How to prevent computer settings from applying to Administrators when using loopback policy?

  • Thread starter Thread starter J. Jensen
  • Start date Start date
J

J. Jensen

Guest
How to prevent computer settings from applying to Administrators when using loopback policy?

Hi

I'm having some trouble with the admin account on Windows 2003 TS.
I don't want it to use an TS roaming profile, but don't know how to avoid
it, as it is set in Computer settings and therefore affecting all users.
Any ideas what to do?


Scenario:

2 terminal servers (none of them are DC's).
They are in their own OU "Terminal servers", and there are no other objects
in here.

There's ~10 GPO's linked to the "Terminal Servers" OU.
Two of them are affecting Computer Settings, and the rest are User settings.

Computer policy #1: Name = Loopback policy:
Only setting changed here is Loopback enabled, replace mode.
Scope -> Security Filtering: Only the two TS computer objects + the security
group containing the TS users added here.
Administrators are not member of this security group.

Computer policy #2: Name = TS users profile path <- THIS IS THE ONE CAUSING
THE PROBLEMS
Computer settings:
I have changed TS users profile path at
Local Computer Policy/Computer Configuration/Administrative
Templates/Windows Components/Terminal Services
Scope -> Security Filtering: Only the two TS computer objects + the security
group containing the TS users added here.
Administrators are not member of this security group.

User settings, policy #3 -> #10:
These are working perfectly.
I have put deny on all Domain Admins "apply group policy", so the Admins
aren't affected by these.
Scope -> Security Filtering: Only the two TS computer objects + the security
group containing the TS users added here.
Administrators are not member of this security group.

Regards

J. Jensen
 
Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

Computer policies apply to computers not users. Filtering based on
users is pointless since it applies to computers.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

J. Jensen wrote:
> Hi
>
> I'm having some trouble with the admin account on Windows 2003 TS.
> I don't want it to use an TS roaming profile, but don't know how to avoid
> it, as it is set in Computer settings and therefore affecting all users.
> Any ideas what to do?
>
>
> Scenario:
>
> 2 terminal servers (none of them are DC's).
> They are in their own OU "Terminal servers", and there are no other objects
> in here.
>
> There's ~10 GPO's linked to the "Terminal Servers" OU.
> Two of them are affecting Computer Settings, and the rest are User settings.
>
> Computer policy #1: Name = Loopback policy:
> Only setting changed here is Loopback enabled, replace mode.
> Scope -> Security Filtering: Only the two TS computer objects + the security
> group containing the TS users added here.
> Administrators are not member of this security group.
>
> Computer policy #2: Name = TS users profile path <- THIS IS THE ONE CAUSING
> THE PROBLEMS
> Computer settings:
> I have changed TS users profile path at
> Local Computer Policy/Computer Configuration/Administrative
> Templates/Windows Components/Terminal Services
> Scope -> Security Filtering: Only the two TS computer objects + the security
> group containing the TS users added here.
> Administrators are not member of this security group.
>
> User settings, policy #3 -> #10:
> These are working perfectly.
> I have put deny on all Domain Admins "apply group policy", so the Admins
> aren't affected by these.
> Scope -> Security Filtering: Only the two TS computer objects + the security
> group containing the TS users added here.
> Administrators are not member of this security group.
>
> Regards
>
> J. Jensen
>
>
 
Re: How to prevent computer settings from applying to Administrators when using loopback policy?

Re: How to prevent computer settings from applying to Administrators when using loopback policy?

Hi


"Jeff Pitsch" <Jeff@Jeffpitschconsulting.com> skrev i en meddelelse
news:u%23NfxT4$HHA.4476@TK2MSFTNGP06.phx.gbl...
> Computer policies apply to computers not users. Filtering based on users
> is pointless since it applies to computers.
>
Yes I'm aware of this.
What do other admins do?
This must be a common issue when defining "TS users profile path " through
GPO.
I could of course set this individually on all users in AD but I would
prefer not to...




> Jeff Pitsch
> Microsoft MVP - Terminal Server
> Citrix Technology Professional
> Provision Networks VIP
>
> Forums not enough?
> Get support from the experts at your business
> http://jeffpitschconsulting.com
>
> J. Jensen wrote:
>> Hi
>>
>> I'm having some trouble with the admin account on Windows 2003 TS.
>> I don't want it to use an TS roaming profile, but don't know how to avoid
>> it, as it is set in Computer settings and therefore affecting all users.
>> Any ideas what to do?
>>
>>
>> Scenario:
>>
>> 2 terminal servers (none of them are DC's).
>> They are in their own OU "Terminal servers", and there are no other
>> objects in here.
>>
>> There's ~10 GPO's linked to the "Terminal Servers" OU.
>> Two of them are affecting Computer Settings, and the rest are User
>> settings.
>>
>> Computer policy #1: Name = Loopback policy:
>> Only setting changed here is Loopback enabled, replace mode.
>> Scope -> Security Filtering: Only the two TS computer objects + the
>> security group containing the TS users added here.
>> Administrators are not member of this security group.
>>
>> Computer policy #2: Name = TS users profile path <- THIS IS THE ONE
>> CAUSING THE PROBLEMS
>> Computer settings:
>> I have changed TS users profile path at
>> Local Computer Policy/Computer Configuration/Administrative
>> Templates/Windows Components/Terminal Services
>> Scope -> Security Filtering: Only the two TS computer objects + the
>> security group containing the TS users added here.
>> Administrators are not member of this security group.
>>
>> User settings, policy #3 -> #10:
>> These are working perfectly.
>> I have put deny on all Domain Admins "apply group policy", so the Admins
>> aren't affected by these.
>> Scope -> Security Filtering: Only the two TS computer objects + the
>> security group containing the TS users added here.
>> Administrators are not member of this security group.
>>
>> Regards
>>
>> J. Jensen
 
Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

Re: How to prevent computer settings from applying to Administratorswhen using loopback policy?

It's a trade-off of convenience. I guess I don't really see a problem
though since administrators would want their settings following them too.

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

J. Jensen wrote:
> Hi
>
>
> "Jeff Pitsch" <Jeff@Jeffpitschconsulting.com> skrev i en meddelelse
> news:u%23NfxT4$HHA.4476@TK2MSFTNGP06.phx.gbl...
>> Computer policies apply to computers not users. Filtering based on users
>> is pointless since it applies to computers.
>>
> Yes I'm aware of this.
> What do other admins do?
> This must be a common issue when defining "TS users profile path " through
> GPO.
> I could of course set this individually on all users in AD but I would
> prefer not to...
>
>
>
>
>> Jeff Pitsch
>> Microsoft MVP - Terminal Server
>> Citrix Technology Professional
>> Provision Networks VIP
>>
>> Forums not enough?
>> Get support from the experts at your business
>> http://jeffpitschconsulting.com
>>
>> J. Jensen wrote:
>>> Hi
>>>
>>> I'm having some trouble with the admin account on Windows 2003 TS.
>>> I don't want it to use an TS roaming profile, but don't know how to avoid
>>> it, as it is set in Computer settings and therefore affecting all users.
>>> Any ideas what to do?
>>>
>>>
>>> Scenario:
>>>
>>> 2 terminal servers (none of them are DC's).
>>> They are in their own OU "Terminal servers", and there are no other
>>> objects in here.
>>>
>>> There's ~10 GPO's linked to the "Terminal Servers" OU.
>>> Two of them are affecting Computer Settings, and the rest are User
>>> settings.
>>>
>>> Computer policy #1: Name = Loopback policy:
>>> Only setting changed here is Loopback enabled, replace mode.
>>> Scope -> Security Filtering: Only the two TS computer objects + the
>>> security group containing the TS users added here.
>>> Administrators are not member of this security group.
>>>
>>> Computer policy #2: Name = TS users profile path <- THIS IS THE ONE
>>> CAUSING THE PROBLEMS
>>> Computer settings:
>>> I have changed TS users profile path at
>>> Local Computer Policy/Computer Configuration/Administrative
>>> Templates/Windows Components/Terminal Services
>>> Scope -> Security Filtering: Only the two TS computer objects + the
>>> security group containing the TS users added here.
>>> Administrators are not member of this security group.
>>>
>>> User settings, policy #3 -> #10:
>>> These are working perfectly.
>>> I have put deny on all Domain Admins "apply group policy", so the Admins
>>> aren't affected by these.
>>> Scope -> Security Filtering: Only the two TS computer objects + the
>>> security group containing the TS users added here.
>>> Administrators are not member of this security group.
>>>
>>> Regards
>>>
>>> J. Jensen
>
>
 
Back
Top