Creating a GPO for TS lockdown

  • Thread starter: Noncentz303
I created a test OU and added a GPO to lock down TS. I added each TS to the OU
and also a test user was added to the group. But when I go to test my TS to
see if the changes I made are working, it seems as though my GPO never worked
at all.

Does anyone have a link to a tutorial that can accurately help me create a
GPO for my TS so that all users' sessions are the same?

I was using:

http://technet2.microsoft.com/windo...0ad2-44e8-82f8-962425b6cf8e1033.mspx?mfr=true

Thanks Much
Antony
 
Re: Creating a GPO for TS lockdown

Hello Antony,

GPMC is a good tool from MS to help create and resolve GPO issues:
http://www.microsoft.com/downloads/...FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887


 
Re: Creating a GPO for TS lockdown

Currently I am using GPMC to do my GPO, I like how it lays everything out for
you. Man, that last post was insane, sorry about that.

I guess what I'm looking for is to see if my GPO is actually affecting the
server. Under my new GPO I added the Terminal Server and the user group I set
up. Then I added a user to that group to use as a test subject. But when I
log onto the server I do not see any changes as well as folder redirection.

I set up mandatory profiles for our users when logging on because I'm trying
to get it so that users cannot make changes to the TS but all be in the same
environment?

Noncentz

"leakim" wrote:

> Hello Antony,
>
> GPMC is a good tool from MS to help create and resolve GPO issues:
> http://www.microsoft.com/downloads/...FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887
 
Re: Creating a GPO for TS lockdown

You should *not* add any user accounts to the OU. You need to use
loopback processing of the GPO instead.

You can use the Resultant Set of Policies (RSoP) feature to check
which GPOs apply to a certain user when logging into your TS.

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Noncentz303 <Noncentz303@discussions.microsoft.com> wrote on 25 Oct 2007 in
microsoft.public.windows.terminal_services:

> Currently I am using GPMC to do my GPO, I like how it lays
> everything out for you. Man, that last post was insane, sorry about
> that.
>
> I guess what I'm looking for is to see if my GPO is actually
> affecting the server. Under my new GPO I added the Terminal
> Server and the user group I set up. Then I added a user to that
> group to use as a test subject. But when I log onto the server I
> do not see any changes as well as folder redirection.
>
> I set up mandatory profiles for our users when logging on
> because I'm trying to get it so that users cannot make changes to
> the TS but all be in the same environment?
>
> Noncentz
 
Re: Creating a GPO for TS lockdown

Vera,

Ok so I ran RSOP on my TS and I see the GPO I created and the TS is in the
right OU. But from the looks I have not applied it to the server correctly.
Cendrars has enlightened me to DACK config and applying the group policy so I
will read up on that.

I have removed the individual test user and added him to the group I set up.
Here are my RSOP results:

Created On 10/25/2007 at 3:03:32 PM



RSOP data for MCCOYSALES\anolan on MCSVR03 : Logging Mode
----------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile: \\mcsvr03\AdminMandatory
Local Profile: C:\Documents and Settings\anolan
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=MCSVR03,OU=Terminal Servers,DC=mccoysales,DC=local
Last time Group Policy was applied: 10/25/2007 at 2:28:35 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: mccoysales
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Small Business Server Domain Password Policy
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Antony Nolan,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 10/25/2007 at 2:28:35 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: MCCOYSALES
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server Lockout Policy
Filtering: Disabled (GPO)

Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)

Small Business Server Client Computer
Filtering: Not Applied (Empty)

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Offer Remote Assistance Helpers
Remote Desktop Users
BUILTIN\Users
BUILTIN\Administrators
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
SBS Mobile Users
Web Workplace Users
SBS Report Users
Prophet21_Users
Offer Remote Assistance Helpers
 
Re: Creating a GPO for TS lockdown

So what's the GPO you are trying to apply?
Assuming that it is the Small Business Server Lockout Policy, then
the computer settings are applied, but not the user settings; it
seems that they are disabled.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

 