TS & GPO for Large Companies

[Guest]

Our environment consists of some +2500 Servers, +60000 Workstations in +200 Sites in 4 child domains spread across the globe. Slowly we are seeing an increase in the use of Terminal Servers. In certain Sites we have approx. 20 TSs. Ineach Site there is a separate OU (TS-OU) just for Terminal Servers which has a GPO in place which places settings mainly on the Computer Configuration. Some settings exist for the User configuration, e.g. no CMD prompt, no Registry Tools, hide Shtudown Computer, etc. We use Loopback to implement this (users are not in the same OU as servers). All TSs are in the same OU, users belong to a different OU. A TS Users group is created and users requiring access to the TSs are placed in this group. The security filter of the TS GPO contians this group an applys the policy

We are facing the problem that not all owners of the TSs want to receive all settings from our GPO. One way around this would be create an additional GPO which either returns specific setting of the TS GPO back to what the owner wants and/or add new setitngs and apply a security filter to it for a specific group of users. Link the GPO at the TS-OU level

This solution works but has its limitations. One, if a User uses several TSs, this means they belong to several TS Users groups. In the end it could be that the user receives a wide range of settings due to the security filters on the TS GPO and addititonal GPOs. Two, the number of Additional GPOs required could grow causing maintenance headaches

Has anyone used a mixture of GPOs and Local group policies? In the GPO, set your required settings for the Computer Configuration and in the Local policy set your required User configuration. This would allow for tailor-made Local policies if owners of a TS wanted to have their own specific settings

Any suggestions or ideas as to how to handle GPOs in a TS environment where you have over 20 TSs with 15 of them having specific applications installed on them which would like to have their own security of the User configuration, would be appreciated

Bil

 

[David Everett [MSFT]]

Hi Bill,

If you implement Local GPO settings they are applied to all users on that
machine. However, if a GPO from Site, Domain or OU(s) contains a setting
that overrides this based upon group ACLing of a policy then the local
setting is over-ridden. The same problem remains if the delegated admin of
the server is a member of that group.

Your best bet is to make a new group and add the TS Admins to that new
group. For the GPO they do not want applied give the TS Admins group and
Explicit Deny for Apply Group Policy. The GPO settings will still be
applied to members of the TS Users group, but because these users are also
members of the new TS Admins group they will not get the policy applied.

--
David Everett
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Our environment consists of some +2500 Servers, +60000 Workstations in

+200 Sites in 4 child domains spread across the globe. Slowly we are seeing
an increase in the use of Terminal Servers. In certain Sites we have approx.
20 TSs. Ineach Site there is a separate OU (TS-OU) just for Terminal Servers
which has a GPO in place which places settings mainly on the Computer
Configuration. Some settings exist for the User configuration, e.g. no CMD
prompt, no Registry Tools, hide Shtudown Computer, etc. We use Loopback to
implement this (users are not in the same OU as servers). All TSs are in the
same OU, users belong to a different OU. A TS Users group is created and
users requiring access to the TSs are placed in this group. The security
filter of the TS GPO contians this group an applys the policy.

We are facing the problem that not all owners of the TSs want to receive

all settings from our GPO. One way around this would be create an additional
GPO which either returns specific setting of the TS GPO back to what the
owner wants and/or add new setitngs and apply a security filter to it for a
specific group of users. Link the GPO at the TS-OU level.

This solution works but has its limitations. One, if a User uses several

TSs, this means they belong to several TS Users groups. In the end it could
be that the user receives a wide range of settings due to the security
filters on the TS GPO and addititonal GPOs. Two, the number of Additional
GPOs required could grow causing maintenance headaches.

Has anyone used a mixture of GPOs and Local group policies? In the GPO,

set your required settings for the Computer Configuration and in the Local
policy set your required User configuration. This would allow for
tailor-made Local policies if owners of a TS wanted to have their own
specific settings.

Any suggestions or ideas as to how to handle GPOs in a TS environment

where you have over 20 TSs with 15 of them having specific applications
installed on them which would like to have their own security of the User
configuration, would be appreciated.