> OU for TS servers

>>>>> ComputerConfig GPO for TS Servers with Loopback processing

>>>>> set to replace mode in the Computer Section of the GPO.

>>>>> UserConfig GPO - remove Authenticated Users, add TS Users

>>>>> group. - Set all the settings you like in the User section

>>>>> of the GPO - Start small and add more later.

>>>>> Add TS Users group to local TS server RDU group.

>>>>> You should be good to go.

>>>>> You may want to

>>>>> check http://www.sessioncomputing.com/how-to.htm also. Loads

>>>>> of info here.

>>>>> moncho

>>>> Thank you both very much for replying. I have the GP working

>>>> and here are the things I did to make it work. I just do not

>>>> know what fixed it (made more than one thing or all did):

>>>> 1. On the GP of the TS OU, I removed Authenticated users from

>>>> the Security tab (Filtering). I ensured that the TS machine

>>>> and the 'TS Users' group was listed and had Read/Apply

>>>> rights.

>>> This is to stop the GP from applying to a user in the

>>> Administrator group. You do not want all the restrictions on

>>> the admin.

>>>

>>>> 2. On the GP, checked 'Block Policy Inheritance' -- I read

>>>> this in another article but do not see it mentioned often so

>>>> had originally not done this.

>>>> 3. Made the 'TS Users' group a member of the Local Remote

>>>> Desktop Users on the TS.

>>>> 4. Ran gpupdate/force on the TS, not the DC. Did not know

>>>> this...and not sure I understand why this is done on the TS

>>>> when the DC has Active Directory.

>>> You run gpupdate /force on the system that you want to update

>>> (i.e. TS server or desktop). It "grabs" the new policy "from"

>>> A/D.

>>>

>>>

>>>

>>>> Question(s):

>>>> 1. Vera, you mention running 'Resultant Set of Policies'. How

>>>> is that done specifically -either for a Security group or an

>>>> individual User? I should know how to do this for future

>>>> troubleshooting...I have read that you need the Resource Kit

>>>> to do this?

>>> You will do this on a machine or individual user. It can be

>>> done from within the GPMC.

>>>

>>> Right Click on Group Policy Results -> Group Policy Results

>>> Wizard.

>>>

>>> If you have Windows Firewall enabled on the machine you are

>>> trying to get the results from, it may block the Wizard. I do

>>> not know what ports to open for this to work correctly. Maybe

>>> Vera knows.

>>>

>>>

>>>

>>>> 2. With regards to setting up separate GPOs, one for the

>>>> Computer Configuration and one for the Users, what is

>>>> considered best practice?

>>> Like I mentioned earlier, I think creating two OU's is better.

>>> By keeping the Computer Config GPO with loopback processing

>>> separate, it is easier on other admins (IMHO). I believe this

>>> should be a best practice if it is not already. To me,

>>> loopback processing is a "big time" change and should be in its

>>> own GPO. Especially for troubleshooting purposes.

>>>

>>> moncho

>> Thanks again. You have both been very helpful!

>

> Glad you got it solved. And I believe that the solution was point

>> 3. Made the 'TS Users' group a member of the Local Remote

>> Desktop Users on the TS.

>

> That was a good catch, moncho, I missed that!

 

Thanks Vera. I appreciate that.

 

I wonder if MS could come up with some way in A/D to just add users

to the domain RDU group and be done. That would make life easier.

I know there would need to be a way to limit the domain RDU to

specific machines for security reasons though...

 

moncho

Guest Vera Noest [MVP]
Posted

Re: GP/OU Problem/Question

 

moncho <moncho@NOspmanywhere.com> wrote on 16 feb 2008 in

microsoft.public.windows.terminal_services:

> Vera Noest [MVP] wrote:

>> compsosinc@gmail.com wrote on 15 feb 2008 in

>> microsoft.public.windows.terminal_services:

>>

>>> On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:

>>>> compsos...@gmail.com wrote:

>>>>> On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:

>>>>>> compsos...@gmail.com wrote:

>>>>>>> In a VirtualPC setup (test lab), I am using Windows 2003

>>>>>>> Server as a DC and a separate Windows 2003 member server as

>>>>>>> the TS. I am having a problem getting any Group Policy

>>>>>>> changes to take effect for an XP Pro client that logs into

>>>>>>> the TS --using what I thought was the proper method of

>>>>>>> setting this up. Here are my notes on what I have done so

>>>>>>> far:

>>>>>>> 1. Create OU & GPO for the TS:

>>>>>>> a. In AD of DC, create an OU called: 'Terminal Servers'

>>>>>>> b. Move TS machine into this OU.

>>>>>>> c. Right click 'Terminal Servers' OU, and go to properties.

>>>>>>> Click on GP tab

>>>>>>> d. Click 'New' and name GP (ex, TS Users GP)

>>>>>>> 2. Create TestUser(s) in AD:

>>>>>>> a. Create username/password (ex., TestUser1)

>>>>>>> b. Ensure that TestUser1 is a member of Domain Users &

>>>>>>> Remote Desktop Users

>>>>>>> - If creating a separate Security Group for 'TS Users',

>>>>>>> do not make

>>>>>>> user member of RDU. Make the Security group (Step 3) member

>>>>>>> of RDU.

>>>>>>> 3. Create Security Group for TS Users & TS desktop

>>>>>>> a. Create a new Security group called 'TS Users' in AD.

>>>>>>> b. Ensure the 'TS Users' group is a member of RDU group.

>>>>>> Make sure you add 'TS Users' group to the local 2003 TS

>>>>>> server RDU group.

>>>>>>> c. Populate the 'TS Users' group with the user account(s)

>>>>>>> --here, the Testuser1 account

>>>>>>> d. Test login to the TS with a user account = ok

>>>>>>> 4. Edit GPO & Setup Edit for test:

>>>>>>> a. In the User Configuration of the GPO, enabled "Remove

>>>>>>> My Computer" icon from Start menu

>>>>>>> b. Enabled loopback processing

>>>>>> I have found it easier and more reliable to put the loopback

>>>>>> processing

>>>>>> in the Computer Configuration section of its own GPO in the

>>>>>> Terminal Servers OU. Also, you may want to set it to

>>>>>> "replace" mode.

>>>>>> Create a UserConfig GPO in the Terminal Server OU and with

>>>>>> only your security group.

>>>>>>> c. On the Security Tab of the GP, added the TS Machine and

>>>>>>> the 'TS Users' Security group with Read & Apply settings

>>>>>> You will want to remove the Authenticated Users group also.

>>>>>>> b. Gpupdate/force on DC

>>>>>>> Problem:

>>>>>>> The edit to the GP does not work...the 'My Computer' icon

>>>>>>> remains when I

>>>>>>> login into the TS from the XPP client. I had begun with

>>>>>>> Folder redirection and it wasn't working so I tried

>>>>>>> something simpler.. Resolution?

>>>>>>> Based on what I read in a NG posting, I moved my

>>>>>>> 'Testuser1' user account into the OU with the TS machine

>>>>>>> and the GP works! Everything (most anyway) I researched

>>>>>>> prior to this setup indicated to

>>>>>>> not put the user accounts into the new OU. If I move the

>>>>>>> Security Group I created into the OU (of which TestUser1 is

>>>>>>> a member of) the GP

>>>>>>> does not work...

>>>>>> You do not want to put users in the Terminal Servers OU.

>>>>>> This OU should be for TS servers only, not users.

>>>>>>> What is the correct way to apply a GP to a group of Users,

>>>>>>> such as the

>>>>>>> group 'TS Users'?

>>>>>>> PS I also read article "Understanding Group Policy in a TS

>>>>>>> Environment" in which two GPO are linked to the new OU -one

>>>>>>> for the machine & one for the user configuration. Is this a

>>>>>>> better method?

>>>>>> I like to do it this way myself. It helps to keep things

>>>>>> simplified.

>>>>>> At least for me.

>>>>>> Basic setup will be:

>>>>>> OU for TS servers

>>>>>> ComputerConfig GPO for TS Servers with Loopback processing

>>>>>> set to replace mode in the Computer Section of the GPO.

>>>>>> UserConfig GPO - remove Authenticated Users, add TS Users

>>>>>> group. - Set all the settings you like in the User section

>>>>>> of the GPO - Start small and add more later.

>>>>>> Add TS Users group to local TS server RDU group.

>>>>>> You should be good to go.

>>>>>> You may want to

>>>>>> check http://www.sessioncomputing.com/how-to.htm also. Loads

>>>>>> of info here.

>>>>>> moncho

>>>>> Thank you both very much for replying. I have the GP working

>>>>> and here are the things I did to make it work. I just do not

>>>>> know what fixed it (made more than one thing or all did):

>>>>> 1. On the GP of the TS OU, I removed Authenticated users from

>>>>> the Security tab (Filtering). I ensured that the TS machine

>>>>> and the 'TS Users' group was listed and had Read/Apply

>>>>> rights.

>>>> This is to stop the GP from applying to a user in the

>>>> Administrator group. You do not want all the restrictions on

>>>> the admin.

>>>>

>>>>> 2. On the GP, checked 'Block Policy Inheritance' -- I read

>>>>> this in another article but do not see it mentioned often so

>>>>> had originally not done this.

>>>>> 3. Made the 'TS Users' group a member of the Local Remote

>>>>> Desktop Users on the TS.

>>>>> 4. Ran gpupdate/force on the TS, not the DC. Did not know

>>>>> this...and not sure I understand why this is done on the TS

>>>>> when the DC has Active Directory.

>>>> You run gpupdate /force on the system that you want to update

>>>> (i.e. TS server or desktop). It "grabs" the new policy "from"

>>>> A/D.

>>>>

>>>>

>>>>

>>>>> Question(s):

>>>>> 1. Vera, you mention running 'Resultant Set of Policies'. How

>>>>> is that done specifically -either for a Security group or an

>>>>> individual User? I should know how to do this for future

>>>>> troubleshooting...I have read that you need the Resource Kit

>>>>> to do this?

>>>> You will do this on a machine or individual user. It can be

>>>> done from within the GPMC.

>>>>

>>>> Right Click on Group Policy Results -> Group Policy Results

>>>> Wizard.

>>>>

>>>> If you have Windows Firewall enabled on the machine you are

>>>> trying to get the results from, it may block the Wizard. I do

>>>> not know what ports to open for this to work correctly. Maybe

>>>> Vera knows.

>>>>

>>>>

>>>>

>>>>> 2. With regards to setting up separate GPOs, one for the

>>>>> Computer Configuration and one for the Users, what is

>>>>> considered best practice?

>>>> Like I mentioned earlier, I think creating two OU's is better.

>>>> By keeping the Computer Config GPO with loopback processing

>>>> separate, it is easier on other admins (IMHO). I believe this

>>>> should be a best practice if it is not already. To me,

>>>> loopback processing is a "big time" change and should be in its

>>>> own GPO. Especially for troubleshooting purposes.

>>>>

>>>> moncho

>>> Thanks again. You have both been very helpful!

>>

>> Glad you got it solved. And I believe that the solution was point

>>> 3. Made the 'TS Users' group a member of the Local Remote

>>> Desktop Users on the TS.

>>

>> That was a good catch, moncho, I missed that!

>

> Thanks Vera. I appreciate that.

>

> I wonder if MS could come up with some way in A/D to just add users

> to the domain RDU group and be done. That would make life easier.

> I know there would need to be a way to limit the domain RDU to

> specific machines for security reasons though...

>

> moncho

 

Well, you can make a habit of adding the domain-wide RDU group to

the local RDU group on every TS, and then add users to the domain-

wide RDU group. But as you say, that's only more efficient if all

users have access to all Terminal Servers.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

  • 4 weeks later...
Posted

Re: GP/OU Problem/Question

 

Hi Vera,

 

There is no domain-wide RDU group, it is actually a builtin-local

group for the DCs. You can't make a local group a member of

another machine's local group.

 

To accomplish the goal they would need to create a group on the

domain and then make it a member of each terminal server's local

RDU group.

 

-TP

 

Vera Noest [MVP] wrote:

> Well, you can make a habit of adding the domain-wide RDU group to

> the local RDU group on every TS, and then add users to the domain-

> wide RDU group. But as you say, that's only more efficient if all

> users have access to all Terminal Servers.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___
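
The nesting described in this thread (a domain security group made a member of each terminal server's local Remote Desktop Users group) can be audited and applied per server with the ADSI WinNT provider. The script below is an added example, not code from any poster in the thread; it needs PowerShell 2.0 or later, and CONTOSO, TS01 and TS02 are placeholder names, while 'TS Users' is the group name used in the thread.

```powershell
# Added example (not from the thread). Requires PowerShell 2.0 or later.
# CONTOSO, TS01 and TS02 are placeholders; 'TS Users' is the group from the thread.
param(
    [string]   $Domain    = 'CONTOSO',          # placeholder NetBIOS domain name
    [string]   $GroupName = 'TS Users',         # domain security group to nest
    [string[]] $Servers   = @('TS01', 'TS02'),  # placeholder terminal server names
    [switch]   $Apply                           # without -Apply the script only reports
)

$localGroupName = 'Remote Desktop Users'
$wanted = "WinNT://$Domain/$GroupName"

foreach ($server in $Servers) {
    $status  = 'Unknown'
    $members = @()
    try {
        # Bind to the server's own local group; membership here is what
        # allows a Remote Desktop logon on that particular machine.
        $localGroup = [ADSI]"WinNT://$server/$localGroupName,group"

        # Current members as ADsPath strings, e.g. WinNT://CONTOSO/TS Users
        $members = @($localGroup.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })

        if ($members -contains $wanted) {
            $status = 'Present'
        }
        elseif ($Apply) {
            # Nest the domain group in the local group on this server only
            $localGroup.psbase.Invoke('Add', "$wanted,group")
            $status = 'Added'
        }
        else {
            $status = 'Missing'
        }
    }
    catch {
        # Unreachable server, access denied, or unknown group
        $status = "Error: $($_.Exception.Message)"
    }

    # One result object per server; Members lists everything that held
    # access before any change, so direct user entries or overly broad
    # groups are visible in the same report.
    New-Object PSObject -Property @{
        Server  = $server
        Group   = "$Domain\$GroupName"
        Status  = $status
        Members = ($members -join '; ')
    }
}
```

Run it without -Apply first to see which servers lack the group. Group membership is evaluated at logon, so test with a fresh session after a change.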
