Ok, i am stumped on this one, Remove VPN option on TS

  • Thread starter Thread starter Noob
  • Start date Start date
N

Noob

Guest
I need to remove the ability to create VPN connections off of only 1
terminal server.

I know that I can create a new OU and move the TS server to there.
Create a new GPO and make the change to "Network/Network Connections"
section and apply it to that OU. But this is a "User Configuration"
and will not apply to that server because there is no users under that
OU (correct me if I am wrong on that).

I can't apply the new GPO to the users OU because they make other VPN
connection.

So, how do I remove the ability to create VPN connections off of 1
Terminal Server? I have looked under the Local Security Settings but I
am not able to find anything there.

Any help would be welcome
~am a noob~
 
Re: Ok, i am stumped on this one, Remove VPN option on TS

Re: Ok, i am stumped on this one, Remove VPN option on TS

Anyone?
 
Re: Ok, i am stumped on this one, Remove VPN option on TS

Noob wrote:
> I need to remove the ability to create VPN connections off of only 1
> terminal server.
How many TS servers do you have in their own OU?

>
> I know that I can create a new OU and move the TS server to there.
> Create a new GPO and make the change to "Network/Network Connections"
> section and apply it to that OU. But this is a "User Configuration"
> and will not apply to that server because there is no users under that
> OU (correct me if I am wrong on that).
Sure it will apply to users, but only on these specific TS servers.

>
> I can't apply the new GPO to the users OU because they make other VPN
> connection.

You would apply it to the TS server OU.

>
> So, how do I remove the ability to create VPN connections off of 1
> Terminal Server? I have looked under the Local Security Settings but I
> am not able to find anything there.

Just create another GPO and set the security for the specific
TS server computer account.

> Any help would be welcome
> ~am a noob~

moncho
 
Re: Ok, i am stumped on this one, Remove VPN option on TS

To apply the user settings from the GPO which is linked to the OU
which contains the TS machine account, you have to use loopback
processing of the GPO. Normally, you'll want to use it with the
"Replace" option, but in your case you might want to try "Merge"
instead.

Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode"

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Noob <jmacdonald@dmsi.com> wrote on 07 apr 2008 in
microsoft.public.windows.terminal_services:

> I need to remove the ability to create VPN connections off of
> only 1 terminal server.
>
> I know that I can create a new OU and move the TS server to
> there. Create a new GPO and make the change to "Network/Network
> Connections" section and apply it to that OU. But this is a
> "User Configuration" and will not apply to that server because
> there is no users under that OU (correct me if I am wrong on
> that).
>
> I can't apply the new GPO to the users OU because they make
> other VPN connection.
>
> So, how do I remove the ability to create VPN connections off of
> 1 Terminal Server? I have looked under the Local Security
> Settings but I am not able to find anything there.
>
> Any help would be welcome
> ~am a noob~
 
Re: Ok, i am stumped on this one, Remove VPN option on TS

moncho <moncho@NOspmanywhere.com> wrote on 07 apr 2008 in
microsoft.public.windows.terminal_services:

> Noob wrote:
>> I need to remove the ability to create VPN connections off of
>> only 1 terminal server.
> How many TS servers do you have in their own OU?
>
>> I know that I can create a new OU and move the TS server to
>> there. Create a new GPO and make the change to "Network/Network
>> Connections" section and apply it to that OU. But this is a
>> "User Configuration" and will not apply to that server because
>> there is no users under that OU (correct me if I am wrong on
>> that).
> Sure it will apply to users, but only on these specific TS
> servers.

No, it will not, not without loopback processing of the GPO.

Assume that we have a TS-OU, which contains the TS machine accounts
and a TS-GPO linked to it, and we have a Users-OU, with the user
accounts in it and a Users-GPO linked to it.
If a user logs on to a TS, the following will happen:
1) the Computer Configuration settings of the TS-GPO are applied
2) the User Configurations of the TS-GPO are ignored
3) the Computer Configuration settings of the Users-GPO are ignored
4) the User Configuration settings of the User-GPO are applied

This is the default way of applying GPOs. The only way to change
that is to configure loopback processing of the GPO.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: Ok, i am stumped on this one, Remove VPN option on TS

Vera Noest [MVP] wrote:
> moncho <moncho@NOspmanywhere.com> wrote on 07 apr 2008 in
> microsoft.public.windows.terminal_services:
>
>> Noob wrote:
>>> I need to remove the ability to create VPN connections off of
>>> only 1 terminal server.
>> How many TS servers do you have in their own OU?
>>
>>> I know that I can create a new OU and move the TS server to
>>> there. Create a new GPO and make the change to "Network/Network
>>> Connections" section and apply it to that OU. But this is a
>>> "User Configuration" and will not apply to that server because
>>> there is no users under that OU (correct me if I am wrong on
>>> that).
>> Sure it will apply to users, but only on these specific TS
>> servers.
>
> No, it will not, not without loopback processing of the GPO.
My apologies. I made a bad assumption. Oops.

Thanks for the correction.
>
> Assume that we have a TS-OU, which contains the TS machine accounts
> and a TS-GPO linked to it, and we have a Users-OU, with the user
> accounts in it and a Users-GPO linked to it.
> If a user logs on to a TS, the following will happen:
> 1) the Computer Configuration settings of the TS-GPO are applied
> 2) the User Configurations of the TS-GPO are ignored
> 3) the Computer Configuration settings of the Users-GPO are ignored
> 4) the User Configuration settings of the User-GPO are applied
>
> This is the default way of applying GPOs. The only way to change
> that is to configure loopback processing of the GPO.
>
> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287

moncho
 
Re: Ok, i am stumped on this one, Remove VPN option on TS

Re: Ok, i am stumped on this one, Remove VPN option on TS

Cool, never knew about looping gpo's. Learn something new every day.


Thanks for the info.

I will see if I can get this setup and working.

Thank you all for the help.
~Noob~
 
Back
Top