Re: Locking down local desktops question
On Mar 3, 9:43 am, "Vera Noest [MVP]" <Vera.No...@remove-
this.hem.utfors.se> wrote:
> compsos...@gmail.com wrote on 03 mar 2008:
>
> > On Feb 29, 2:52 pm, "Vera Noest [MVP]" <vera.no...@remove-
> > this.hem.utfors.se> wrote:
> >> I would definitively use your method 2, i.e. place the computer
> >> accounts for the XP clients in a separate OU and create a
> >> separate GPO linked to this OU to lock them down.
>
> >> Sooner or later, you will probably want to have one or more
> >> settings which are different on the TS and the XP clients, and
> >> by creating different GPOs from the beginning, you have this
> >> flexibility.
>
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
>
> >> compsos...@gmail.com wrote on 29 feb 2008 in
> >> microsoft.public.windows.terminal_services:
>
> >> > In a test environment, we have set up an SBS2000 DC with a
> >> > Windows 2003 TS and XP Pro clients. We have successfully
> >> > applied a GPO to the OU that contains the TS for the
> >> > Testusers and the TS desktop is locked down, with the
> >> > exception of a few items we cannot remove using a Windows 2000
> >> > GP editor. We followed the standard procedure of moving the
> >> > TS into its own OU, adding the Testusers group to the
> >> > Security, removing 'Authenticated Users' from Security,
> >> > adding the TS machine to the Security. We also enabled
> >> > "loopback processing" with the 'Replace' option.
>
> >> > On the XP Pro clients, the Testusers have no reason to use
> >> > any local resources as they only use what we give them on the
> >> > TS. So, since loopback policy is enabled with the "Replace"
> >> > option it has freed up the local desktop environment. We
> >> > would also like to lock these down so that the users cannot
> >> > get into Windows Explorer, Internet (we blocked with proxy
> >> > setting), My Computer, and if they stick in a flash drive it
> >> > does not read it, etc. They do not print anything locally.
>
> >> > How is the best way to approach locking down the local
> >> > desktops? There will be (10) computers involved.
>
> >> > 1. For instance, do we not use the 'Replace' option on
> >> > loopback processing?
>
> >> > 2. And/or do we put the (10) XP desktops into their own OU
> >> > and create a GP just for them?
>
> >> > Thanks
>
> > I am having a problem getting any GPO settings to take effect
> > for controlling the local desktop environment on a "test
> > computer". The GPO for logging into the TS is working fine as
> > the TS desktop is restricted the way we want it to be.
>
> > Here is what we tried:
>
> > 1. Created an OU called TSClientPCs.
> > 2. Moved an XP Pro workstation from the "Computers" container
> > into this new OU.
> > 3. Created a new GPO (called gpoTSClients) for this OU and
> > checked "Block Policy Inheritance."
> > 4. On the Security Tab of this GPO, the following is listed:
> > Domain Admins (Deny Policy); System; TS Users (read/apply
> > policy) & XPP1VD (the workstation's desktops we are trying to
> > customize/restrict --set to Read/Apply Policy)
> > 5. We are logging into the domain on the XPP1VD workstation with
> > a User Account that is in the 'TS Users' group.
> > 6. In the User Configuration of the GPO in Step 3, as a test, we
> > tried to remove the "Run" command from the Start Menu.
>
> > 7. We ran gpupdate /force on the DC and on the XP workstation.
> > 8. We rebooted the workstation.
>
> > 9. The configuration/restriction in Step 6 did not work.
>
> > Why is this not working?
>
> Because you configure a User setting in a GPO which is linked to an
> OU which contains a computer.
>
> For this to work, you need either to use loopback processing of the
> GPO, or you need to configure the User setting in a GPO which is
> linked to the OU which contains the user account.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
OK, we figured out that if we put the "User setting in a GPO which is
linked to the OU which contains the user account," it works. But since
we do not want to move the User accounts into their own OU, we are
trying to "use loopback processing of the GPO" for the 'TSClientPCs'
OU that currently contains (1) XP Pro workstation. For clarification,
we have a couple of questions:
1. For the GPO linked to the TSClientPCs OU, what should be listed on
the Security Tab? We have, with read/apply policy, the following:
   System (Read, Write, Create, Delete only)
   TS Users (Read, Apply) - member of Remote Desktop Users
   XPP1 (Read/Apply) - this is the workstation whose local desktop we
   want to control for any TS User.
   Domain Admin (Deny)
We removed the "Authenticated Users".
We checked "Block Policy Inheritance".
Note: this structure of the Security Tab is identical to the one we
have for the GPO on the OU which contains the TS.
Does this look correct? Do we need to implement any "Override
settings"?
2. When we make changes to this GPO, how do we force the changes - on
the DC or the workstation?
Thanks again.
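The loopback setup discussed in this thread (a GPO linked to a computer OU whose User settings should apply to whoever logs on to those computers) can be audited from PowerShell, which also answers the two closing questions: the GPO's security filtering must give both the computer account and the user group Read and Apply, and the refresh that matters happens on the client, not the DC. The script below is an added example, not code from the thread or from Vera Noest. It assumes the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later (it would not run on the Windows 2000/2003 machines in the thread), and the GPO, computer and group names are placeholders taken from the thread. One caveat worth knowing before relying on it: in Replace mode the user settings come only from the GPOs the computer itself applies, so with "Block Policy Inheritance" set on the OU, any User settings from domain-level GPOs stop applying on those workstations.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the thread. Audits a GPO intended to lock down the user
# environment on the computers in an OU via loopback processing, then refreshes the
# client. GPO/computer/group names are placeholders; the GroupPolicy module
# (GPMC/RSAT on Windows Server 2008 R2 or later) is assumed to be present.

function Test-LoopbackGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,       # e.g. 'gpoTSClients'
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. 'XPP1'
        [Parameter(Mandatory)] [string] $UserGroup      # e.g. 'TS Users'
    )

    $report = [ordered]@{
        Gpo                     = $GpoName
        LoopbackMode            = 'Not configured'
        ComputerHasApply        = $false
        UserGroupHasApply       = $false
        AuthenticatedUsersApply = $false
        DenyEntries             = @()
    }

    # 1. Loopback mode. "User Group Policy loopback processing mode" is stored in the
    #    GPO under HKLM\Software\Policies\Microsoft\Windows\System, value UserPolicyMode
    #    (REG_DWORD: 1 = Merge, 2 = Replace). Without it, User settings in a GPO linked
    #    to a computer OU are ignored for users whose accounts live elsewhere.
    try {
        $mode = Get-GPRegistryValue -Name $GpoName `
                    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                    -ValueName 'UserPolicyMode' -ErrorAction Stop
        $report.LoopbackMode = switch ($mode.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown value $($mode.Value)" }
        }
    } catch {
        # Get-GPRegistryValue errors when the value is absent: loopback is not set here.
    }

    # 2. Security filtering. The computer account (Computer side plus loopback) and the
    #    user group (User side) both need Read + Apply, which Get-GPPermission reports
    #    as the single level 'GpoApply'. 'GpoEdit' is not enough: edit rights do not
    #    include "Apply group policy".
    foreach ($ace in Get-GPPermission -Name $GpoName -All) {
        $trustee = ($ace.Trustee.Name -split '\\')[-1]   # strip DOMAIN\ if present

        if ($ace.Denied) {
            # A Deny that covers Read (rather than only Apply) also keeps those admins
            # from opening the GPO in GPMC; deny only "Apply group policy" for exemptions.
            $report.DenyEntries += "$trustee denied $($ace.Permission)"
            continue
        }
        if ($ace.Permission -ne 'GpoApply') { continue }

        if (($trustee -replace '\$$', '') -eq $ComputerName) { $report.ComputerHasApply = $true }
        if ($trustee -eq $UserGroup)                         { $report.UserGroupHasApply = $true }
        if ($trustee -eq 'Authenticated Users')              { $report.AuthenticatedUsersApply = $true }
    }

    [pscustomobject]$report
}

function Update-ClientPolicy {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # GPO edits are saved on the DC and replicate on their own; the refresh that
    # matters runs on the client that processes the policy. User-side settings such
    # as Start Menu restrictions are applied at logon, so a logoff/logon follows.
    # On clients too old for Invoke-GPUpdate, run "gpupdate /force" locally instead.
    Invoke-GPUpdate -Computer $ComputerName -Force -RandomDelayInMinutes 0
}

# Usage with the placeholder names from the thread:
$r = Test-LoopbackGpo -GpoName 'gpoTSClients' -ComputerName 'XPP1' -UserGroup 'TS Users'
$r | Format-List
if ($r.LoopbackMode -eq 'Not configured') {
    Write-Warning 'Loopback processing is not enabled; the User settings will not apply on these computers.'
}
if (-not $r.ComputerHasApply) {
    Write-Warning 'The workstation account lacks Read/Apply on the GPO.'
}
Update-ClientPolicy -ComputerName 'XPP1'
```

Run it from a machine with GPMC installed using an account that can read the GPO. A healthy result for the setup in the thread is LoopbackMode = Replace, ComputerHasApply and UserGroupHasApply both True, AuthenticatedUsersApply False, and a single Deny entry for the admin group that covers Apply only.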