P
Peter
We have a remote office where the users connect using Remote Access
connections to a Windows 2003 Server running Terminal Services in the head
office.
We have a fairly simple policy at the domain level which prevents remote
clients from accessing local disks on the Terminal Server, disables Shutdown
button, some folder redirection for desktop etc.
In the security properties of the policy at the domain level the 'apply
group policy' is set to 'Allow' for a Global Group with the members being
the remote clients.
All the users in the remote office need to use a terminal connection for
certain functions but a handful of workstations also need a full workstation
installation to allow running of some specific local applications plus
connection of scanners, digital cameras etc.
These workstations are about to be upgraded to Windows XP. They will need to
have full access to local disks and shutdown button etc but in my testing I
have been unable to prevent the domain level policy from being applied to
the XP computers. I have created an OU and moved the XP computers into it
and have created a Global group with the XP Computers as members. I have
set up a policy in the OU to be applied to the XP Computers global group. I
have also tried adding the XP Computers Global group to the domain level
policy with deny permissions. I have tried using the 'loopback' option in
the OU's policy all without success.
When I test with resultant set of policies (Planning) both policies are
still being applied.
Essentially what I want to be able to do is have policies in place where a
user can log on to a Windows XP workstation without the domain level policy
being applied but the user can still connect from the same XP computer as a
terminal client and have the domain level policy on the terminal server
apply.
Many Thanks
Peter Moore
connections to a Windows 2003 Server running Terminal Services in the head
office.
We have a fairly simple policy at the domain level which prevents remote
clients from accessing local disks on the Terminal Server, disables Shutdown
button, some folder redirection for desktop etc.
In the security properties of the policy at the domain level the 'apply
group policy' is set to 'Allow' for a Global Group with the members being
the remote clients.
All the users in the remote office need to use a terminal connection for
certain functions but a handful of workstations also need a full workstation
installation to allow running of some specific local applications plus
connection of scanners, digital cameras etc.
These workstations are about to be upgraded to Windows XP. They will need to
have full access to local disks and shutdown button etc but in my testing I
have been unable to prevent the domain level policy from being applied to
the XP computers. I have created an OU and moved the XP computers into it
and have created a Global group with the XP Computers as members. I have
set up a policy in the OU to be applied to the XP Computers global group. I
have also tried adding the XP Computers Global group to the domain level
policy with deny permissions. I have tried using the 'loopback' option in
the OU's policy all without success.
When I test with resultant set of policies (Planning) both policies are
still being applied.
Essentially what I want to be able to do is have policies in place where a
user can log on to a Windows XP workstation without the domain level policy
being applied but the user can still connect from the same XP computer as a
terminal client and have the domain level policy on the terminal server
apply.
Many Thanks
Peter Moore