disable shutdown for specific group in Terminal Services


Steve Jacobs

I have a Win2k3 domain with 2 DCs, running AD. The Term Svr is one of the 2
DCs. When I promoted it to be the second DC, a window appeared to explain
to me that this would remove all local accounts, and consequently disable
Terminal Services functionality. If I wanted to continue using Terminal
Services, I'd have to configure Group Policy to allow it.

SO, I ventured into the big, intimidating world of Group Policy. I've
currently got a policy called Terminal Services Permissions. I created an
OU called Terminal Services, and placed 3 domain users in a Global Security
Group called Terminal Services Users, which I placed in the Terminal
Services OU. Two of those 3 users are domain admins. The third user, named
ptest (policy test), is a domain user, and a member of no other groups.

The policy has set:
'User Config / Admin Templates / Start Menu / Remove and Prevent Access to
the Shutdown Command' enabled.

I've applied the policy to the Terminal Services Users OU. In the
properties of the Terminal Services Permissions policy, I changed the
permissions on Domain Admins to DENY for 'Apply Group Policy'.

NOW, here's the problem I have:

The policy does not seem to take effect on anybody at all. It doesn't
affect users in the Term Srvcs Users group, whether or not they are also in
the admin group.

BUT IF I also link the policy to the entire domain, then it works. WHY does
the policy need to be linked to the entire domain? AND, if this is in fact
the right way to do this, can I eliminate the Terminal Services OU and
group I've created?

Thanks,
Steve
 
Hello Steve.

The user or computer needs to be located within the OU. In your case, there
was simply a group located in the OU--policies are not applied to group
objects.

You have the choice to either move the user(s) to the OU which the policy is
linked to, or configure loopback processing and move the Terminal Server's
computer account to the OU:
260370 How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?id=260370

220822 Group Policy Objects Applied to Organizational Units Containing Only
http://support.microsoft.com/?id=220822

816100 HOW TO: Prevent Domain Group Policies from Applying to Administrator
http://support.microsoft.com/?id=816100

David Fisher
Enterprise Platform Support
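
A check for the misconfiguration described in this thread, as an added example that is not part of either post: it lists which members of the intended group actually sit under the OU the GPO is linked to. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the function name `Get-GpoUserReach` is hypothetical, and the `DC=example,DC=com` part of the OU path is a placeholder because the thread does not give the domain name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GpoUserReach {
    param(
        [Parameter(Mandatory = $true)] [string] $LinkedOuDn,  # OU the GPO is linked to
        [Parameter(Mandatory = $true)] [string] $GroupName    # group the policy was meant for
    )

    # User Configuration settings are processed for user objects located under
    # the link (the OU subtree). A group object placed in the OU brings none of
    # its members into scope.
    $suffix = ",$LinkedOuDn"

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                User              = $_.SamAccountName
                InLinkedOu        = $_.distinguishedName.EndsWith(
                                        $suffix, [System.StringComparison]::OrdinalIgnoreCase)
                DistinguishedName = $_.distinguishedName
            }
        }
}

# Placeholder domain components; OU and group names are the ones used in the thread.
$ou     = 'OU=Terminal Services,DC=example,DC=com'
$report = @(Get-GpoUserReach -LinkedOuDn $ou -GroupName 'Terminal Services Users')
$report | Format-Table -AutoSize

# Members located outside the OU never receive the GPO's user settings
# through this link, regardless of group membership.
$missed = @($report | Where-Object { -not $_.InLinkedOu })
if ($missed.Count -gt 0) {
    Write-Warning ("{0} group member(s) are outside the linked OU: {1}" -f
        $missed.Count, (($missed | ForEach-Object { $_.User }) -join ', '))
}

# The loopback alternative needs the Terminal Server's computer account
# under the OU instead, so report what computer accounts are there.
$computers = @(Get-ADComputer -Filter * -SearchBase $ou -SearchScope Subtree)
"Computer accounts under the OU (loopback option): $($computers.Count)"
```

To confirm the result for a single account after moving it, `gpresult /user ptest /scope user /v` run on the Terminal Server lists the GPOs that were applied to that user.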
 