
Locking down local desktops question



Guest compsosinc@gmail.com
Posted

In a test environment, we have set up an SBS2000 DC with a Windows 2003 TS and XP Pro clients. We have successfully applied a GPO to the OU that contains the TS for the Testusers, and the TS desktop is locked down, with the exception of a few items we cannot remove using a Windows 2000 GP editor. We followed the standard procedure of moving the TS into its own OU, adding the Testusers group to the Security, removing 'Authenticated Users' from Security, and adding the TS machine to the Security. We also enabled "loopback processing" with the 'Replace' option.

On the XP Pro clients, the Testusers have no reason to use any local resources as they only use what we give them on the TS. So, since loopback policy is enabled with the "Replace" option, it has freed up the local desktop environment. We would also like to lock these down so that the users cannot get into Windows Explorer, Internet (we blocked with proxy setting), My Computer, and if they stick in a flash drive it does not read it, etc. They do not print anything locally.

What is the best way to approach locking down the local desktops? There will be (10) computers involved.

1. For instance, do we not use the 'Replace' option on loopback processing?

2. And/or do we put the (10) XP desktops into their own OU and create a GP just for them?

Thanks

Guest Vera Noest [MVP]
Posted

Re: Locking down local desktops question

 

I would definitively use your method 2, i.e. place the computer accounts for the XP clients in a separate OU and create a separate GPO linked to this OU to lock them down.

Sooner or later, you will probably want to have one or more settings which are different on the TS and the XP clients, and by creating different GPOs from the beginning, you have this flexibility.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

compsosinc@gmail.com wrote on 29 feb 2008 in microsoft.public.windows.terminal_services:


Guest compsosinc@gmail.com
Posted

Re: Locking down local desktops question

 

On Feb 29, 2:52 pm, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:

> I would definitively use your method 2, i.e. place the computer
> accounts for the XP clients in a separate OU and create a separate
> GPO linked to this OU to lock them down.
>
> Sooner or later, you will probably want to have one or more
> settings which are different on the TS and the XP clients, and by
> creating different GPOs from the beginning, you have this
> flexibility.


 

Thank you so much. Will get to work on this and may post additional questions later.

Guest compsosinc@gmail.com
Posted

Re: Locking down local desktops question

 

On Feb 29, 2:52 pm, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:

> I would definitively use your method 2, i.e. place the computer
> accounts for the XP clients in a separate OU and create a separate
> GPO linked to this OU to lock them down.
>
> Sooner or later, you will probably want to have one or more
> settings which are different on the TS and the XP clients, and by
> creating different GPOs from the beginning, you have this
> flexibility.


 

I am having a problem getting any GPO settings to take effect for controlling the local desktop environment on a "test computer". The GPO for logging into the TS is working fine as the TS desktop is restricted the way we want it to be.

Here is what we tried:

1. Created an OU called TSClientPCs.
2. Moved an XP Pro workstation from the "Computers" container into this new OU.
3. Created a new GPO (called gpoTSClients) for this OU and checked "Block Policy Inheritance."
4. On the Security Tab of this GPO, the following is listed: Domain Admins (Deny Policy); System; TS Users (read/apply policy) & XPP1VD (the workstation whose desktop we are trying to customize/restrict; set to Read/Apply Policy)
5. We are logging into the domain on the XPP1VD workstation with a User Account that is in the 'TS Users' group.
6. In the User Configuration of the GPO in Step 3, as a test, we tried to remove the "Run" command from the Start Menu.
7. We ran gpupdate /force on the DC and on the XP workstation.
8. We rebooted the workstation.
9. The configuration/restriction in Step 6 did not work.

Why is this not working?

Guest Vera Noest [MVP]
Posted

Re: Locking down local desktops question

 

compsosinc@gmail.com wrote on 03 mar 2008:

> Why is this not working?

 

Because you configure a User setting in a GPO which is linked to an OU which contains a computer.

For this to work, you need either to use loopback processing of the GPO, or you need to configure the User setting in a GPO which is linked to the OU which contains the user account.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

Guest compsosinc@gmail.com
Posted

Re: Locking down local desktops question

 

On Mar 3, 9:43 am, "Vera Noest [MVP]" <Vera.No...@remove-this.hem.utfors.se> wrote:


> Because you configure a User setting in a GPO which is linked to an
> OU which contains a computer.
>
> For this to work, you need either to use loopback processing of the
> GPO, or you need to configure the User setting in a GPO which is
> linked to the OU which contains the user account.


 

Ok, we figured out that if we "User setting in a GPO which is linked to the OU which contains the user account." it works. But since we do not want to move the User accounts into their own OU, we are trying "use loopback processing of the GPO" for the 'TSClientPCs' OU that currently contains (1) XP Pro workstation. For clarification, we have a couple of questions:

1. For the GPO linked to the TSClientPCs OU, what should be listed on the Security Tab? We have, with read/apply policy, the following:

System (Read, Write, Create, Delete only)
TS Users (Read, Apply) - member of Remote Desktop Users
XPP1 (Read/Apply) - this is the workstation whose local desktop we want to control for any TS User.

Domain Admin (Deny)

We removed the "Authenticated Users"
We checked "Block Policy Inheritance"

Note: this structure of the Security Tab is identical to the one we have for the GPO on the OU which contains the TS.

Does this look correct? Do we need to implement any "Override settings"?

2. When we make changes to this GPO, how do we force the changes - on the DC or the workstation?

Thanks again..
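The configuration this thread arrives at (computer OU, GPO with blocked inheritance, loopback in Replace mode, security filtering without Authenticated Users), expressed as an added example that is not from the original posts. It assumes the GroupPolicy and ActiveDirectory RSAT modules of Server 2008 R2 or later, which the SBS2000 DC discussed here did not have; the settings are the same ones the thread configures by hand in the GP editor. The OU, GPO, group and workstation names are taken from the thread, the domain DN is a placeholder, and the Domain Admins deny entry is left to GPMC because Set-GPPermission does not write Deny ACEs.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules (Server 2008 R2+); the settings are the
# same ones the thread configures by hand in the Group Policy editor.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN = 'DC=example,DC=local'      # placeholder: your domain's DN
$OuDN     = "OU=TSClientPCs,$DomainDN" # OU named in the thread
$GpoName  = 'gpoTSClients'             # GPO named in the thread
$Client   = 'XPP1'                     # test workstation (XPP1VD in one post)
$Group    = 'TS Users'                 # users who log on to the TS

# Steps 1-2: an OU for the client PCs, with the test workstation moved into it.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=TSClientPCs)' -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name 'TSClientPCs' -Path $DomainDN
}
Get-ADComputer -Identity $Client | Move-ADObject -TargetPath $OuDN

# Step 3: GPO linked to that OU, with "Block Policy Inheritance" as in the thread.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue
Set-GPInheritance -Target $OuDN -IsBlocked Yes

# Why step 6 failed: the GPO is linked to an OU that holds a computer, so its
# User Configuration is never applied to users whose accounts live elsewhere.
# Loopback processing in Replace mode (UserPolicyMode = 2; 1 would be Merge)
# makes the computer's GPOs supply the user settings for whoever logs on.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# The user setting the thread used as its test: "Remove Run menu from Start Menu".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1

# Step 4: security filtering as listed on the Security tab. The workstation
# account needs Read and Apply because the loopback setting itself is in the
# Computer Configuration; removing Authenticated Users alone would leave the
# computer unable to read the GPO. The Deny entry for Domain Admins (so admins
# keep an unrestricted desktop) is set in GPMC, not here.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $GpoName -TargetName $Group  -TargetType Group    -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName $Client -TargetType Computer -PermissionLevel GpoApply

# Question 2: nothing needs forcing on the DC beyond AD/SYSVOL replication.
# The refresh runs on the workstation, followed by a fresh user logon:
#   gpupdate /force
#   gpresult /v        (on XP; gpresult /r on Vista and later) to confirm
#                      that gpoTSClients applied and loopback is in effect
```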

Guest compsosinc@gmail.com
Posted

Re: Locking down local desktops question

 

On Mar 3, 10:27 am, compsos...@gmail.com wrote:


 

We just redid everything based on my last reply and Voila! It's working for the local desktops!

Thanks so much, and we were able to answer Question #2 in the process. Your replies are very helpful...

Guest Vera Noest [MVP]
Posted

Re: Locking down local desktops question

 

compsosinc@gmail.com wrote on 03 mar 2008 in microsoft.public.windows.terminal_services:


> We just redid everything based on my last reply and Voila!
> --it's working for the local desktops!
>
> Thanks so much and we were able to answer Question #2 in the
> process..Your replies are very helpful...

 

OK, I'm glad that you've already figured it out and that it works now. Well done!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

