GP/OU Question

porbarfarms@gmail.com

We have a Windows 2003 DC that is also running TS - we know, not
recommended. We know that when you have TS as a member server, you set up
a new OU and move the TS into it. Then create/link a GP to it...

This is probably a stupid question, but we are needing reassurance in
our particular setup that this step of creating a new OU and linking a
GP to it is not necessary since we would be moving the DC out of its
OU and into another -does not sound like a good idea or necessary in
our case?

Hence, it looks like we will just be modifying the Default GP for the
Remote users connecting to the DC/TS?

Thanks in advance!
 
Re: GP/OU Question

I would certainly *not* move the DC to another OU, that could break
other things in the domain.

I would *not* modify the Default Domain or Default Domain
Controller GPO either. Rather, create a new GPO and link it to the
Domain Controller OU, and put it above the existing GPOs linked to
that OU, thereby overriding the other GPOs.
That way, you will have an easy way to undo your changes in case
anything goes completely wrong, by simply removing the GPO link.

Be sure to test every setting thoroughly, because this is one of
the reasons that running TS on a DC is not recommended.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

porbarfarms@gmail.com wrote on 18 jan 2008 in
microsoft.public.windows.terminal_services:

> We have a Windows 2003 DC that is also running TS - we know, not
> recommended. We know that when you have TS as a member server, you
> set up a new OU and move the TS into it. Then create/link a GP to
> it...
>
> This is probably a stupid question, but we are needing
> reassurance in our particular setup that this step of creating a
> new OU and linking a GP to it is not necessary since we would be
> moving the DC out of its OU and into another -does not sound
> like a good idea or necessary in our case?
>
> Hence, it looks like we will just be modifying the Default GP
> for the Remote users connecting to the DC/TS?
>
> Thanks in advance!
 
Re: GP/OU Question

On Jan 18, 3:21 pm, "Vera Noest [MVP]" <vera.no...@remove-
this.hem.utfors.se> wrote:
> I would certainly *not* move the DC to another OU, that could break
> other things in the domain.
>
> I would *not* modify the Default Domain or Default Domain
> Controller GPO either. Rather, create a new GPO and link it to the
> Domain Controller OU, and put it above the existing GPOs linked to
> that OU, thereby overriding the other GPOs.
> That way, you will have an easy way to undo your changes in case
> anything goes completely wrong, by simply removing the GPO link.
>
> Be sure to test every setting thoroughly, because this is one of
> the reasons that running TS on a DC is not recommended.

Thank you for replying. We are working with a customer that already
has TS installed on their DC and we are trying to help them with their
remote setup. They already have separate OUs created for User
departments, such as Finance, Sales, etc and have GPOs linked to these
OUs where they control local resources, Internet use, etc for these
users.

They will have some local users at the main office connecting to the
TS, with or without using thin-clients, and these users are members of
their respective OUs and Remote Users group. We are in the test lab
now, trying to mimic this setup, and now incorporate the remote users
(who will be using thin-clients). So, in the test lab, we have added
another OU -called remUsers- and created a new GP -called remGPO- and
plan to edit the User Configuration settings to control, for instance,
what icons the remote users see on the TS desktop, and to make
available to them a folder that we have already created on a certain
shared partition on the TS.

This plan seems different than what you advised, however we realize
you did not have this much info in making your response. We will:

1. Add the remote user (working in satellite office on a thin-client)
to AD and make member of RDesktop users.
2. Create an OU called remUsers. Create GP and link to OU.
3. Move necessary users into the OU.
4. Edit the GP created in Step 2 for controlling users' environment.

Will our method work and/or do you see any flaws?
 
Re: GP/OU Question

porbarfarms@gmail.com wrote on 21 jan 2008 in
microsoft.public.windows.terminal_services:

>
> Thank you for replying. We are working with a customer that
> already has TS installed on their DC and we are trying to help
> them with their remote setup. They already have separate OUs
> created for User departments, such as Finance, Sales, etc and
> have GPOs linked to these OUs where they control local
> resources, Internet use, etc for these users.
>
> They will have some local users at the main office connecting to
> the TS, with or without using thin-clients, and these users are
> members of their respective OUs and Remote Users group. We are in
> the test lab now, trying to mimic this setup, and now
> incorporate the remote users (who will be using thin-clients).
> So, in the test lab, we have added another OU -called remUsers-
> and created a new GP -called remGPO- and plan to edit the User
> Configuration settings to control, for instance, what icons the
> remote users see on the TS desktop, and to make available to
> them a folder that we have already created on a certain shared
> partition on the TS.
>
> This plan seems different than what you advised, however we
> realize you did not have this much info in making your response.
> We will:
>
> 1. Add the remote user (working in satellite office on a
> thin-client) to AD and make member of RDesktop users.
> 2. Create an OU called remUsers. Create GP and link to OU.
> 3. Move necessary users into the OU.
> 4. Edit the GP created in Step 2 for controlling users'
> environment.
>
> Will our method work and/or do you see any flaws?


Linking the GPO to the OU which contains the user accounts (instead
of the standard method of linking it to the OU which contains
the TS machine account and using loopback processing) will work for
users who *only* log on through a thin client.
But as soon as a user account is also used to log on to a normal
"fat" client, the GPO will be applied to the user as well and most
likely cause error messages and unwanted effects.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
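
A small model of the difference described in the last reply, as an added example that is not part of the original thread: it resolves User Configuration settings for one account at a TS (thin-client) logon and at a fat-client logon, once with the GPO linked to the user OU and once with it linked to the TS machine's OU with loopback. The `corp` domain, the `Sales` and `Workstations` OUs, `tsGPO` and the setting names are hypothetical; loopback is assumed to be in replace mode, and site GPOs, enforced links, link order and security filtering are ignored.

```python
# Simplified model of Group Policy User Configuration resolution.
# Constructed data: "corp", "Sales", "Workstations" and "tsGPO" are hypothetical;
# site GPOs, enforced links, link order and security filtering are ignored.
GPO_USER_SETTINGS = {
    "remGPO": {"desktop_icons": "restricted", "shared_folder": "mapped"},
    "tsGPO": {"desktop_icons": "restricted", "shared_folder": "mapped"},
}
TS_OU = "corp/Domain Controllers"   # the TS runs on the DC in this thread
FAT_OU = "corp/Workstations"

def linked_gpos(ou, links):
    """GPOs applying to an object in `ou`, domain root first, own OU last."""
    parts = ou.split("/")
    chain = ["/".join(parts[:i + 1]) for i in range(len(parts))]
    return [gpo for container in chain for gpo in links.get(container, [])]

def user_settings(user_ou, computer_ou, links, loopback_ous=()):
    """Settings a user gets when logging on to a machine in `computer_ou`.

    loopback_ous: OUs whose machines have loopback (replace mode) enabled,
    so user settings come from GPOs that apply to the computer instead.
    """
    if computer_ou in loopback_ous:
        order = linked_gpos(computer_ou, links)
    else:
        order = linked_gpos(user_ou, links)
    settings = {}
    for gpo in order:               # later GPOs overwrite earlier ones
        settings.update(GPO_USER_SETTINGS[gpo])
    return settings

def compare_plans():
    """Return {plan: {logon target: settings}} for both linking methods."""
    plan_user_ou = {"corp/remUsers": ["remGPO"]}
    plan_loopback = {TS_OU: ["tsGPO"]}
    return {
        "gpo_on_user_ou": {
            "ts": user_settings("corp/remUsers", TS_OU, plan_user_ou),
            "fat": user_settings("corp/remUsers", FAT_OU, plan_user_ou),
        },
        "gpo_on_ts_ou_loopback": {
            "ts": user_settings("corp/Sales", TS_OU, plan_loopback, (TS_OU,)),
            "fat": user_settings("corp/Sales", FAT_OU, plan_loopback, (TS_OU,)),
        },
    }

if __name__ == "__main__":
    for plan, logons in compare_plans().items():
        print(plan, logons)
```

With the GPO on the user OU the restricted settings follow the account to the fat client; with the loopback link they exist only in the TS session.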
 