GP/OU Problem/Question

  • Thread starter Thread starter compsosinc@gmail.com
  • Start date Start date
C

compsosinc@gmail.com

Guest
In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
DC and a separate Windows 2003 member server as the TS. I am having a
problem getting any Group Policy changes to take effect for an XP Pro
client that logs into the TS --using what I thought was the proper
method of setting this up. Here are my notes on what I have done so
far:

1. Create OU & GPO for the TS:
a. In AD of DC, create an OU called: 'Terminal Servers'
b. Move TS machine into this OU.
c. Right click 'Terminal Servers' OU, and go to properties. Click on
GP tab
d. Click 'New' and name GP (ex, TS Users GP)

2. Create TestUser(s) in AD:

a. Create username/password (ex., TestUser1)
b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
Users
- If creating a separate Security Group for 'TS Users', do not make
user member of RDU. Make the Security group (Step 3) member of RDU.

3. Create Security Group for TS Users & TS desktop

a. Create a new Security group called 'TS Users' in AD.
b. Ensure the 'TS Users' group is a member of RDU group.
c. Populate the 'TS Users' group with the user account(s) --her, the
Testuser1 account
d. Test login to the TS with a user account = ok

4. Edit GPO & Setup Edit for test:

a. In the User Configuration of the GPO, enabled "Remove My COmputer'
icon from Start menu
b. Enabled loopback processing
c. On the Security Tab of the GP, added the TS Machine and the 'TS
Users' Security group with Read & Apply settings
b. Gpupdate/force on DC


Problem:

The edit to the GP does not work...the 'My Computer icon remian when I
login into the TS from the XPP client. I had begun with Folder
redirection and it wasn't working so I tried something simpler..

Resolution?

Based on what I read in a NG posting, I moved my 'Testuser1' user
account into the OU with the TS machine and the GP works!
Everything (most anyway) I researched prior to this setup indicated to
not put the user accounts into the new OU. If I move the Security
Group I created into the OU (of which TestUser1 is a member of) the GP
does not work...

What is the correct way to apply a GP to a group of Users, such as the
group 'TS Users'?
PS I also read article "Understanding Group Policy in a TS
Environment" in which two GPO are linked to thenew OU -one for the
machine & one for the user configuration. Is this a better method?

Confused!
 
Re: GP/OU Problem/Question

Mm, this should work, and you should not need to put the user
account in the TerminalServers OU.
Run gpupdate /force on the TS (although I don't think it will help,
it should have been updated by now). But when you make a change to
the GPO, you have to run gpupdate on the TS, not on the DC.

To troubleshoot, run Resultant Set of Policies with the testuser
account and the TS, to check which policies are applied, and in
which order.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

compsosinc@gmail.com wrote on 15 feb 2008:

> In a VirtualPC setup (test lab), I am using Windows 2003 Server
> as a DC and a separate Windows 2003 member server as the TS. I
> am having a problem getting any Group Policy changes to take
> effect for an XP Pro client that logs into the TS --using what I
> thought was the proper method of setting this up. Here are my
> notes on what I have done so far:
>
> 1. Create OU & GPO for the TS:
> a. In AD of DC, create an OU called: 'Terminal Servers'
> b. Move TS machine into this OU.
> c. Right click 'Terminal Servers' OU, and go to properties.
> Click on GP tab
> d. Click 'New' and name GP (ex, TS Users GP)
>
> 2. Create TestUser(s) in AD:
>
> a. Create username/password (ex., TestUser1)
> b. Ensure that TestUser1 is a member of Domain Users &
> Remote Desktop Users
> - If creating a separate Security Group for 'TS Users', do not
> make user member of RDU. Make the Security group (Step 3) member
> of RDU.
>
> 3. Create Security Group for TS Users & TS desktop
>
> a. Create a new Security group called 'TS Users' in AD.
> b. Ensure the 'TS Users' group is a member of RDU group.
> c. Populate the 'TS Users' group with the user account(s)
> --her, the Testuser1 account
> d. Test login to the TS with a user account = ok
>
> 4. Edit GPO & Setup Edit for test:
>
> a. In the User Configuration of the GPO, enabled "Remove My
> COmputer' icon from Start menu
> b. Enabled loopback processing
> c. On the Security Tab of the GP, added the TS Machine and the
> 'TS Users' Security group with Read & Apply settings
> b. Gpupdate/force on DC
>
>
> Problem:
>
> The edit to the GP does not work...the 'My Computer icon remian
> when I login into the TS from the XPP client. I had begun with
> Folder redirection and it wasn't working so I tried something
> simpler..
>
> Resolution?
>
> Based on what I read in a NG posting, I moved my 'Testuser1'
> user account into the OU with the TS machine and the GP works!
> Everything (most anyway) I researched prior to this setup
> indicated to not put the user accounts into the new OU. If I
> move the Security Group I created into the OU (of which
> TestUser1 is a member of) the GP does not work...
>
> What is the correct way to apply a GP to a group of Users, such
> as the group 'TS Users'?
> PS I also read article "Understanding Group Policy in a TS
> Environment" in which two GPO are linked to thenew OU -one for
> the machine & one for the user configuration. Is this a better
> method?
>
> Confused!
 
Re: GP/OU Problem/Question

compsosinc@gmail.com wrote:
> In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
> DC and a separate Windows 2003 member server as the TS. I am having a
> problem getting any Group Policy changes to take effect for an XP Pro
> client that logs into the TS --using what I thought was the proper
> method of setting this up. Here are my notes on what I have done so
> far:
>
> 1. Create OU & GPO for the TS:
> a. In AD of DC, create an OU called: 'Terminal Servers'
> b. Move TS machine into this OU.
> c. Right click 'Terminal Servers' OU, and go to properties. Click on
> GP tab
> d. Click 'New' and name GP (ex, TS Users GP)
>
> 2. Create TestUser(s) in AD:
>
> a. Create username/password (ex., TestUser1)
> b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
> Users
> - If creating a separate Security Group for 'TS Users', do not make
> user member of RDU. Make the Security group (Step 3) member of RDU.
>
> 3. Create Security Group for TS Users & TS desktop
>
> a. Create a new Security group called 'TS Users' in AD.
> b. Ensure the 'TS Users' group is a member of RDU group.

Make sure you add 'TS Users' group to the local 2003 TS server
RDU group.

> c. Populate the 'TS Users' group with the user account(s) --her, the
> Testuser1 account
> d. Test login to the TS with a user account = ok
>
> 4. Edit GPO & Setup Edit for test:
>
> a. In the User Configuration of the GPO, enabled "Remove My COmputer'
> icon from Start menu
> b. Enabled loopback processing
I have found it easier and more reliable to put the loopback processing
in the Computer Configuration section of its own GPO in the
Terminal Servers OU. Also, you may want to set it to "replace"
mode.

Create a UserConfig GPO in the Terminal Server OU and with only your
security group.

> c. On the Security Tab of the GP, added the TS Machine and the 'TS
> Users' Security group with Read & Apply settings
You will want to remove the Authenticated Users group also.

> b. Gpupdate/force on DC
>
>
> Problem:
>
> The edit to the GP does not work...the 'My Computer icon remian when I
> login into the TS from the XPP client. I had begun with Folder
> redirection and it wasn't working so I tried something simpler..
>
> Resolution?
>
> Based on what I read in a NG posting, I moved my 'Testuser1' user
> account into the OU with the TS machine and the GP works!
> Everything (most anyway) I researched prior to this setup indicated to
> not put the user accounts into the new OU. If I move the Security
> Group I created into the OU (of which TestUser1 is a member of) the GP
> does not work...

You do not want to put users in the Terminal Servers OU. This OU
should be for TS servers only, not users.

>
> What is the correct way to apply a GP to a group of Users, such as the
> group 'TS Users'?
> PS I also read article "Understanding Group Policy in a TS
> Environment" in which two GPO are linked to thenew OU -one for the
> machine & one for the user configuration. Is this a better method?

I like to do it this way myself. It helps to keep things simplified.
At least for me.

Basic setup will be:

OU for TS servers
ComputerConfig GPO for TS Servers with Loopback processing set to
replace mode in the Computer Section of the GPO.
UserConfig GPO - remove Authenticated Users, add TS Users group.
- Set all the settings you like in the User section of the GPO
- Start small and add more later.
Add TS Users group to local TS server RDU group.
You should be good to go.

You may want to check http://www.sessioncomputing.com/how-to.htm
also. Loads of info here.

moncho
 
Re: GP/OU Problem/Question

On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:
> compsos...@gmail.com wrote:
> > In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
> > DC and a separate Windows 2003 member server as the TS. I am having a
> > problem getting any Group Policy changes to take effect for an XP Pro
> > client that logs into the TS --using what I thought was the proper
> > method of setting this up. Here are my notes on what I have done so
> > far:
>
> > 1. Create OU & GPO for the TS:
> > a. In AD of DC, create an OU called: 'Terminal Servers'
> > b. Move TS machine into this OU.
> > c. Right click 'Terminal Servers' OU, and go to properties. Click on
> > GP tab
> > d. Click 'New' and name GP (ex, TS Users GP)
>
> > 2. Create TestUser(s) in AD:
>
> > a. Create username/password (ex., TestUser1)
> > b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
> > Users
> > -   If creating a separate Security Group for 'TS Users', do not make
> > user member of RDU. Make the Security group (Step 3) member of RDU.
>
> > 3. Create Security Group for TS Users & TS desktop
>
> > a. Create a new Security group called 'TS Users' in AD.
> > b. Ensure the 'TS Users' group is a member of RDU group.
>
> Make sure you add 'TS Users' group to the local 2003 TS server
> RDU group.
>
> > c. Populate the 'TS Users' group with the user account(s) --her, the
> > Testuser1 account
> > d. Test login to the TS with a user account = ok
>
> > 4. Edit GPO & Setup Edit for test:
>
> > a.  In the User Configuration of the GPO, enabled "Remove My COmputer'
> > icon from Start menu
> > b.  Enabled loopback processing
>
> I have found it easier and more reliable to put the loopback processing
> in the Computer Configuration section of its own GPO in the
> Terminal Servers OU.  Also, you may want to set it to "replace"
> mode.
>
> Create a UserConfig GPO in the Terminal Server OU and with only your
> security group.
>
> > c.  On the Security Tab of the GP, added the TS Machine and the 'TS
> > Users' Security group with Read & Apply settings
>
> You will want to remove the Authenticated Users group also.
>
>
>
>
>
> > b.  Gpupdate/force on DC
>
> > Problem:
>
> > The edit to the GP does not work...the 'My Computer icon remian when I
> > login into the TS from the XPP client. I had begun with Folder
> > redirection and it wasn't working so I tried something simpler..
>
> > Resolution?
>
> > Based on what I read in a NG posting, I moved my 'Testuser1' user
> > account into the OU with the TS machine and the GP works!
> > Everything (most anyway) I researched prior to this setup indicated to
> > not put the user accounts into the new OU. If I move the Security
> > Group I created into the OU (of which TestUser1 is a member of) the GP
> > does not work...
>
> You do not want to put users in the Terminal Servers OU.  This OU
> should be for TS servers only, not users.
>
>
>
> > What is the correct way to apply a GP to a group of Users, such as the
> > group 'TS Users'?
> > PS I also read article "Understanding Group Policy in a TS
> > Environment" in which  two GPO are linked to thenew OU -one for the
> > machine & one for the user configuration. Is this a better method?
>
> I like to do it this way myself.  It helps to keep things simplified.
> At least for me.
>
> Basic setup will be:
>
> OU for TS servers
> ComputerConfig GPO for TS Servers with Loopback processing set to
> replace mode in the Computer Section of the GPO.
> UserConfig GPO - remove Authenticated Users, add TS Users group.
>   - Set all the settings you like in the User section of the GPO
>   - Start small and add more later.
> Add TS Users group to local TS server RDU group.
> You should be good to go.
>
> You may want to checkhttp://www.sessioncomputing.com/how-to.htm
> also.  Loads of info here.
>
> moncho- Hide quoted text -
>
> - Show quoted text -- Hide quoted text -
>
> - Show quoted text -

Thank you both very much for replying. I have the GP working and here
are the things I did to make it work. I just do not know what fixed it
(made more than one thing or all did):

1. On the GP of the TS OU, I removed Authenticated users from the
Security tab (Filtering). I ensured that the TS machine and the 'TS
Users' group was listed and had Read/Apply rights.
2. On the GP, checked 'Block Policy Inheritence' -- I read this in
another article but do not see it mentioned often so had originally
not done this.
3. Made the 'TS Users' group a member of the Local Remote Desktop
Users on the TS.
4. Ran gpupdate/force on the TS, not the DC. Did not know this...and
not sure I understand why this is done on the TS when the DC has
Active Directory.

Question(s):

1. Vera, you mention running 'Resultant Set of Policies'. How is that
done specifically -either for a Security group or an individual User?
I should know how to do this for future troubleshooting...I have read
that you need the Resource Kit to do this?

2. With regards to setting up separate GPOs, one for the Computer
Configuration and one for the Users, what is considered best practice?

Thanks again...
 
Re: GP/OU Problem/Question

compsosinc@gmail.com wrote:
> On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:
>> compsos...@gmail.com wrote:
>>> In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
>>> DC and a separate Windows 2003 member server as the TS. I am having a
>>> problem getting any Group Policy changes to take effect for an XP Pro
>>> client that logs into the TS --using what I thought was the proper
>>> method of setting this up. Here are my notes on what I have done so
>>> far:
>>> 1. Create OU & GPO for the TS:
>>> a. In AD of DC, create an OU called: 'Terminal Servers'
>>> b. Move TS machine into this OU.
>>> c. Right click 'Terminal Servers' OU, and go to properties. Click on
>>> GP tab
>>> d. Click 'New' and name GP (ex, TS Users GP)
>>> 2. Create TestUser(s) in AD:
>>> a. Create username/password (ex., TestUser1)
>>> b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
>>> Users
>>> - If creating a separate Security Group for 'TS Users', do not make
>>> user member of RDU. Make the Security group (Step 3) member of RDU.
>>> 3. Create Security Group for TS Users & TS desktop
>>> a. Create a new Security group called 'TS Users' in AD.
>>> b. Ensure the 'TS Users' group is a member of RDU group.
>> Make sure you add 'TS Users' group to the local 2003 TS server
>> RDU group.
>>
>>> c. Populate the 'TS Users' group with the user account(s) --her, the
>>> Testuser1 account
>>> d. Test login to the TS with a user account = ok
>>> 4. Edit GPO & Setup Edit for test:
>>> a. In the User Configuration of the GPO, enabled "Remove My COmputer'
>>> icon from Start menu
>>> b. Enabled loopback processing
>> I have found it easier and more reliable to put the loopback processing
>> in the Computer Configuration section of its own GPO in the
>> Terminal Servers OU. Also, you may want to set it to "replace"
>> mode.
>>
>> Create a UserConfig GPO in the Terminal Server OU and with only your
>> security group.
>>
>>> c. On the Security Tab of the GP, added the TS Machine and the 'TS
>>> Users' Security group with Read & Apply settings
>> You will want to remove the Authenticated Users group also.
>>
>>
>>
>>
>>
>>> b. Gpupdate/force on DC
>>> Problem:
>>> The edit to the GP does not work...the 'My Computer icon remian when I
>>> login into the TS from the XPP client. I had begun with Folder
>>> redirection and it wasn't working so I tried something simpler..
>>> Resolution?
>>> Based on what I read in a NG posting, I moved my 'Testuser1' user
>>> account into the OU with the TS machine and the GP works!
>>> Everything (most anyway) I researched prior to this setup indicated to
>>> not put the user accounts into the new OU. If I move the Security
>>> Group I created into the OU (of which TestUser1 is a member of) the GP
>>> does not work...
>> You do not want to put users in the Terminal Servers OU. This OU
>> should be for TS servers only, not users.
>>
>>
>>
>>> What is the correct way to apply a GP to a group of Users, such as the
>>> group 'TS Users'?
>>> PS I also read article "Understanding Group Policy in a TS
>>> Environment" in which two GPO are linked to thenew OU -one for the
>>> machine & one for the user configuration. Is this a better method?
>> I like to do it this way myself. It helps to keep things simplified.
>> At least for me.
>>
>> Basic setup will be:
>>
>> OU for TS servers
>> ComputerConfig GPO for TS Servers with Loopback processing set to
>> replace mode in the Computer Section of the GPO.
>> UserConfig GPO - remove Authenticated Users, add TS Users group.
>> - Set all the settings you like in the User section of the GPO
>> - Start small and add more later.
>> Add TS Users group to local TS server RDU group.
>> You should be good to go.
>>
>> You may want to checkhttp://www.sessioncomputing.com/how-to.htm
>> also. Loads of info here.
>>
>> moncho- Hide quoted text -
>>
>> - Show quoted text -- Hide quoted text -
>>
>> - Show quoted text -
>
> Thank you both very much for replying. I have the GP working and here
> are the things I did to make it work. I just do not know what fixed it
> (made more than one thing or all did):
>
> 1. On the GP of the TS OU, I removed Authenticated users from the
> Security tab (Filtering). I ensured that the TS machine and the 'TS
> Users' group was listed and had Read/Apply rights.
This is to stop the GP from applying to a user in the Administrator
group. You do not want all the restrictions on the admin.

> 2. On the GP, checked 'Block Policy Inheritence' -- I read this in
> another article but do not see it mentioned often so had originally
> not done this.
> 3. Made the 'TS Users' group a member of the Local Remote Desktop
> Users on the TS.
> 4. Ran gpupdate/force on the TS, not the DC. Did not know this...and
> not sure I understand why this is done on the TS when the DC has
> Active Directory.

You run gpudate /force on the system that you want to update (i.e. TS
server or desktop). It "grabs" the new policy "from" A/D.

>
> Question(s):
>
> 1. Vera, you mention running 'Resultant Set of Policies'. How is that
> done specifically -either for a Security group or an individual User?
> I should know how to do this for future troubleshooting...I have read
> that you need the Resource Kit to do this?

You will do this on a machine or individual user. I can be done from
within the GPMC.

Right Click on Group Policy Results -> Group Policy Results Wizard.

If you have Windows Firewall enable on the machine you are
trying to get the results from, it may block the Wizard. I do not know
what ports to open for this to work correctly. Maybe Vera knows.

>
> 2. With regards to setting up separate GPOs, one for the Computer
> Configuration and one for the Users, what is considered best practice?

Like I mentioned earlier, I think creating two OU's is better. By
keeping the Computer Config GPO with loopback processing separate, it is
easier on other admins (IMHO). I believe this should be a best
practice if it is not already. To me, loopback processing is
a "big time" change and should be in its own GPO. Especially for
troubleshooting purposes.

moncho
 
Re: GP/OU Problem/Question

On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:
> compsos...@gmail.com wrote:
> > On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:
> >> compsos...@gmail.com wrote:
> >>> In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
> >>> DC and a separate Windows 2003 member server as the TS. I am having a
> >>> problem getting any Group Policy changes to take effect for an XP Pro
> >>> client that logs into the TS --using what I thought was the proper
> >>> method of setting this up. Here are my notes on what I have done so
> >>> far:
> >>> 1. Create OU & GPO for the TS:
> >>> a. In AD of DC, create an OU called: 'Terminal Servers'
> >>> b. Move TS machine into this OU.
> >>> c. Right click 'Terminal Servers' OU, and go to properties. Click on
> >>> GP tab
> >>> d. Click 'New' and name GP (ex, TS Users GP)
> >>> 2. Create TestUser(s) in AD:
> >>> a. Create username/password (ex., TestUser1)
> >>> b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
> >>> Users
> >>> -   If creating a separate Security Group for 'TS Users', do not make
> >>> user member of RDU. Make the Security group (Step 3) member of RDU.
> >>> 3. Create Security Group for TS Users & TS desktop
> >>> a. Create a new Security group called 'TS Users' in AD.
> >>> b. Ensure the 'TS Users' group is a member of RDU group.
> >> Make sure you add 'TS Users' group to the local 2003 TS server
> >> RDU group.
>
> >>> c. Populate the 'TS Users' group with the user account(s) --her, the
> >>> Testuser1 account
> >>> d. Test login to the TS with a user account = ok
> >>> 4. Edit GPO & Setup Edit for test:
> >>> a.  In the User Configuration of the GPO, enabled "Remove My COmputer'
> >>> icon from Start menu
> >>> b.  Enabled loopback processing
> >> I have found it easier and more reliable to put the loopback processing
> >> in the Computer Configuration section of its own GPO in the
> >> Terminal Servers OU.  Also, you may want to set it to "replace"
> >> mode.
>
> >> Create a UserConfig GPO in the Terminal Server OU and with only your
> >> security group.
>
> >>> c.  On the Security Tab of the GP, added the TS Machine and the 'TS
> >>> Users' Security group with Read & Apply settings
> >> You will want to remove the Authenticated Users group also.
>
> >>> b.  Gpupdate/force on DC
> >>> Problem:
> >>> The edit to the GP does not work...the 'My Computer icon remian when I
> >>> login into the TS from the XPP client. I had begun with Folder
> >>> redirection and it wasn't working so I tried something simpler..
> >>> Resolution?
> >>> Based on what I read in a NG posting, I moved my 'Testuser1' user
> >>> account into the OU with the TS machine and the GP works!
> >>> Everything (most anyway) I researched prior to this setup indicated to
> >>> not put the user accounts into the new OU. If I move the Security
> >>> Group I created into the OU (of which TestUser1 is a member of) the GP
> >>> does not work...
> >> You do not want to put users in the Terminal Servers OU.  This OU
> >> should be for TS servers only, not users.
>
> >>> What is the correct way to apply a GP to a group of Users, such as the
> >>> group 'TS Users'?
> >>> PS I also read article "Understanding Group Policy in a TS
> >>> Environment" in which  two GPO are linked to thenew OU -one for the
> >>> machine & one for the user configuration. Is this a better method?
> >> I like to do it this way myself.  It helps to keep things simplified.
> >> At least for me.
>
> >> Basic setup will be:
>
> >> OU for TS servers
> >> ComputerConfig GPO for TS Servers with Loopback processing set to
> >> replace mode in the Computer Section of the GPO.
> >> UserConfig GPO - remove Authenticated Users, add TS Users group.
> >>   - Set all the settings you like in the User section of the GPO
> >>   - Start small and add more later.
> >> Add TS Users group to local TS server RDU group.
> >> You should be good to go.
>
> >> You may want to checkhttp://www.sessioncomputing.com/how-to.htm
> >> also.  Loads of info here.
>
> >> moncho- Hide quoted text -
>
> >> - Show quoted text -- Hide quoted text -
>
> >> - Show quoted text -
>
> > Thank you both very much for replying. I have the GP working and here
> > are the things I did to make it work. I just do not know what fixed it
> > (made more than one thing or all did):
>
> > 1. On the GP of the TS OU, I removed Authenticated users from the
> > Security tab (Filtering). I ensured that the TS machine and the 'TS
> > Users' group was listed and had Read/Apply rights.
>
> This is to stop the GP from applying to a user in the Administrator
> group.  You do not want all the restrictions on the admin.
>
> > 2. On the GP, checked 'Block Policy Inheritence' -- I read this in
> > another article but do not see it mentioned often so had originally
> > not done this.
> > 3. Made the 'TS Users' group a member of the Local Remote Desktop
> > Users on the TS.
> > 4. Ran gpupdate/force on the TS, not the DC.  Did not know this...and
> > not sure I understand why this is done on the TS when the DC has
> > Active Directory.
>
> You run gpudate /force on the system that you want to update (i.e. TS
> server or desktop).  It "grabs" the new policy "from" A/D.
>
>
>
> > Question(s):
>
> > 1. Vera, you mention running 'Resultant Set of Policies'. How is that
> > done specifically -either for a Security group or an individual User?
> > I should know how to do this for future troubleshooting...I have read
> > that you need the Resource Kit to do this?
>
> You will do this on a machine or individual user.  I can be done from
> within the GPMC.
>
> Right Click on Group Policy Results -> Group Policy Results Wizard.
>
> If you have Windows Firewall enable on the machine you are
> trying to get the results from, it may block the Wizard.  I do not know
> what ports to open for this to work correctly.  Maybe Vera knows.
>
>
>
> > 2. With regards to setting up separate GPOs, one for the Computer
> > Configuration and one for the Users, what is considered best practice?
>
> Like I mentioned earlier, I think creating two OU's is better.  By
> keeping the Computer Config GPO with loopback processing separate, it is
> easier on other admins (IMHO).  I believe this should be a best
> practice if it is not already.  To me, loopback processing is
> a "big time" change and should be in its own GPO.  Especially for
> troubleshooting purposes.
>
> moncho- Hide quoted text -
>
> - Show quoted text -

Thanks again. You have both been very helpful!
 
Re: GP/OU Problem/Question

compsosinc@gmail.com wrote on 15 feb 2008 in
microsoft.public.windows.terminal_services:

> On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:
>> compsos...@gmail.com wrote:
>> > On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:
>> >> compsos...@gmail.com wrote:
>> >>> In a VirtualPC setup (test lab), I am using Windows 2003
>> >>> Server as a DC and a separate Windows 2003 member server as
>> >>> the TS. I am having a problem getting any Group Policy
>> >>> changes to take effect for an XP Pro client that logs into
>> >>> the TS --using what I thought was the proper method of
>> >>> setting this up. Here are my notes on what I have done so
>> >>> far:
>> >>> 1. Create OU & GPO for the TS:
>> >>> a. In AD of DC, create an OU called: 'Terminal Servers'
>> >>> b. Move TS machine into this OU.
>> >>> c. Right click 'Terminal Servers' OU, and go to properties.
>> >>> Click on GP tab
>> >>> d. Click 'New' and name GP (ex, TS Users GP)
>> >>> 2. Create TestUser(s) in AD:
>> >>> a. Create username/password (ex., TestUser1)
>> >>> b. Ensure that TestUser1 is a member of Domain Users &
>> >>> Remote Desktop Users
>> >>> -   If creating a separate Security Group for 'TS Users',
>> >>> do not mak
> e
>> >>> user member of RDU. Make the Security group (Step 3) member
>> >>> of RDU. 3. Create Security Group for TS Users & TS desktop
>> >>> a. Create a new Security group called 'TS Users' in AD.
>> >>> b. Ensure the 'TS Users' group is a member of RDU group.
>> >> Make sure you add 'TS Users' group to the local 2003 TS
>> >> server RDU group.
>>
>> >>> c. Populate the 'TS Users' group with the user account(s)
>> >>> --her, the Testuser1 account
>> >>> d. Test login to the TS with a user account = ok
>> >>> 4. Edit GPO & Setup Edit for test:
>> >>> a.  In the User Configuration of the GPO, enabled "Remove
>> >>> My COmpute
> r'
>> >>> icon from Start menu
>> >>> b.  Enabled loopback processing
>> >> I have found it easier and more reliable to put the loopback
>> >> processing
>
>> >> in the Computer Configuration section of its own GPO in the
>> >> Terminal Servers OU.  Also, you may want to set it to
>> >> "replace" mode.
>>
>> >> Create a UserConfig GPO in the Terminal Server OU and with
>> >> only your security group.
>>
>> >>> c.  On the Security Tab of the GP, added the TS Machine and
>> >>> the 'TS Users' Security group with Read & Apply settings
>> >> You will want to remove the Authenticated Users group also.
>>
>> >>> b.  Gpupdate/force on DC
>> >>> Problem:
>> >>> The edit to the GP does not work...the 'My Computer icon
>> >>> remian when I
>
>> >>> login into the TS from the XPP client. I had begun with
>> >>> Folder redirection and it wasn't working so I tried
>> >>> something simpler.. Resolution?
>> >>> Based on what I read in a NG posting, I moved my
>> >>> 'Testuser1' user account into the OU with the TS machine
>> >>> and the GP works! Everything (most anyway) I researched
>> >>> prior to this setup indicated to
>
>> >>> not put the user accounts into the new OU. If I move the
>> >>> Security Group I created into the OU (of which TestUser1 is
>> >>> a member of) the GP
>
>> >>> does not work...
>> >> You do not want to put users in the Terminal Servers OU.
>> >>  This OU should be for TS servers only, not users.
>>
>> >>> What is the correct way to apply a GP to a group of Users,
>> >>> such as the
>
>> >>> group 'TS Users'?
>> >>> PS I also read article "Understanding Group Policy in a TS
>> >>> Environment" in which  two GPO are linked to thenew OU -one
>> >>> for the machine & one for the user configuration. Is this a
>> >>> better method?
>> >> I like to do it this way myself.  It helps to keep things
>> >> simplified.
>
>> >> At least for me.
>>
>> >> Basic setup will be:
>>
>> >> OU for TS servers
>> >> ComputerConfig GPO for TS Servers with Loopback processing
>> >> set to replace mode in the Computer Section of the GPO.
>> >> UserConfig GPO - remove Authenticated Users, add TS Users
>> >> group.   - Set all the settings you like in the User section
>> >> of the GPO   - Start small and add more later.
>> >> Add TS Users group to local TS server RDU group.
>> >> You should be good to go.
>>
>> >> You may want to
>> >> checkhttp://www.sessioncomputing.com/how-to.htm also.  Loads
>> >> of info here.
>>
>> >> moncho- Hide quoted text -
>>
>> >> - Show quoted text -- Hide quoted text -
>>
>> >> - Show quoted text -
>>
>> > Thank you both very much for replying. I have the GP working
>> > and here are the things I did to make it work. I just do not
>> > know what fixed it (made more than one thing or all did):
>>
>> > 1. On the GP of the TS OU, I removed Authenticated users from
>> > the Security tab (Filtering). I ensured that the TS machine
>> > and the 'TS Users' group was listed and had Read/Apply
>> > rights.
>>
>> This is to stop the GP from applying to a user in the
>> Administrator group.  You do not want all the restrictions on
>> the admin.
>>
>> > 2. On the GP, checked 'Block Policy Inheritence' -- I read
>> > this in another article but do not see it mentioned often so
>> > had originally not done this.
>> > 3. Made the 'TS Users' group a member of the Local Remote
>> > Desktop Users on the TS.
>> > 4. Ran gpupdate/force on the TS, not the DC.  Did not know
>> > this...and not sure I understand why this is done on the TS
>> > when the DC has Active Directory.
>>
>> You run gpudate /force on the system that you want to update
>> (i.e. TS server or desktop).  It "grabs" the new policy "from"
>> A/D.
>>
>>
>>
>> > Question(s):
>>
>> > 1. Vera, you mention running 'Resultant Set of Policies'. How
>> > is that done specifically -either for a Security group or an
>> > individual User? I should know how to do this for future
>> > troubleshooting...I have read that you need the Resource Kit
>> > to do this?
>>
>> You will do this on a machine or individual user.  I can be
>> done from within the GPMC.
>>
>> Right Click on Group Policy Results -> Group Policy Results
>> Wizard.
>>
>> If you have Windows Firewall enable on the machine you are
>> trying to get the results from, it may block the Wizard.  I do
>> not know what ports to open for this to work correctly.  Maybe
>> Vera knows.
>>
>>
>>
>> > 2. With regards to setting up separate GPOs, one for the
>> > Computer Configuration and one for the Users, what is
>> > considered best practice?
>>
>> Like I mentioned earlier, I think creating two OU's is better.
>>  By keeping the Computer Config GPO with loopback processing
>> separate, it is easier on other admins (IMHO).  I believe this
>> should be a best practice if it is not already.  To me,
>> loopback processing is a "big time" change and should be in its
>> own GPO.  Especially for troubleshooting purposes.
>>
>> moncho- Hide quoted text -
>>
>> - Show quoted text -
>
> Thanks again. You have both been very helpful!

Glad you got it solved. And I believe that the solution was point
> 3. Made the 'TS Users' group a member of the Local Remote
> Desktop Users on the TS.

That was a good catch, moncho, I missed that!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: GP/OU Problem/Question

Vera Noest [MVP] wrote:
> compsosinc@gmail.com wrote on 15 feb 2008 in
> microsoft.public.windows.terminal_services:
>
>> On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:
>>> compsos...@gmail.com wrote:
>>>> On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:
>>>>> compsos...@gmail.com wrote:
>>>>>> In a VirtualPC setup (test lab), I am using Windows 2003
>>>>>> Server as a DC and a separate Windows 2003 member server as
>>>>>> the TS. I am having a problem getting any Group Policy
>>>>>> changes to take effect for an XP Pro client that logs into
>>>>>> the TS --using what I thought was the proper method of
>>>>>> setting this up. Here are my notes on what I have done so
>>>>>> far:
>>>>>> 1. Create OU & GPO for the TS:
>>>>>> a. In AD of DC, create an OU called: 'Terminal Servers'
>>>>>> b. Move TS machine into this OU.
>>>>>> c. Right click 'Terminal Servers' OU, and go to properties.
>>>>>> Click on GP tab
>>>>>> d. Click 'New' and name GP (ex, TS Users GP)
>>>>>> 2. Create TestUser(s) in AD:
>>>>>> a. Create username/password (ex., TestUser1)
>>>>>> b. Ensure that TestUser1 is a member of Domain Users &
>>>>>> Remote Desktop Users
>>>>>> - If creating a separate Security Group for 'TS Users',
>>>>>> do not mak
>> e
>>>>>> user member of RDU. Make the Security group (Step 3) member
>>>>>> of RDU. 3. Create Security Group for TS Users & TS desktop
>>>>>> a. Create a new Security group called 'TS Users' in AD.
>>>>>> b. Ensure the 'TS Users' group is a member of RDU group.
>>>>> Make sure you add 'TS Users' group to the local 2003 TS
>>>>> server RDU group.
>>>>>> c. Populate the 'TS Users' group with the user account(s)
>>>>>> --her, the Testuser1 account
>>>>>> d. Test login to the TS with a user account = ok
>>>>>> 4. Edit GPO & Setup Edit for test:
>>>>>> a. In the User Configuration of the GPO, enabled "Remove
>>>>>> My COmpute
>> r'
>>>>>> icon from Start menu
>>>>>> b. Enabled loopback processing
>>>>> I have found it easier and more reliable to put the loopback
>>>>> processing
>>>>> in the Computer Configuration section of its own GPO in the
>>>>> Terminal Servers OU. Also, you may want to set it to
>>>>> "replace" mode.
>>>>> Create a UserConfig GPO in the Terminal Server OU and with
>>>>> only your security group.
>>>>>> c. On the Security Tab of the GP, added the TS Machine and
>>>>>> the 'TS Users' Security group with Read & Apply settings
>>>>> You will want to remove the Authenticated Users group also.
>>>>>> b. Gpupdate/force on DC
>>>>>> Problem:
>>>>>> The edit to the GP does not work...the 'My Computer icon
>>>>>> remian when I
>>>>>> login into the TS from the XPP client. I had begun with
>>>>>> Folder redirection and it wasn't working so I tried
>>>>>> something simpler.. Resolution?
>>>>>> Based on what I read in a NG posting, I moved my
>>>>>> 'Testuser1' user account into the OU with the TS machine
>>>>>> and the GP works! Everything (most anyway) I researched
>>>>>> prior to this setup indicated to
>>>>>> not put the user accounts into the new OU. If I move the
>>>>>> Security Group I created into the OU (of which TestUser1 is
>>>>>> a member of) the GP
>>>>>> does not work...
>>>>> You do not want to put users in the Terminal Servers OU.
>>>>> This OU should be for TS servers only, not users.
>>>>>> What is the correct way to apply a GP to a group of Users,
>>>>>> such as the
>>>>>> group 'TS Users'?
>>>>>> PS I also read article "Understanding Group Policy in a TS
>>>>>> Environment" in which two GPO are linked to thenew OU -one
>>>>>> for the machine & one for the user configuration. Is this a
>>>>>> better method?
>>>>> I like to do it this way myself. It helps to keep things
>>>>> simplified.
>>>>> At least for me.
>>>>> Basic setup will be:
>>>>> OU for TS servers
>>>>> ComputerConfig GPO for TS Servers with Loopback processing
>>>>> set to replace mode in the Computer Section of the GPO.
>>>>> UserConfig GPO - remove Authenticated Users, add TS Users
>>>>> group. - Set all the settings you like in the User section
>>>>> of the GPO - Start small and add more later.
>>>>> Add TS Users group to local TS server RDU group.
>>>>> You should be good to go.
>>>>> You may want to
>>>>> checkhttp://www.sessioncomputing.com/how-to.htm also. Loads
>>>>> of info here.
>>>>> moncho- Hide quoted text -
>>>>> - Show quoted text -- Hide quoted text -
>>>>> - Show quoted text -
>>>> Thank you both very much for replying. I have the GP working
>>>> and here are the things I did to make it work. I just do not
>>>> know what fixed it (made more than one thing or all did):
>>>> 1. On the GP of the TS OU, I removed Authenticated users from
>>>> the Security tab (Filtering). I ensured that the TS machine
>>>> and the 'TS Users' group was listed and had Read/Apply
>>>> rights.
>>> This is to stop the GP from applying to a user in the
>>> Administrator group. You do not want all the restrictions on
>>> the admin.
>>>
>>>> 2. On the GP, checked 'Block Policy Inheritence' -- I read
>>>> this in another article but do not see it mentioned often so
>>>> had originally not done this.
>>>> 3. Made the 'TS Users' group a member of the Local Remote
>>>> Desktop Users on the TS.
>>>> 4. Ran gpupdate/force on the TS, not the DC. Did not know
>>>> this...and not sure I understand why this is done on the TS
>>>> when the DC has Active Directory.
>>> You run gpudate /force on the system that you want to update
>>> (i.e. TS server or desktop). It "grabs" the new policy "from"
>>> A/D.
>>>
>>>
>>>
>>>> Question(s):
>>>> 1. Vera, you mention running 'Resultant Set of Policies'. How
>>>> is that done specifically -either for a Security group or an
>>>> individual User? I should know how to do this for future
>>>> troubleshooting...I have read that you need the Resource Kit
>>>> to do this?
>>> You will do this on a machine or individual user. I can be
>>> done from within the GPMC.
>>>
>>> Right Click on Group Policy Results -> Group Policy Results
>>> Wizard.
>>>
>>> If you have Windows Firewall enable on the machine you are
>>> trying to get the results from, it may block the Wizard. I do
>>> not know what ports to open for this to work correctly. Maybe
>>> Vera knows.
>>>
>>>
>>>
>>>> 2. With regards to setting up separate GPOs, one for the
>>>> Computer Configuration and one for the Users, what is
>>>> considered best practice?
>>> Like I mentioned earlier, I think creating two OU's is better.
>>> By keeping the Computer Config GPO with loopback processing
>>> separate, it is easier on other admins (IMHO). I believe this
>>> should be a best practice if it is not already. To me,
>>> loopback processing is a "big time" change and should be in its
>>> own GPO. Especially for troubleshooting purposes.
>>>
>>> moncho- Hide quoted text -
>>>
>>> - Show quoted text -
>> Thanks again. You have both been very helpful!
>
> Glad you got it solved. And I believe that the solution was point
>> 3. Made the 'TS Users' group a member of the Local Remote
>> Desktop Users on the TS.
>
> That was a good catch, moncho, I missed that!

Thanks Vera. I appreciate that.

I wonder if MS could come up with some way in A/D to just add users
to the domain RDU group and be done. That would make life easier.
I know there would need to be a way to limit the domain RDU to
specific machines for security reasons though...

moncho
 
Re: GP/OU Problem/Question

moncho <moncho@NOspmanywhere.com> wrote on 16 feb 2008 in
microsoft.public.windows.terminal_services:

> Vera Noest [MVP] wrote:
>> compsosinc@gmail.com wrote on 15 feb 2008 in
>> microsoft.public.windows.terminal_services:
>>
>>> On Feb 15, 9:38 am, moncho <mon...@NOspmanywhere.com> wrote:
>>>> compsos...@gmail.com wrote:
>>>>> On Feb 15, 6:56 am, moncho <mon...@NOspmanywhere.com> wrote:
>>>>>> compsos...@gmail.com wrote:
>>>>>>> In a VirtualPC setup (test lab), I am using Windows 2003
>>>>>>> Server as a DC and a separate Windows 2003 member server as
>>>>>>> the TS. I am having a problem getting any Group Policy
>>>>>>> changes to take effect for an XP Pro client that logs into
>>>>>>> the TS --using what I thought was the proper method of
>>>>>>> setting this up. Here are my notes on what I have done so
>>>>>>> far:
>>>>>>> 1. Create OU & GPO for the TS:
>>>>>>> a. In AD of DC, create an OU called: 'Terminal Servers'
>>>>>>> b. Move TS machine into this OU.
>>>>>>> c. Right click 'Terminal Servers' OU, and go to properties.
>>>>>>> Click on GP tab
>>>>>>> d. Click 'New' and name GP (ex, TS Users GP)
>>>>>>> 2. Create TestUser(s) in AD:
>>>>>>> a. Create username/password (ex., TestUser1)
>>>>>>> b. Ensure that TestUser1 is a member of Domain Users &
>>>>>>> Remote Desktop Users
>>>>>>> - If creating a separate Security Group for 'TS Users',
>>>>>>> do not mak
>>> e
>>>>>>> user member of RDU. Make the Security group (Step 3) member
>>>>>>> of RDU. 3. Create Security Group for TS Users & TS desktop
>>>>>>> a. Create a new Security group called 'TS Users' in AD.
>>>>>>> b. Ensure the 'TS Users' group is a member of RDU group.
>>>>>> Make sure you add 'TS Users' group to the local 2003 TS
>>>>>> server RDU group.
>>>>>>> c. Populate the 'TS Users' group with the user account(s)
>>>>>>> --her, the Testuser1 account
>>>>>>> d. Test login to the TS with a user account = ok
>>>>>>> 4. Edit GPO & Setup Edit for test:
>>>>>>> a. In the User Configuration of the GPO, enabled "Remove
>>>>>>> My COmpute
>>> r'
>>>>>>> icon from Start menu
>>>>>>> b. Enabled loopback processing
>>>>>> I have found it easier and more reliable to put the loopback
>>>>>> processing
>>>>>> in the Computer Configuration section of its own GPO in the
>>>>>> Terminal Servers OU. Also, you may want to set it to
>>>>>> "replace" mode.
>>>>>> Create a UserConfig GPO in the Terminal Server OU and with
>>>>>> only your security group.
>>>>>>> c. On the Security Tab of the GP, added the TS Machine and
>>>>>>> the 'TS Users' Security group with Read & Apply settings
>>>>>> You will want to remove the Authenticated Users group also.
>>>>>>> b. Gpupdate/force on DC
>>>>>>> Problem:
>>>>>>> The edit to the GP does not work...the 'My Computer icon
>>>>>>> remian when I
>>>>>>> login into the TS from the XPP client. I had begun with
>>>>>>> Folder redirection and it wasn't working so I tried
>>>>>>> something simpler.. Resolution?
>>>>>>> Based on what I read in a NG posting, I moved my
>>>>>>> 'Testuser1' user account into the OU with the TS machine
>>>>>>> and the GP works! Everything (most anyway) I researched
>>>>>>> prior to this setup indicated to
>>>>>>> not put the user accounts into the new OU. If I move the
>>>>>>> Security Group I created into the OU (of which TestUser1 is
>>>>>>> a member of) the GP
>>>>>>> does not work...
>>>>>> You do not want to put users in the Terminal Servers OU.
>>>>>> This OU should be for TS servers only, not users.
>>>>>>> What is the correct way to apply a GP to a group of Users,
>>>>>>> such as the
>>>>>>> group 'TS Users'?
>>>>>>> PS I also read article "Understanding Group Policy in a TS
>>>>>>> Environment" in which two GPO are linked to thenew OU -one
>>>>>>> for the machine & one for the user configuration. Is this a
>>>>>>> better method?
>>>>>> I like to do it this way myself. It helps to keep things
>>>>>> simplified.
>>>>>> At least for me.
>>>>>> Basic setup will be:
>>>>>> OU for TS servers
>>>>>> ComputerConfig GPO for TS Servers with Loopback processing
>>>>>> set to replace mode in the Computer Section of the GPO.
>>>>>> UserConfig GPO - remove Authenticated Users, add TS Users
>>>>>> group. - Set all the settings you like in the User section
>>>>>> of the GPO - Start small and add more later.
>>>>>> Add TS Users group to local TS server RDU group.
>>>>>> You should be good to go.
>>>>>> You may want to
>>>>>> checkhttp://www.sessioncomputing.com/how-to.htm also. Loads
>>>>>> of info here.
>>>>>> moncho- Hide quoted text -
>>>>>> - Show quoted text -- Hide quoted text -
>>>>>> - Show quoted text -
>>>>> Thank you both very much for replying. I have the GP working
>>>>> and here are the things I did to make it work. I just do not
>>>>> know what fixed it (made more than one thing or all did):
>>>>> 1. On the GP of the TS OU, I removed Authenticated users from
>>>>> the Security tab (Filtering). I ensured that the TS machine
>>>>> and the 'TS Users' group was listed and had Read/Apply
>>>>> rights.
>>>> This is to stop the GP from applying to a user in the
>>>> Administrator group. You do not want all the restrictions on
>>>> the admin.
>>>>
>>>>> 2. On the GP, checked 'Block Policy Inheritence' -- I read
>>>>> this in another article but do not see it mentioned often so
>>>>> had originally not done this.
>>>>> 3. Made the 'TS Users' group a member of the Local Remote
>>>>> Desktop Users on the TS.
>>>>> 4. Ran gpupdate/force on the TS, not the DC. Did not know
>>>>> this...and not sure I understand why this is done on the TS
>>>>> when the DC has Active Directory.
>>>> You run gpudate /force on the system that you want to update
>>>> (i.e. TS server or desktop). It "grabs" the new policy "from"
>>>> A/D.
>>>>
>>>>
>>>>
>>>>> Question(s):
>>>>> 1. Vera, you mention running 'Resultant Set of Policies'. How
>>>>> is that done specifically -either for a Security group or an
>>>>> individual User? I should know how to do this for future
>>>>> troubleshooting...I have read that you need the Resource Kit
>>>>> to do this?
>>>> You will do this on a machine or individual user. I can be
>>>> done from within the GPMC.
>>>>
>>>> Right Click on Group Policy Results -> Group Policy Results
>>>> Wizard.
>>>>
>>>> If you have Windows Firewall enable on the machine you are
>>>> trying to get the results from, it may block the Wizard. I do
>>>> not know what ports to open for this to work correctly. Maybe
>>>> Vera knows.
>>>>
>>>>
>>>>
>>>>> 2. With regards to setting up separate GPOs, one for the
>>>>> Computer Configuration and one for the Users, what is
>>>>> considered best practice?
>>>> Like I mentioned earlier, I think creating two OU's is better.
>>>> By keeping the Computer Config GPO with loopback processing
>>>> separate, it is easier on other admins (IMHO). I believe this
>>>> should be a best practice if it is not already. To me,
>>>> loopback processing is a "big time" change and should be in
its
>>>> own GPO. Especially for troubleshooting purposes.
>>>>
>>>> moncho- Hide quoted text -
>>>>
>>>> - Show quoted text -
>>> Thanks again. You have both been very helpful!
>>
>> Glad you got it solved. And I believe that the solution was
point
>>> 3. Made the 'TS Users' group a member of the Local Remote
>>> Desktop Users on the TS.
>>
>> That was a good catch, moncho, I missed that!
>
> Thanks Vera. I appreciate that.
>
> I wonder if MS could come up with some way in A/D to just add
users
> to the domain RDU group and be done. That would make life
easier.
> I know there would need to be a way to limit the domain RDU to
> specific machines for security reasons though...
>
> moncho

Well, you can make a habit of adding the domain-wide RDU group to
the local RDU group on every TS, and then add users to the domain-
wide RDU group. But as you say, that's only a more efficient if all
users have access to all Terminal Servers.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: GP/OU Problem/Question

Hi Vera,

There is no domain-wide RDU group, it is actually a builtin-local
group for the DCs. You can't make a local group a member of
another machine's local group.

To accomplish the goal they would need to create a group on the
domain and then make it a member of each terminal server's local
RDU group.

-TP

Vera Noest [MVP] wrote:
> Well, you can make a habit of adding the domain-wide RDU group to
> the local RDU group on every TS, and then add users to the domain-
> wide RDU group. But as you say, that's only a more efficient if all
> users have access to all Terminal Servers.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
 

Similar threads

C
Apple Watch and Fitbit users with heart conditions are more likely to get medical procedures
Replies
0
Views
111
Chris Smith
C
C
Signal exposed Facebook’s terrifying user tracking in the best possible way
Replies
0
Views
106
Chris Smith
C
M
Study saves wolves constantly but quietly save human lives – here’s how
Replies
0
Views
81
Mike Wehner
M
C
WhatsApp launches encrypted backups on iPhone and Android
Replies
0
Views
101
Chris Smith
C
A
Russian hackers are getting even more brazen in the US
Replies
0
Views
83
Andy Meek
A
Back
Top