
Organisational Units Policies - Terminal Services

Status
Not open for further replies.

Adamhemo

Technical User
Mar 4, 2003
15
US
Hi All,

I have created an organisational unit in Windows 2000 server to set specific restrictions on my Terminal services users. All works well except for an issue that became a pain!!!

I added my Windows 2000 server that provides Terminal services into the organizational unit I created. The restrictions got applied to all users who login to that server.

I want the Administrator account and couple more (all in the domain Admin group) to have no restrictions at all.

Can I specify exemptions in my OU? Am I doing all of this in the right manner? Is there a better way to do so for terminal services?

Any help is appreciated

Adam
 
Can you make a separate OU for the Admins, move them into it, and specify you want that OU to block policy inheritance? Or am I not getting what you're asking?

Darrell Mozingo
 
nonononono
don't put the server inside the OU, leave the server alone.
try to work with groups, it's the easiest way.

1. Create a group (members of this group will be the users to which the GPO will apply).
2. Create your GPO at the domain level, and in the Security tab of the Properties menu for the GPO you have to add the group to the list, and give it the Read & Apply Policy permission.

that should do it


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 
Thanks for both of the quick responses, I guess I can create another OU and assign the Admins to it.

Breakerfall ... what is the risk I am taking by putting the server in the OU (just for my information here :) )? Also, if I create the group as you mentioned, would those restrictions be applied only to the terminal services, or also if they log in at any desktop in the organization? I need those restrictions to be valid only if they are using the terminal server.

Thanks for all the help
 
is the TS server also a DC?
or a spare TS server?



Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 
It is a member Server, not a DC. It is the Only Terminal Server I have in our environment. I have about 40 users who depend on it only when they are on the road; when they are in the building they use their Desktops. In the past when we were running on NT 4.0 TSE I generated all kinds of scripts and policies that were enforced as a local group on the server itself; now it seems like I have lost that option with 2000. Our domain is a mixed mode Win 2000. The NT 4.0 installation failed last week and I decided to move to 2000 since it was a good time to do so.

Basically, I need the following to work:

If a regular user logs in to the terminal server, his/her profile will have the restrictions; if he/she logs in to their desktop then they will have no restrictions.

If an Admin logs in to the terminal server then no restrictions will be applied.

Thanks for all the help :)

Adam
 
I assumed the TS was a DC. The reason of my concern was that Domain Controllers OU already has a “Default Domain Controllers Policy Group” policy assigned, which affects the security and other settings of your domain controllers.
However, to simplify administration, you would use groups anyway.


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 

In response to your second question:

>> Also, if I create the group as you mentioned, would those restrictions be applied only to the terminal services?

Yes, restrictions will be applied only to the terminal services, since you are setting only TS restrictions on the GPO.



Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 
just curious, what kind of restrictions are you setting up?


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 
Well, you name it and I want to restrict it, nothing out of the normal though, things like disabling access to Drives (local and mapped), Internet options, Display options, Search, Run, access to utilities, .... I want these guys only to be able to access their home folder located on a different server and a couple of applications that we developed in house. I do not need them to install anything else or to run applications that are licensed to other users.

In your reply above, you said 'since you are setting only TS restrictions on the GPO'. I know this may sound ignorant on my side :) but where do I tell it that I am setting them for TS? Or is that a default for OU!!!

Thanks again

Adam
 
Adamhemo
I was re-reading fresh your original post,
and I just thought of something,

you asked about some sort of exemptions for the OU, right? Well, the closest thing to an exemption is a Deny checked box for the "Apply Group Policy" for the users and/or groups that you do not want the GPO applied to. You said:

>>Administrator account and couple more (all in the domain Admin group)<<

That's even better. You have to:
- Deny the "Apply Group Policy" permission for the "Domain Admins" group.
- Leave the "Apply Group Policy" permission enabled for the "Authenticated Users" group.

Since denied permissions take precedence over granted permissions, people inside the "Domain Admins" group WILL NOT get the GPO applied; however, remote users WILL get the GPO applied, since they are part of the "Authenticated Users" group.

don't know why I didn't think about that before =P

PS: do it at the OU level, where your TServer is.

keep us posted.
thanks.


Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
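
The Deny-over-Allow filtering described in the post above, together with the group-based filter from the earlier reply, modeled in Python as an added example that is not part of the original thread. The account names, the "TS Restricted Users" group, and the removal of the default Authenticated Users entry in the second ACL are assumptions made for illustration.

```python
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"


@dataclass(frozen=True)
class Ace:
    trustee: str   # user or group the entry names
    right: str     # READ or APPLY
    allow: bool    # False means a Deny entry


def gpo_applies(acl, user, groups):
    """Return True if the GPO is applied to this account at logon."""
    # Every logged-on account carries Authenticated Users in its token.
    token = {user, "Authenticated Users", *groups}
    matching = [ace for ace in acl if ace.trustee in token]
    for right in (READ, APPLY):
        relevant = [ace for ace in matching if ace.right == right]
        if any(not ace.allow for ace in relevant):
            return False   # an explicit Deny beats any Allow
        if not any(ace.allow for ace in relevant):
            return False   # no Allow at all: the GPO is filtered out
    return True


def report(acl, accounts):
    """Map each account name to whether the GPO would apply to it."""
    return {name: gpo_applies(acl, name, grp) for name, grp in accounts.items()}


# Constructed ACL for the Deny approach: default entry kept, admins denied.
DENY_ADMINS_ACL = [
    Ace("Authenticated Users", READ, True),
    Ace("Authenticated Users", APPLY, True),
    Ace("Domain Admins", APPLY, False),
]

# Constructed ACL for the group approach (assumes Authenticated Users removed).
GROUP_FILTER_ACL = [
    Ace("TS Restricted Users", READ, True),
    Ace("TS Restricted Users", APPLY, True),
]

# Constructed sample accounts with hypothetical names.
ACCOUNTS = {
    "Administrator": ["Domain Admins", "Domain Users"],
    "roaduser1": ["Domain Users", "TS Restricted Users"],
    "officeuser": ["Domain Users"],
}
```

With the Deny entry, an account is exempt only through its Domain Admins membership; with the group filter, an account gets the policy only through membership in the restricted group, so the two lists differ for accounts that are in neither group.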
 