Applying Group Policy to few users on Terminal server that is a DC

  • Thread starter Thread starter SDBolts
  • Start date Start date
S

SDBolts

Guest
Hello all,

I'm setting up a small office that will only have one server that will act
as a DC and the Terminal server. I want to lock down a group of users
terminal service desktop, to allow only two application they can use. Here
is my problem, I have found some articles that got me close.
http://support.microsoft.com/kb/260370 is one have got me the closest, but
when I use Method 2 of this article, it also locks down the Administrator's
desktop on both terminal and console desktops.

Here are the steps I have taken:
1. Created a new GPO (with all the User Configuration settings needed) on
the Domain Controller's OU
2. I enable the loopback processing (tried both merge and replace modes) on
that GPO
3. Then I add the DC's computer account to the GPO

This all works great, the Terminal session Desktops get complete locked
down. But is also locks down the administrators desktop on both terminal and
console sessions.

So trying to fix this, ...

4. I go into the properties of the GPO, click on security, then add the
administrators group, then give the Deny "Apply Group Policy" permission to
the administrators group.

This works but also disables the GPO for all users. So I can get the GPO
working for all accounts or for none of them. What am i doing wrong, i just
need this GPO to apply to a select group of users???

Thanks for your time and help,
--
Nick H. MCSE,CCNA
 
RE: Applying Group Policy to few users on Terminal server that is a DC

Sorry by the way. Its a Windows 2003 Standard Server with SP3
--
Nick H. MCSE,CCNA


"SDBolts" wrote:

> Hello all,
>
> I'm setting up a small office that will only have one server that will act
> as a DC and the Terminal server. I want to lock down a group of users
> terminal service desktop, to allow only two application they can use. Here
> is my problem, I have found some articles that got me close.
> http://support.microsoft.com/kb/260370 is one have got me the closest, but
> when I use Method 2 of this article, it also locks down the Administrator's
> desktop on both terminal and console desktops.
>
> Here are the steps I have taken:
> 1. Created a new GPO (with all the User Configuration settings needed) on
> the Domain Controller's OU
> 2. I enable the loopback processing (tried both merge and replace modes) on
> that GPO
> 3. Then I add the DC's computer account to the GPO
>
> This all works great, the Terminal session Desktops get complete locked
> down. But is also locks down the administrators desktop on both terminal and
> console sessions.
>
> So trying to fix this, ...
>
> 4. I go into the properties of the GPO, click on security, then add the
> administrators group, then give the Deny "Apply Group Policy" permission to
> the administrators group.
>
> This works but also disables the GPO for all users. So I can get the GPO
> working for all accounts or for none of them. What am i doing wrong, i just
> need this GPO to apply to a select group of users???
>
> Thanks for your time and help,
> --
> Nick H. MCSE,CCNA
 
Re: Applying Group Policy to few users on Terminal server that is a DC

Are your users administators as well? It sounds like they are......

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"SDBolts" <SDBolts@discussions.microsoft.com> wrote in message
news:40DA00D4-C128-432D-A79A-1A3C82D8E280@microsoft.com...
> Hello all,
>
> I'm setting up a small office that will only have one server that will act
> as a DC and the Terminal server. I want to lock down a group of users
> terminal service desktop, to allow only two application they can use.
> Here
> is my problem, I have found some articles that got me close.
> http://support.microsoft.com/kb/260370 is one have got me the closest, but
> when I use Method 2 of this article, it also locks down the
> Administrator's
> desktop on both terminal and console desktops.
>
> Here are the steps I have taken:
> 1. Created a new GPO (with all the User Configuration settings needed) on
> the Domain Controller's OU
> 2. I enable the loopback processing (tried both merge and replace modes)
> on
> that GPO
> 3. Then I add the DC's computer account to the GPO
>
> This all works great, the Terminal session Desktops get complete locked
> down. But is also locks down the administrators desktop on both terminal
> and
> console sessions.
>
> So trying to fix this, ...
>
> 4. I go into the properties of the GPO, click on security, then add the
> administrators group, then give the Deny "Apply Group Policy" permission
> to
> the administrators group.
>
> This works but also disables the GPO for all users. So I can get the GPO
> working for all accounts or for none of them. What am i doing wrong, i
> just
> need this GPO to apply to a select group of users???
>
> Thanks for your time and help,
> --
> Nick H. MCSE,CCNA
 

Similar threads

K
Windows 10 Edge browser as default browser through Group Policy not applying over VPN only, rest all applied successfully
Replies
0
Views
188
KV PRAKASH
K
T
Windows Server OS (2008, 2012, 2016) continues to use the old DNS addresses
Replies
0
Views
272
Todd Eichmann
T
C
Windows 7 Diagnosing and debugging Group Policy failures
Replies
0
Views
234
cjm51213_
C
S
Windows 10 Issue creating desktop shortcut thru GPO (AD, Windows 10 workstations)
Replies
0
Views
243
SteveBinReno
S
A
Mark Zuckerberg is about to ruin Facebook for the last group of people who don’t hate it yet
Replies
0
Views
126
Andy Meek
A
Back
Top