Re: Setting Group Policy to apply only to the terminal server
Step by step directions on how to configure this are here:
Best Practice for applying Settings to Users only when they log on to
Terminal Servers would be to:
1. Create an OU to contain a set of Terminal Servers.
2. Block Policy Inheritance on the OU (Properties -> Group Policy). This
   prevents settings from higher-up in AD from affecting your Terminal Servers.
3. Move the Terminal Server Computer Objects into the OU. Do NOT place User
   Accounts in this OU.
4. Create an Active Directory Security Group called “Terminal Servers” (or
   something similar that you’ll recognize) and add the Terminal Servers from
   this OU to this group.
5. Create a GPO called “TS Machine Policy” linked to the OU.
6. Check “Disable User Configuration settings” on the GPO.
7. Enable Loopback Policy Processing in the GPO.
8. Edit the Security of the Policy so Apply Policy is set for “Authenticated
   Users” and the Security Group containing the Terminal Servers.
9. Create additional GPOs linked to this OU for each user population, i.e. “TS
   Users”, “TS Administrators”.
10. Check “Disable Computer Configuration settings” on these GPOs.
11. Edit the Security on these User Configuration GPOs so Apply Policy is
    enabled for the target user population, and Deny Apply Policy is enabled for
    users to which the policy should not apply.
With GPOs configured this way the Machine Policy applies to everyone that
logs on to the Terminal Server (only the Computer Configuration Settings of
the Machine Policy are processed) in addition to the appropriate User
Configuration GPO (only the User Configuration portion of the GPO is
processed) for the target user population.
--
Patrick C. Rouse
Microsoft MVP - Terminal Server
SE, Western USA & Canada
Quest Software, Provision Networks Division
http://www.provisionnetworks.com
"Vera Noest [MVP]" wrote:
> Graffiti Knight <jordanstacy@gmail.com> wrote on 30 jan 2008 in
> microsoft.public.windows.terminal_services:
>
> > On Jan 29, 4:23 am, moncho <mon...@NOspmanywhere.com> wrote:
> >> Graffiti Knight wrote:
> >> > We have a number of group policy restrictions for our
> >> > terminal server, however they all fall under User
> >> > Configuration (folder redirection, Control Panel access, and
> >> > hiding drives in My Computer). To apply these settings we
> >> > have an OU for our employees' computers to use loopback
> >> > processing and an OU for the employees' user accounts.
> >>
> >> > The problem is that whenever a user logs onto a computer that
> >> > is not the terminal server (TS), if they aren't moved out of
> >> > the OU then the policy restrictions get applied to their
> >> > profile and we have to wipe it and start over. For computer
> >> > rebuilds this becomes a hassle as we have to remove them,
> >> > create the profile on their new machine, and then move them
> >> > back. Is there a way to apply these User Configuration
> >> > settings only on the Terminal Server, and not have to do all
> >> > of this moving around?
> >>
> >> > Thanks for any suggestions.
> >>
> >> What you want to do is put the TS servers in their own OU and
> >> use loopback processing.
> >>
> >> When you do this, any policies you create in the TS OU
> >> will only affect the user's desktop in TS and not their
> >> individual desktop.
> >>
> >> moncho
> >
> > The terminal servers are in their own OU. I have an OU for the
> > terminal servers, an OU for TS users, and an OU for TS users'
> > computers. None are within each other; they are all under the
> > Domain OU.
>
> And have you linked the restrictive GPO to the OU which contains
> the Terminal Servers?
> If so, check if all GPOs are applied as you expect them to be by
> running RSoP (Resultant Set of Policies).
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
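
The procedure in Patrick Rouse's reply at the top of this thread, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example (not part of the original thread). The domain DN, server name, user group name and the loopback mode are assumptions, and because Set-GPPermission cannot write a Deny entry, the user GPO here is scoped by removing Apply from "Authenticated Users" and granting it only to the target group instead of using Deny Apply Policy.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# Assumed values, not taken from the thread.
$domainDn     = 'DC=example,DC=test'          # placeholder domain
$ouDn         = "OU=Terminal Servers,$domainDn"
$tsGroup      = 'Terminal Servers'
$servers      = @('TS01')                     # constructed sample computer name
$userGroup    = 'TS Users Group'              # hypothetical existing group of target users
$loopbackMode = 2                             # 1 = Merge, 2 = Replace; the post does not say which

# OU for the terminal servers, with inheritance from higher-level GPOs blocked.
New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDn
Set-GPInheritance -Target $ouDn -IsBlocked Yes

# Security group for the servers; move only computer objects into the OU.
New-ADGroup -Name $tsGroup -GroupScope Global -GroupCategory Security
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity $tsGroup -Members $computer
    Move-ADObject -Identity $computer -TargetPath $ouDn
}

# Machine GPO: user half disabled, loopback processing enabled.
$machine = New-GPO -Name 'TS Machine Policy'
$machine.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $machine.DisplayName -Target $ouDn
Set-GPRegistryValue -Name $machine.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $loopbackMode
# "Authenticated Users" already has Apply on a new GPO; add the server group.
Set-GPPermission -Name $machine.DisplayName -TargetName $tsGroup `
    -TargetType Group -PermissionLevel GpoApply

# User GPO: computer half disabled, applied only to the target user group.
$user = New-GPO -Name 'TS Users'
$user.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $user.DisplayName -Target $ouDn
# Downgrade the default Apply to Read so the GPO stays readable but unapplied.
Set-GPPermission -Name $user.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $user.DisplayName -TargetName $userGroup `
    -TargetType Group -PermissionLevel GpoApply

# Confirm the OU blocks inheritance and lists both links.
Get-GPInheritance -Target $ouDn | Select-Object GpoInheritanceBlocked, GpoLinks
```

Running RSoP for a target user on the terminal server and again on an ordinary workstation, as Vera Noest suggests in the quoted reply, shows whether the user GPO is confined to the terminal server.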