make domain GP not apply to local computer?

L

Leythos

I would like to block a domain GP from applying to the local computer -
I have a user that uses T/S for all the needs, except that they also
take a laptop with them - I don't want the GP to apply when they are
using their laptop - any ideas?
 
S

Shenan Stanley

Leythos said:
I would like to block a domain GP from applying to the local
computer - I have a user that uses T/S for all the needs, except
that they also take a laptop with them - I don't want the GP to
apply when they are using their laptop - any ideas?
Click to expand...

Don't want the group policies applying to what? The laptop?
If so - don't join the laptop to the domain.
If to the machine they are remoting into - the GPs are already applied to
it..
 
L

Leythos

Don't want the group policies applying to what? The laptop?
If so - don't join the laptop to the domain.
If to the machine they are remoting into - the GPs are already applied to
it..
Click to expand...

Let me explain it better:

User has a laptop that is part of the domain, they will connect to the
network three ways:

1) Cabled to the domain, using resources via their laptop as though it
was a workstation in the network.

2) VPN into the domain from a remote location/hotel, accessing resources
like it was connected to the network directly in the office - slow, but
gives full access to all office/network resources.

3) Local or Remote connection to Terminal Server using Remote Desktop.

The problem, and I'm not the one that set this up, is that if the admin
sets up the GP so that users accessing the T/S server can't shut it
down, then they can't shutdown their local laptops.

I've not had time to connect and look at their GPO settings, so I
thought I would ask here so that I could get a head start for Monday.
 
S

Steven L Umbach

It sounds like the specific setting you talk about is a user right for shut
down the system which is "computer" configuration Group Policy. Group Policy
can be configured so that only authorized users can shut down the TS and
then a different GP can be set for the laptop computers to allow users to
shut down the system. It is usually best to have a TS in a different
Organizational Unit that other domain computers so that it can have it's own
Group Policy linked to the OU and configured as needed for the TS.

For TS often "loopback processing" of Group Policy is used for "user"
configuration in which case the user configuration settings applied to the
GPO for the TS are applied to users logging onto the TS instead of their
normal Group Policy user configuration settings in a merge or replace mode.
The links below explains more on that if that would be helpful and running
rsop.msc on an XP Pro computer or using the Resultant Set of Policy mmc
snapin on Windows 2003 domain controller can show the current Group Policy
settings and what Group Policy is applying them. When running RSOP on a
domain controller in "planning" mode instead of logging mode you can see
what Group Policy settings will apply to a user/computer when loopback
processing is implemented or other scenarios. --- Steve

http://technet2.microsoft.com/WindowsServer/en/Library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;231287&sd=tech ---
applies to Windows 2003 also
 
L

Leythos

n9rou@n0-spam-for-me- said:
It sounds like the specific setting you talk about is a user right for shut
down the system which is "computer" configuration Group Policy. Group Policy
can be configured so that only authorized users can shut down the TS and
then a different GP can be set for the laptop computers to allow users to
shut down the system. It is usually best to have a TS in a different
Organizational Unit that other domain computers so that it can have it's own
Group Policy linked to the OU and configured as needed for the TS.

For TS often "loopback processing" of Group Policy is used for "user"
configuration in which case the user configuration settings applied to the
GPO for the TS are applied to users logging onto the TS instead of their
normal Group Policy user configuration settings in a merge or replace mode.
The links below explains more on that if that would be helpful and running
rsop.msc on an XP Pro computer or using the Resultant Set of Policy mmc
snapin on Windows 2003 domain controller can show the current Group Policy
settings and what Group Policy is applying them. When running RSOP on a
domain controller in "planning" mode instead of logging mode you can see
what Group Policy settings will apply to a user/computer when loopback
processing is implemented or other scenarios. --- Steve
Click to expand...

I thought the same thing - I was sure I've setup T/S so that the GP for
T/S users doesn't impact their local system. I've just not had time to
see how they have it actually configured on their network. On Monday
I'll have time to connect in an check it.

Thanks Steve.
 
S

Steven L Umbach

Cool. Glad to help you jog your memory on what to do. Have fun on
nday. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Local Computer: Give local groups GP settings 1
Firewall settings & group policy not working 1
Internet Connection Error 4
GP do not take effect 4
Bypass security banner with a script? 2
Remote Assistance SP2 Group Policy 1
SimpleFileSharing & Security Tab problems - GP only way to fix? 4
admin privs only for desktops. 2

Top