Assiging Group Policy to 1 GROPUP

[Guest]

Im trying to install a group policy (or use poledit) to lock down settings
for users using Terminal Server within Windows 2000. When i modify the policy
it applies to the Administrators group which i do not want it to do.

I have Win2000 Server in a domain non-active directory. Im trying to assign
this policy to users from the doman that will be accessing the Terminal
Server on this system.

Thnaks in advance.

 

[Bruce Sanderson]

I'm a bit confused; Group Policies, by definition require an Active
Directory (Windows 2000 or 2003) domain. So what does "a domain non-active
directory" mean?

See if any of these articles helps:
http://support.microsoft.com/kb/192794/ - about policies for TS in NT 4
domain
http://support.microsoft.com/?kbid=260370 - about Group Policies for TS in
AD domain (see in particular "Method 2")

 

[Guest]

This is a server in a domain config but its not in a active directory model.
Basicly what im trying to do is assign users from the domain to a group on
this server and lock that 1 group down (disable run, shutdown etc) when they
user Terminal Services.

Is this possible ?

 

[lforbes]

This is a server in a domain config but its not in a active directory

model.

Hi,

You can’t have a "Domain config" without Active Directory installed
unless
You are running NT 4 and the server you refer to is just a Windows
2000 Member Server in the domain (like a workstation). In the case of
NT 4.0 domain you would need to use poledit.

If you are running a Windows 2000 Domain then you have an Active
Directory Model because AD is the essence of the Domain. In this case
you can use Group Policies and put the Domain Users in an OU and apply
the Group Policy to it. (GP’s don’t apply to groups)

Cheers,

Lara

 

[Guest]

ok thats where i was confused... so when using GPO i set the policy i want to
excude the Administrators group from inheriting the policy. does anyone know
how to do this ?

 

[pscyime]

Hi

put the users you want it to apply to in an OU and link the gpo there or put them in a group and use the security filtering to apply it to that group

Voila!

Si

 

[Guest]

does this apply to Local Computer Policy as well ?

 

[lforbes]

ok thats where i was confused... so when using GPO i set the policy i

want to excude the Administrators group from inheriting the policy.
does anyone know how to do this ?

Hi,

You just create an OU and put the users in that OU. Create a GPO on
that OU and make the settings. The Settings will only apply to the
users in that OU. I have 2400 Users in two domains. I have never
needed to set security on my GPO’s because I just organize via OU. I
just have an Upper level OU for Administrators and it doesn’t have
any GPO’s on it. I don’t set any "restrictive" settings at all in
the Default Domain Policy. I use custom GPO’s instead.

Why do you want to set any Local Computer settings? They get
overridden by the domain anyway. Computer settings are usually not
the ones that are restrictive. Ususally it is the User Configuration
settings where all the lockdown is done.

My users are pretty much locked down as tight as possible with NTFS
and Group Policies.

What specific settings are you looking at? Maybe if you post them I
can be more specific.

Cheers,

Lara

 

[Bruce Sanderson]

If you want different User Configuration settings to apply when users log on
to a Terminal Server as opposed to a workstation, use Loopback processing
and put the settings into the User Configuration part of a GPO that is
applied to the OU containing the Terminal Server computer accounts - see
http://support.microsoft.com/?kbid=260370 for information about Loopback
processing. The local Administrators group on the Terminal Server can not
be used to control what users get or don't get the GPO settings; you need to
have a Domain Group that has all of the "Terminal Servers administrators"
domain user accounts in it - the existing Domain Admins might do for this,
but you probably want to have a Domain group that specifically contains the
user accounts you want to be "administrators" on the Terminal Server. Add
this domain group to the local Administrators group rather than individual
domain user accounts. Then, deny this Domain group the Apply GPO
permission:

1. open GPMC
2. click on the GPO that has user settings you don't want administrators to
have
3. select the Delegation tab in the right pane
4. click Advanced... (bottom right of GPMC's right pane)
5. if the group containing the Terminal Server's administrator user accounts
is not present in the list, click Add and add it
6. select the Terminal Servers administrators group
7. remove the check mark from Allow column on the Apply Group Policy row
8. add a check mark to the Deny column on the Apply Group Policy row
9. click OK

If you want exactly the same settings to apply to users whether they log on
to a Terminal Server, a workstation or some other server, then do as lforbes
suggests and segregate the administrator user accounts into a different OU
that does not have the GPO with the User Configuration settings applied.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.