Steve Jacobs
I have a Win2k3 domain with 2 DCs, running AD. The Term Svr is one of the 2
DCs. When I promoted it to be the second DC, a window appeared to explain
to me that this would remove all local accounts, and consequently disable
Terminal Services functionality. If I wanted to continue using Terminal
Services, I'd have to configure Group Policy to allow it.
SO, I ventured into the big, intimidating world of Group Policy. I've
currently got a policy called Terminal Services Permissions. I created an
OU called Terminal Services, and placed 3 domain users in a Global Security
Group called Terminal Services Users, which I placed in the Terminal
Services OU. Two of those 3 users are domain admins. The third user, named
ptest (policy test), is a domain user, and a member of no other groups.
The policy has set:
'User Config / Admin Templates / Start Menu / Remove and Prevent Access to
the Shutdown Command' enabled.
I've applied the policy to the Terminal Services Users OU. In the
properties of the Terminal Services Permissions policy, I changed the
permissions on Domain Admins to DENY for 'Apply Group Policy'.
NOW, here's the problem I have:
The policy does not seem to take effect on anybody at all. It doesn't
affect users in the Term Srvcs Users group, whether or not they are also in
the admin group.
BUT IF I also link the policy to the entire domain, then it works. WHY does
the policy need to be linked to the entire domain? AND, if this is in fact
the right way to do this, can I eliminate the Terminal Services OU and
group I've created?
Thanks,
Steve