Re: Restrict PC desktop, but not TS session desktop
Yes, that's correct, Simeon.
When users log on to their PCs, they are affected by the Computer
settings in any policies that apply to their PCs (like domain wide
policies) + the User settings in the GPO linked to the Department
OU. This is the normal application of GPOs. So you can restrict them
in these GPOs.
When users then connect to the TS (which has a GPO including the
loopback processing setting), they are affected by the Computer
settings *AND* the User settings from the GPO linked to the TS OU.
So here you configure Office and whatever other settings you want
on the TS, both Computer and User Configuration.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"SimeonD" <simeond@nospam.nospam> wrote on 11 aug 2008 in
microsoft.public.windows.terminal_services:
> To get this clear in my head:
> The way my AD is configured is as follows, with all users in a
> Department. Let's call it Dept1 for this example. Each Dept has a
> GPO. There is a GPO for the top level Terminal Servers group.
> So something like:
>
> Departments
> Dept1
> Dept2
> Dept3
> Terminal Servers
> Term01
> Term02
> Term03
> Term04
>
> At the moment, the Dept1 GPO has all the settings for MS Office,
> and some other programs
> The TS GPO has settings for the Terminal Server, including MSI
> installs and some other stuff.
>
> If I use loopback, I should
> 1) Move the MS Office settings from Dept1 to the TS GPO.
> 2) In the Dept1 GPO, enable the options to restrict the
> desktop and Start Menu
> 3) In the TS GPO, "loopback processing" with the "Replace"
> option.
>
> Am I right in this? I think I'm right on 2 + 3 above, it's which
> settings I have to move that I'm unsure of.
>
> Thanks
> Simeon
>
>
> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote
> in message
> news:Xns9AF7A65989496veranoesthemutforsse@207.46.248.16...
>> You can create a GPO linked to the TS *without* the
>> restrictions, and then configure this GPO to use "loopback
>> processing" with the "Replace" option.
>> That makes sure that your users are not affected by the GPO
>> which locks down their workstation logons.
>>
>> 231287 - Loopback Processing of Group Policy
>> http://support.microsoft.com/?kbid=231287
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> *----------- Please reply in newsgroup -------------*
>>
>>
>> "SimeonD" <simeond@nospam.nospam> wrote on 11 aug 2008:
>>
>>> That is true! But won't that also hide it in the TS session
>>> desktop also? Or is there a way to apply this to the PC, but
>>> not to the TS? The Policy I'm looking at is in
>>> User Configuration\Admin Templates\Start Menu and Taskbar
>>> It seems to have all the options I need, but I don't see how
>>> to apply it to the PC only.
>>>
>>> Thanks for your help
>>>
>>>
>>>
>>>
>>> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
>>> news:O46%23a55%23IHA.1184@TK2MSFTNGP04.phx.gbl...
>>>> Group Policy can do this pretty easily.
>>>>
>>>> --
>>>> Jeff Pitsch
>>>> Microsoft MVP - Terminal Services
>>>>
>>>> "SimeonD" <simeond@nospam.nospam> wrote in message
>>>> news:uMtSAX5%23IHA.3756@TK2MSFTNGP03.phx.gbl...
>>>>> Hi
>>>>> When the user logs onto their PC, the script then logs them
>>>>> onto a Terminal Server session. I'd like to make sure there
>>>>> is nothing on the PC desktop, and only 'Printer' icon on the
>>>>> Start Menu. Any programs should be run via the Terminal
>>>>> Server. Is there a 'best way' to do this?
>>>>> Thanks
>>>>> Simeon
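
Added example, not part of the original thread: a simplified Python model of the behaviour described in the replies above, showing which GPOs supply User settings at the PC and at the Terminal Server with no loopback, Merge, and Replace. The OU names follow the thread; the `Workstations` OU, the setting names and the GPO contents are constructed, and inheritance, enforcement and security filtering are ignored.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration
    user: dict = field(default_factory=dict)      # User Configuration

def build_links(loopback=None):
    """OU -> linked GPOs. Setting names and values are constructed samples."""
    dept1 = GPO("Dept1 GPO", user={"HideDesktopIcons": True, "StartMenu": "Printers only"})
    ts = GPO("TS GPO", computer={"Loopback": loopback}, user={"OfficeSettings": "configured"})
    # "Workstations" is a hypothetical OU for the PCs; the thread does not name one.
    return {"Departments/Dept1": [dept1], "Terminal Servers": [ts], "Workstations": []}

def merged(gpos, side):
    """Apply GPOs in order; a later GPO wins on a conflicting setting."""
    out = {}
    for gpo in gpos:
        out.update(getattr(gpo, side))
    return out

def effective_user_settings(user_ou, computer_ou, links):
    user_gpos, computer_gpos = links[user_ou], links[computer_ou]
    mode = merged(computer_gpos, "computer").get("Loopback")
    if mode == "Replace":
        # Only GPOs that apply to the computer supply User settings.
        return merged(computer_gpos, "user")
    if mode == "Merge":
        # User's own GPOs first, then the computer's GPOs, which win conflicts.
        return merged(user_gpos + computer_gpos, "user")
    return merged(user_gpos, "user")  # normal processing

if __name__ == "__main__":
    for mode in (None, "Merge", "Replace"):
        links = build_links(mode)
        for computer_ou in ("Workstations", "Terminal Servers"):
            result = effective_user_settings("Departments/Dept1", computer_ou, links)
            print(f"loopback={mode!s:8} logon at {computer_ou:17} -> {sorted(result)}")
```

In this model, Merge carries the Dept1 desktop restrictions into the TS session, while Replace leaves only the TS GPO's User settings there.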