make domain GP not apply to local computer?

  • Thread starter Thread starter Leythos
  • Start date Start date
L

Leythos

I would like to block a domain GP from applying to the local computer -
I have a user that uses T/S for all the needs, except that they also
take a laptop with them - I don't want the GP to apply when they are
using their laptop - any ideas?
 
Leythos said:
I would like to block a domain GP from applying to the local
computer - I have a user that uses T/S for all the needs, except
that they also take a laptop with them - I don't want the GP to
apply when they are using their laptop - any ideas?
Click to expand...

Don't want the group policies applying to what? The laptop?
If so - don't join the laptop to the domain.
If to the machine they are remoting into - the GPs are already applied to
it..
 
Don't want the group policies applying to what? The laptop?
If so - don't join the laptop to the domain.
If to the machine they are remoting into - the GPs are already applied to
it..
Click to expand...

Let me explain it better:

User has a laptop that is part of the domain, they will connect to the
network three ways:

1) Cabled to the domain, using resources via their laptop as though it
was a workstation in the network.

2) VPN into the domain from a remote location/hotel, accessing resources
like it was connected to the network directly in the office - slow, but
gives full access to all office/network resources.

3) Local or Remote connection to Terminal Server using Remote Desktop.

The problem, and I'm not the one that set this up, is that if the admin
sets up the GP so that users accessing the T/S server can't shut it
down, then they can't shutdown their local laptops.

I've not had time to connect and look at their GPO settings, so I
thought I would ask here so that I could get a head start for Monday.
 
It sounds like the specific setting you talk about is a user right for shut
down the system which is "computer" configuration Group Policy. Group Policy
can be configured so that only authorized users can shut down the TS and
then a different GP can be set for the laptop computers to allow users to
shut down the system. It is usually best to have a TS in a different
Organizational Unit that other domain computers so that it can have it's own
Group Policy linked to the OU and configured as needed for the TS.

For TS often "loopback processing" of Group Policy is used for "user"
configuration in which case the user configuration settings applied to the
GPO for the TS are applied to users logging onto the TS instead of their
normal Group Policy user configuration settings in a merge or replace mode.
The links below explains more on that if that would be helpful and running
rsop.msc on an XP Pro computer or using the Resultant Set of Policy mmc
snapin on Windows 2003 domain controller can show the current Group Policy
settings and what Group Policy is applying them. When running RSOP on a
domain controller in "planning" mode instead of logging mode you can see
what Group Policy settings will apply to a user/computer when loopback
processing is implemented or other scenarios. --- Steve

http://technet2.microsoft.com/WindowsServer/en/Library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;231287&sd=tech ---
applies to Windows 2003 also
 
n9rou@n0-spam-for-me- said:
It sounds like the specific setting you talk about is a user right for shut
down the system which is "computer" configuration Group Policy. Group Policy
can be configured so that only authorized users can shut down the TS and
then a different GP can be set for the laptop computers to allow users to
shut down the system. It is usually best to have a TS in a different
Organizational Unit that other domain computers so that it can have it's own
Group Policy linked to the OU and configured as needed for the TS.

For TS often "loopback processing" of Group Policy is used for "user"
configuration in which case the user configuration settings applied to the
GPO for the TS are applied to users logging onto the TS instead of their
normal Group Policy user configuration settings in a merge or replace mode.
The links below explains more on that if that would be helpful and running
rsop.msc on an XP Pro computer or using the Resultant Set of Policy mmc
snapin on Windows 2003 domain controller can show the current Group Policy
settings and what Group Policy is applying them. When running RSOP on a
domain controller in "planning" mode instead of logging mode you can see
what Group Policy settings will apply to a user/computer when loopback
processing is implemented or other scenarios. --- Steve
Click to expand...

I thought the same thing - I was sure I've setup T/S so that the GP for
T/S users doesn't impact their local system. I've just not had time to
see how they have it actually configured on their network. On Monday
I'll have time to connect in an check it.

Thanks Steve.
 
Cool. Glad to help you jog your memory on what to do. Have fun on
nday. --- Steve
 
Back
Top