Applying Group Policy to one user on a Term Server
Grandmaster
All American
10829 Posts

I'm finding it near impossible to get this working. I've linked a loopback policy to a new OU named "Terminal Services" with everything needed to lock the session down enabled.

I either get it enabled on the laptop I'm connecting from (same domain user obv). Both on the TS Server and the laptop, or neither.

So how do I enable a lockdown only on the terminal server (which unfortunately is also the DC) for one specific user (or computer if needed), and still deny the GPO for administrators and the other users on the domain as well as the same user's laptop?

I've followed a bunch of tutorials, namely http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html But none really touch on the specifics of applying the loopback nonsense.

1/19/2009 1:13:41 PM

Shaggy
All American
17820 Posts

a loopback is going to apply to all machines in any OUs below where it is applied. So put it in its own OU (probably below its current OU) and apply the policy there. All Authed users should have read/apply like normal, but create a group and deny apply to that group. Put users that you don't want getting the policy in the deny group. Everyone else should get it.

gl.

1/19/2009 1:17:17 PM
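
The layout Shaggy describes above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the thread. The domain, server, GPO and group names are placeholders, and nesting Domain Admins in the deny group is an assumption about who should be exempt.

```powershell
# Added example; every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN  = 'DC=example,DC=com'                # placeholder domain
$ParentOU  = "OU=Domain Controllers,$DomainDN"  # current OU of the server (it is also the DC)
$TsOU      = "OU=Terminal Services,$ParentOU"
$GpoName   = 'TS Lockdown'                      # placeholder GPO name
$DenyGroup = 'TS-Lockdown-Exempt'               # placeholder group name

# 1. Dedicated OU below the server's current OU; move the computer account into it.
New-ADOrganizationalUnit -Name 'Terminal Services' -Path $ParentOU
Get-ADComputer -Identity 'TS01' | Move-ADObject -TargetPath $TsOU   # 'TS01' is a placeholder

# 2. GPO linked only to that OU, with loopback processing enabled
#    (UserPolicyMode: 1 = Merge, 2 = Replace). The lockdown settings themselves
#    go in this GPO's User Configuration.
$gpo = New-GPO -Name $GpoName
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $GpoName -Target $TsOU | Out-Null

# 3. Group for accounts that must not receive the lockdown.
#    Authenticated Users keep the default Read + Apply on the new GPO.
New-ADGroup -Name $DenyGroup -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$DomainDN"
Add-ADGroupMember -Identity $DenyGroup -Members 'Domain Admins'

# 4. Deny the "Apply Group Policy" extended right to that group on the GPO object.
#    A deny ACE overrides the allow inherited from Authenticated Users.
$sid       = (Get-ADGroup -Identity $DenyGroup).SID
$rights    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$deny      = [System.Security.AccessControl.AccessControlType]::Deny
$applyGpo  = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply Group Policy
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rights, $deny, $applyGpo

$gpoPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $gpoPath
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoPath -AclObject $acl

# 5. Verify from inside a session on the server, once as the locked-down user
#    and once as a member of the deny group:
#    gpresult /r /scope user
```

Because the GPO is linked only to the server's OU, the same user logging on to the laptop does not pick up the loopback settings there.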

DeltaBeta
All American
9417 Posts

^ What he said.

1/19/2009 1:57:40 PM

evan
All American
27701 Posts

shaggy pretty much covered it

there are quite a few active directory ninjas on here, i see

1/19/2009 2:23:42 PM

ScHpEnXeL
Suspended
32613 Posts

Quote :
"ACTIVE

DIRECTORY

NINJA"

1/19/2009 2:56:44 PM

evan
All American
27701 Posts

that's what my boss called me the other day so i've taken to using the term to describe others as well

1/19/2009 3:09:40 PM

Stimwalt
All American
15292 Posts

Contract IT Guy: When I login as Administrator through the TS everything works fine, but when I login under this username, I'm getting strange error messages when loading the application.

Me: Permissions.

Contract IT Guy: Huh?

Me: You need to give that user more permissions. Administrator works because it has the required permissions

Contract IT Guy: How do I do that?

Me: God damnit.

1/19/2009 3:21:53 PM

Grandmaster
All American
10829 Posts

The problem is actually my inability to link and apply the GPO correctly. I have the Loopback GPO set exactly how I want it. I have the desired user added to the Security Filtering and the GPO linked to an OU named Terminal Services under the top level. The computer she's connecting from is added under the OU in AD (I know this is wrong).

and every change I make/test I do gpupdate /force

Also, is there a Local Administrator group? Where, when signed into the domain they still can have complete administrator rights over their local PC but nothing else? I could only add the user to what appears to be a domain admin group. If instead of the domain I try to put the name of the local PC 1) I can't log in with the local admin account and 2) I can't add the user with my domain admin acct using the local PC name.

I need a book.

[Edited on January 19, 2009 at 3:50 PM. Reason : .]

1/19/2009 3:47:48 PM

kiljadn
All American
44690 Posts

^ uh, yeah.

You do.



When you join a computer to the domain, the domain admin should be added to the local admin group by default.

1/19/2009 4:00:12 PM

Grandmaster
All American
10829 Posts

I wanted the user to be a local admin but not admin anywhere else. Looks like I was confused and that's how I had it setup in the first place.

1/19/2009 6:04:32 PM

evan
All American
27701 Posts

yeah, when you join a computer to the domain, the Domain Admins group gets added to the local admin group by default.

you can add individual user accounts to the computer's local admin group as well.

log in to the pc as a domain admin, go to Control Panel > Computer Management > Local Users and Groups, click groups, double-click administrators, click Add, then type the name of the user account in the domain you wish to have local admin rights.

1/19/2009 8:07:02 PM

Grandmaster
All American
10829 Posts

I was confused because when I added the user to the admin group it had a globe behind it instead of the hard drive looking thing that Administrator had. I thought it was all or nothing and while logged in to TS this user could fuck shit up.

Obviously, I was wrong. I still don't get the GPO mess tho.

1/19/2009 8:43:01 PM

smoothcrim
Universal Magnetic!
18966 Posts

they have to logout and back in to refresh the group policy.

1/19/2009 9:31:27 PM

ScHpEnXeL
Suspended
32613 Posts

Quote :
"log in to the pc as a domain admin, go to Control Panel > Computer Management > Local Users and Groups, click groups, double-click administrators, click Add, then type the name of the user account in the domain you wish to have local admin rights."

god dammit.. i was gonna say that earlier and thought there's no way it can be that simple since it's something i do all the time.

ah well

1/19/2009 9:46:29 PM

Grandmaster
All American
10829 Posts

^^lol

1/19/2009 9:56:55 PM

evan
All American
27701 Posts

^^^gpupdate /force will take care of all but startup/shutdown scripts

1/20/2009 12:36:59 AM
