
Group Policy on OU object does not apply

Status
Not open for further replies.

zoldy

IS-IT--Management
Jul 5, 2003
55
CA
As per a Microsoft article here is what I am trying to do... apply a policy to a user only if they are logging into the terminal server....

Instructed to create a new OU... move the server object into this OU... Create a group policy on this OU...

The only way the policy seems to apply is if the user is moved to that OU as well. Otherwise it does not...

the problem with this of course is I don't want it to apply all the time...

Anyone else experience this ... or recommend a different setup

thanks
 
If you are applying user settings in the GPO, the user will have to be in the ou. If you are applying computer settings, they should apply to all users that log onto that server.

Mark
 
that's correct... but they don't... I can't figure out why... do I need to refresh or something like that?
 
sorry re-read your response ... and now i understand... so I guess the question is how do I apply a user policy only when logged onto the terminal server?

thanks
 
You can try a local GPO on the server. It should give you the ability to apply settings to the users that log on. Anything you have in the OU GPO will override the local GPO though.

Mark
 
yes thank you... i thought of that .... the only issue with that is it applies to everyone...

I will keep searching....

I tried applying the policy to the built-in group TERMINAL SERVER USERS... but that does not seem to work..

thanks again for the info
 
I have now spent the day reading countless articles claiming that if you create an OU and define a group policy and place the terminal server object inside the OU... everyone logging onto that server will have the policy applied..

article number 278295

But it simply does not work...

The very first section talks about a policy called.

User Group Policy loopback processing mode

This policy is supposed to allow me to do exactly what I am trying to do.

does anyone else out there have this situation that can help

thanks
 
"User Group Policy loopback processing mode" << That is exactly what you need to do.
Make sure that the Loopback policy is 1st in order on your GPO Links list. The reason you have to use loopback is because your GPO is making changes to the "User" settings rather than the "Computer" settings. To create the loopback policy, I believe there is only one setting to enable: Computer Configuration > Administrative Templates > System > Group Policy.
Enable the User Group Policy loopback processing mode.
Hope this helps.

r0nin182
 
Did anyone have any luck with this? I've just tried it and had no joy.

I've tried it with both user and computer acc's in the OU, and also each one individually. There are no other GPOs at this stage either as we are still at build stage.

I want to apply this so my local Win XP users can have normal access to their local machines when logging onto the domain, but when they log on to a Citrix server, the GPO is applied.

Andy
 
If you apply to a group, it won't work right because membership is a linked attribute. Have you tried applying the policy to all users, then filtering for Terminal server users via permissions on the GPO?
 
That would work, but the problem is it's the same user that needs it to work, i.e. 1 user logs onto Citrix, has no system drives, control panel etc. He then logs onto his local XP machine, then he has full user access to his local machine
 
I see. Put the terminal server machine accounts in a group, then filter via permission so that the policy only applies to the terminal servers.
 
Sounds valid, but it didn't work. I ended up applying full control to the Citrix server as well with no joy
 
If you apply permissions to an active account, they will not take effect until you log out and back in. For a machine account, I'd say it would require a reboot to take effect.

 
You're right, the reboot worked !!

I suppose all I need to do now is ensure the policy is not applied to admins. Domain admins and enterprise admins have apply GPO unchecked by default with authenticated users apply GPO checked. Is it OK to leave as default or should I remove auth users and replace with the specific user group?

Thanks a lot so far

Andy
 
You can use an explicit deny on the GPO to exclude the admins.



 
Just for reference, I actually achieved excluding the admins by taking out the authenticated users, and then just adding the relevant users/group. Have tested it with various logons and it works fine

Thanks again

Andy
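
The setup the thread converged on (loopback enabled on a GPO linked to the terminal servers' OU, then security filtering so only the servers and the intended users receive it), sketched with the GroupPolicy PowerShell module as an added example that is not from any poster. The GPO, OU and group names are placeholders, Replace mode is an assumed choice, and Authenticated Users is reduced to Read here instead of being removed.

```powershell
# Added example; every name below is a placeholder, not taken from the thread.
Import-Module GroupPolicy

$GpoName   = 'TS User Lockdown'                       # hypothetical GPO name
$ServerOu  = 'OU=Terminal Servers,DC=example,DC=com'  # hypothetical OU holding the server objects
$ServerGrp = 'TS-Servers'                             # hypothetical group of terminal server computer accounts
$UserGrp   = 'TS-Restricted-Users'                    # hypothetical group of users to restrict (no admins in it)
$LoopKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Reuse the GPO if it already exists so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User lockdown applied only on terminal servers'
}

# Computer-side setting behind "User Group Policy loopback processing mode":
# UserPolicyMode 1 = Merge, 2 = Replace. The user restrictions themselves
# still have to be configured under User Configuration in this same GPO.
Set-GPRegistryValue -Name $GpoName -Key $LoopKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Link the GPO to the servers' OU, first in link order, unless already linked.
$linked = (Get-GPInheritance -Target $ServerOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $ServerOu -LinkEnabled Yes -Order 1 | Out-Null
}

# Security filtering. Read without Apply keeps the GPO readable but stops it
# from applying to everyone; -Replace is needed to lower an existing permission.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
# The servers need Apply so the loopback setting takes effect on them.
# A server newly added to the group picks this up at its next restart.
Set-GPPermission -Name $GpoName -TargetName $ServerGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Only members of this group get the user settings; admins stay outside it.
Set-GPPermission -Name $GpoName -TargetName $UserGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the result: who can read or apply the GPO, and the loopback value.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Get-GPRegistryValue -Name $GpoName -Key $LoopKey -ValueName 'UserPolicyMode'
```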
 
I am in the process of implementing a new security policy. In order to test the effects of the changes I created a test OU with test users and machines.

I changed the password policy, however, the policy did not occur on the test machines. When I did a "gpresult" I noticed that the Local Group Policy was taking effect over the Domain Group Policy. How do I make it so that the Domain G.P. overrides the local G.P.?

Here's the gpresult output...

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, July 27, 2005 at 3:08:23 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:

CN=security2,OU=Test OU,DC=MintelChicago,DC=usdmm,DC=com

Domain Name: MINTELCHICAGO
Domain Type: Windows 2000
Site Name: Chicago

Roaming profile: (None)
Local profile: C:\Documents and Settings\security2

The user is a member of the following security groups:

MINTELCHICAGO\Domain Users
\Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL


###############################################################

Last time Group Policy was applied: Wednesday, July 27, 2005 at 3:07:42 PM
Group Policy was applied from: cougar.MintelChicago.usdmm.com


===============================================================


The user received "Registry" settings from these GPOs:

Default Domain Policy



###############################################################

Computer Group Policy results for:

CN=MINTEL-ZWNRDNC7,OU=Test OU,DC=MintelChicago,DC=usdmm,DC=com

Domain Name: MINTELCHICAGO
Domain Type: Windows 2000
Site Name: Chicago


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
MINTELCHICAGO\MINTEL-ZWNRDNC7$
MINTELCHICAGO\Domain Computers

###############################################################

Last time Group Policy was applied: Wednesday, July 27, 2005 at 2:58:31 PM
Group Policy was applied from: cougar.MintelChicago.usdmm.com


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy
Default Domain Policy
Windows Updates


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Domain Policy
Password policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
Default Domain Policy
 