Group Policy for Terminal Server

rspatafore

We are implementing Terminal Services here at work. I have messed with
TermServ in the past, but have never deployed it. I am trying to deploy
a locked down desktop via group policy. I have the policy developed, or
at least close to it, but I am now trying to figure out how to deploy
it. I want to apply it to all of our users only when they log in
through our term servers. I tried to apply the group policy to our
terminal servers organizational unit (domain --> servers --> terminal
servers) but I could not get it to apply to any users. I have the
permissions set to allow authenticated users to apply the policy. I am
going to assume that because the users are not local to this
organizational unit that the policy will not apply to them. So what is
the best way to implement this to all of my users, but only when they
log into our terminal servers?

Thanks,

Rick
 
Kurt

That is a really good question and I hope someone has a better answer than
me. But the way I have handled it (with just a few TS users) is to make
separate accounts for TS logins. These accounts have permissions to all the
same resources as the regular login and access the same "My Documents", etc.
The obvious differences are lack of being able to shut down the computer, no
access to control panel, my computer context menu, etc - all of the things
I'm sure you've thought of. It actually works better this way because TS
sessions do things like change the desktop around if connecting from a lower
resolution terminal in full-screen mode.

...kurt
 
rspatafore

I am going to have around 2,000 users once this is complete. Duplicate
users is not an option. I did find an article on TechNet about Terminal
Services and group policies: 260370 & 231287. I am looking at the
loopback piece of this now, but I do not understand what group policy
is applied to the users once loopback is enabled.


Rick
 
Florian Frommherz

Howdy Rick!

> We are implementing Terminal Services here at work. I have messed with
> TermServ in the past, but have never deployed it. I am trying to deploy
> a locked down desktop via group policy. I have the policy developed, or
> at least close to it, but I am now trying to figure out how to deploy
> it. I want to apply it to all of our users only when they log in
> through our term servers. I tried to apply the group policy to our
> terminal servers organizational unit (domain --> servers --> terminal
> servers) but I could not get it to apply to any users. I have the
> permissions set to allow authenticated users to apply the policy. I am
> going to assume that because the users are not local to this
> organizational unit that the policy will not apply to them. So what is
> the best way to implement this to all of my users, but only when they
> log into our terminal servers?

What you are searching for is "Loopback Processing Mode". It's a special
processing mode for group policies in which a computer will process both
computer AND user configuration of a policy and merge (or overwrite -
that would match your case quite perfectly ;-) ) the user's configuration
of other policies.

Have a look at this:
http://support.microsoft.com/?id=231287
http://technet2.microsoft.com/Windo...975f-4b2f-b771-9e6a903e97db1033.mspx?mfr=true

cheers,

Florian
 
Florian Frommherz

Howdy Rick!

> I am going to have around 2,000 users once this is complete. Duplicate
> users is not an option. I did find an article on TechNet about Terminal
> Services and group policies: 260370 & 231287. I am looking at the
> loopback piece of this now, but I do not understand what group policy
> is applied to the users once loopback is enabled.

Sorry, I didn't see you already have found "loopback".

Well, you go and activate "loopback" on the Terminal Server's OU and set
it to "replace". This will _replace_ all configuration settings users
will normally be receiving when they log into a "normal" workstation.
Instead of processing the user's configuration, the Terminal Servers
will now "load" the user portions of the group policies you applied to
them (remember: they wouldn't apply the user config portion if
loopback wasn't enabled!). Like this, you can assure that _every_ user,
no matter which OU he or she belongs to, receives the same
(restrictive) settings on the Terminal Servers.

I hope I could make it a little clearer. If not, feel free to post again!

cheers,

Florian
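
Added example (not part of the original thread): a simplified Python model of which user settings a Terminal Server session ends up with under no loopback, "merge" and "replace", as described in the reply above. The GPO names, OU layout and setting labels are constructed for illustration, and the model ignores security filtering, enforced links, block inheritance and WMI filters.

```python
# Simplified model of Group Policy user-settings processing with and without
# loopback. GPO names and setting labels below are constructed sample data.

NONE, MERGE, REPLACE = "none", "merge", "replace"


def resultant_user_settings(user_scope, computer_scope, mode=NONE):
    """Return {setting: (value, winning_gpo)} for a user logging on to a computer.

    user_scope / computer_scope: GPOs linked along the user's / computer's
    path, lowest precedence first (domain, then parent OU, then child OU).
    Each GPO is (name, user_settings_dict); later GPOs overwrite earlier ones.
    """
    if mode == NONE:
        order = user_scope                    # computer's OU plays no part
    elif mode == MERGE:
        order = user_scope + computer_scope   # computer-scope GPOs win conflicts
    elif mode == REPLACE:
        order = computer_scope                # user-scope GPOs are not processed
    else:
        raise ValueError(f"unknown loopback mode: {mode!r}")

    result = {}
    for gpo_name, user_settings in order:
        for setting, value in user_settings.items():
            result[setting] = (value, gpo_name)
    return result


# Constructed sample: the user lives in a staff OU, the server in the TS OU.
DOMAIN = ("Domain Baseline", {"Screen saver timeout": 900})
STAFF_OU = ("Staff Desktop", {"Hide Control Panel": False, "Mapped drive H:": True})
TS_OU = ("TS Lockdown", {"Hide Control Panel": True, "Remove Shut Down": True})

USER_SCOPE = [DOMAIN, STAFF_OU]
COMPUTER_SCOPE = [DOMAIN, TS_OU]

if __name__ == "__main__":
    for mode in (NONE, MERGE, REPLACE):
        print(f"--- loopback: {mode}")
        settings = resultant_user_settings(USER_SCOPE, COMPUTER_SCOPE, mode)
        for setting, (value, gpo) in sorted(settings.items()):
            print(f"{setting:22} = {value!s:5} (from {gpo})")
```

With no loopback the "TS Lockdown" user settings never reach the session, which matches the behaviour reported in the first post; in "merge" the staff settings that do not conflict (such as the mapped drive) still come through, while "replace" drops them.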
 
rspatafore

Thanks Florian. Loopback is exactly where my research has led me. For
some reason though when I run gpresult I do not see that my Terminal
Services GPO is running. I kept getting a permission error for this.
Ends up that I did not apply the policy to each server. I was thinking
that since the servers were a part of the organizational unit they
would have the policy applied automatically... but I guess not.


Rick
 
Florian Frommherz

Howdy Rick!

> Thanks Florian. Loopback is exactly where my research has led me. For
> some reason though when I run gpresult I do not see that my Terminal
> Services GPO is running. I kept getting a permission error for this.
> Ends up that I did not apply the policy to each server. I was thinking
> that since the servers were a part of the organizational unit they
> would have the policy applied automatically... but I guess not.

So you linked your Loopback-Policy to the OU where the Terminal Servers
reside? You know that you have to wait 90 minutes (plus a random
time of max 30 minutes) until the computers query the domain controllers
for new policies? Did you wait that time or run "gpupdate /force" on the
servers to force the servers to query immediately for new policies?

cheers,

Florian
 
