Applying GP to Users in a Terminal Server

Bob Feller

I have a user that has created a group in Active Directory. There is
an application on a terminal server that he wants the people in this
group to have access to this app and nothing else. Is there anything
special I need to do to implement this in a Terminal Server
environment? My plan is, and correct me if it's wrong (which is why
I'm posting here) to open gpedit on the Terminal Server, and go from
there. I want to know how to assign the rights to this specific group.


Thanks
 
Gpedit.msc will apply to ALL users that log on to that computer unless there is
an overriding GPO at the domain/OU level for the same defined settings. You
might want to consider putting those users in an OU with a GPO having user
configuration defined for those users. Then for instance you can configure the
allowed Windows application to contain only that application [user
configuration/administrative templates/system]. However those users would have
the same restrictions on any computer they log on to if they log on to other
domain computers with the same domain accounts. --- Steve
 
Also, the Computer Configuration, Administrative Templates, System, Group
Policy, "User Group Policy loopback processing mode" is useful for Terminal
Servers.

If this setting is enabled in a GPO that is linked to the OU containing the
Terminal Server computer and there is a GPO with User Configuration settings
in it linked to the OU containing the Terminal Server computer, the Group
Policy mechanism will also apply those User Configuration settings when the
user logs on to one of the computers in that OU.

This allows you to have different User Configuration settings for different
sets of computers (e.g. Terminal Servers in one set, workstations in
another). See
http://support.microsoft.com/default.aspx?scid=kb;en-us;260370 (also applies
to Terminal Services on Windows 2003 Server).

--
Bruce Sanderson MVP

It is perfectly useless to know the right answer to the wrong question.


Steven Umbach said:
Gpedit.msc will apply to ALL users that log on to that computer unless there is
an overriding GPO at the domain/OU level for the same defined settings. You
might want to consider putting those users in an OU with a GPO having user
configuration defined for those users. Then for instance you can configure the
allowed Windows application to contain only that application [user
configuration/administrative templates/system]. However those users would have
the same restrictions on any computer they log on to if they log on to other
domain computers with the same domain accounts. --- Steve


Bob Feller said:
I have a user that has created a group in Active Directory. There is
an application on a terminal server that he wants the people in this
group to have access to this app and nothing else. Is there anything
special I need to do to implement this in a Terminal Server
environment? My plan is, and correct me if it's wrong (which is why
I'm posting here) to open gpedit on the Terminal Server, and go from
there. I want to know how to assign the rights to this specific group.


Thanks
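
The two replies above combined into one setup, as an added example that is not from any poster in this thread: one GPO enables loopback on the Terminal Server OU, and a second GPO carries the User Configuration restriction and is security-filtered to the group. It assumes the GroupPolicy PowerShell module (shipped with later Windows Server versions than the thread discusses); the GPO names, OU path, group and executable name are placeholders.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
Import-Module GroupPolicy

$TsOu        = 'OU=Terminal Servers,DC=example,DC=com'   # OU holding the TS computer account
$Group       = 'EXAMPLE\TS-App-Users'                    # the AD group the user created
$AppExe      = 'app.exe'                                 # the one allowed application
$LoopbackGpo = 'TS - Loopback'
$UserGpo     = 'TS - Single App Users'

# GPO 1: computer setting, applied by the Terminal Server itself.
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
New-GPO -Name $LoopbackGpo | Out-Null
Set-GPRegistryValue -Name $LoopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $LoopbackGpo -Target $TsOu -LinkEnabled Yes | Out-Null

# GPO 2: user settings, only processed on computers in $TsOu because of loopback.
# "Run only specified Windows applications" is RestrictRun plus a list subkey.
New-GPO -Name $UserGpo | Out-Null
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $UserGpo -Key $explorer `
    -ValueName 'RestrictRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $UserGpo -Key "$explorer\RestrictRun" `
    -ValueName '1' -Type String -Value $AppExe | Out-Null
New-GPLink -Name $UserGpo -Target $TsOu -LinkEnabled Yes | Out-Null

# Security filtering: only the group applies GPO 2. Authenticated Users is
# downgraded to Read (not removed) so the computer account can still read the GPO.
Set-GPPermission -Name $UserGpo -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Check the result before relying on it.
Get-GPPermission -Name $UserGpo -All | Select-Object Trustee, Permission
```

Because the restriction lives in a GPO linked to the Terminal Server OU, members of the group are not restricted when they log on to other domain computers. The "run only specified applications" setting only limits programs started from Windows Explorer, so it should not be the sole control separating these users from the rest of the server.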
 