Grandmaster (All American, 10829 Posts)
I'm finding it near impossible to get this working. I've linked a loopback policy to a new OU named "Terminal Services" with everything needed to lock the session down enabled.
I either get it enabled on the laptop I'm connecting from (same domain user, obv), on both the TS server and the laptop, or on neither.
So how do I enable a lockdown only on the terminal server (which unfortunately is also the DC) for one specific user (or computer if needed), and still deny the GPO for administrators and the other users on the domain, as well as the same user's laptop?
I've followed a bunch of tutorials, namely http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html, but none really touch on the specifics of applying the loopback nonsense.
1/19/2009 1:13:41 PM
Shaggy (All American, 17820 Posts)
A loopback is going to apply to all machines in any OUs below where it is applied. So put it in its own OU (probably below its current OU) and apply the policy there. All Authed Users should have read/apply like normal, but create a group and deny apply to that group. Put users that you don't want getting the policy in the deny group. Everyone else should get it.
gl.
1/19/2009 1:17:17 PM
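The setup Shaggy describes (a dedicated OU holding only the terminal server's computer object, a GPO with loopback processing in Replace mode linked there, Authenticated Users keeping Read/Apply, and a group that is denied Apply Group Policy) scripted as an added example; this is not code from the thread. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (Server 2008 R2 / RSAT or later), and the GPO and group names are made up for the example.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$gpoName   = 'TS Session Lockdown'            # example name
$tsOU      = "OU=Terminal Services,$domainDN"  # OU that holds ONLY the TS computer object
$denyGroup = 'GPO-Deny-TS-Lockdown'           # example name: members never get the lockdown

# 1. Group for everyone who must NOT receive the lockdown (admins, other staff).
New-ADGroup -Name $denyGroup -GroupScope Global -Path "CN=Users,$domainDN"
Add-ADGroupMember -Identity $denyGroup -Members 'Domain Admins'

# 2. Create the GPO and switch on loopback processing.
#    UserPolicyMode: 2 = Replace (only user settings from GPOs that hit the computer's
#    OU apply), 1 = Merge (computer-OU user settings layered on top of the user's own).
$gpo = New-GPO -Name $gpoName
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# ...add the Terminal Services lockdown settings to the GPO here (GPMC or Set-GPRegistryValue).

# 3. Link it to the TS OU. Because loopback is evaluated per computer, a laptop placed
#    in this OU would also enforce the lockdown, so keep other machines out of it.
New-GPLink -Name $gpoName -Target $tsOU -LinkEnabled Yes | Out-Null

# 4. Leave Authenticated Users with Read + Apply (the default, and the computer account
#    needs Read to process loopback at all). Add a Deny ACE on the "Apply Group Policy"
#    extended right for the deny group on the GPO's AD object, as GPMC's
#    Delegation > Advanced tab would.
$gpoDN   = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"
$acl     = Get-Acl -Path "AD:\$gpoDN"
$sid     = (Get-ADGroup -Identity $denyGroup).SID
$applyGP = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Deny', $applyGP, 'All')
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDN" -AclObject $acl

# 5. Confirm who can and cannot apply the GPO.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied
```

Because the thread's terminal server is also the domain controller, its computer object sits in the Domain Controllers OU rather than a new OU; a link there would reach every DC, which is one reason the loopback policy is hard to scope to that box.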
DeltaBeta (All American, 9417 Posts)
^ What he said.
1/19/2009 1:57:40 PM
evan (All American, 27701 Posts)
shaggy pretty much covered it
there are quite a few active directory ninjas on here, i see
1/19/2009 2:23:42 PM
ScHpEnXeL (Suspended, 32613 Posts)
Quote: "ACTIVE DIRECTORY NINJA"
1/19/2009 2:56:44 PM
evan (All American, 27701 Posts)
that's what my boss called me the other day so i've taken to using the term to describe others as well
1/19/2009 3:09:40 PM
Stimwalt (All American, 15292 Posts)
Contract IT Guy: When I log in as Administrator through the TS everything works fine, but when I log in under this username, I'm getting strange error messages when loading the application.
Me: Permissions.
Contract IT Guy: Huh?
Me: You need to give that user more permissions. Administrator works because it has the required permissions.
Contract IT Guy: How do I do that?
Me: God dammit.
1/19/2009 3:21:53 PM
Grandmaster (All American, 10829 Posts)
The problem is actually my inability to link and apply the GPO correctly. I have the Loopback GPO set exactly how I want it. I have the desired user added to the Security Filtering and the GPO linked to an OU named Terminal Services under the top level. The computer she's connecting from is added under the OU in AD (I know this is wrong).
And after every change I make/test, I do gpupdate /force.
Also, is there a Local Administrator group, where, when signed into the domain, they still can have complete administrator rights over their local PC but nothing else? I could only add the user to what appears to be a domain admin group. If instead of the domain I try to put the name of the local PC, 1) I can't log in with the local admin account and 2) I can't add the user with my domain admin acct using the local PC name.
I need a book.
[Edited on January 19, 2009 at 3:50 PM. Reason: .]
1/19/2009 3:47:48 PM
kiljadn (All American, 44690 Posts)
^ uh, yeah.
You do.
When you join a computer to the domain, the domain admin should be added to the local admin group by default.
1/19/2009 4:00:12 PM
Grandmaster (All American, 10829 Posts)
I wanted the user to be a local admin but not admin anywhere else. Looks like I was confused and that's how I had it set up in the first place.
1/19/2009 6:04:32 PM
evan (All American, 27701 Posts)
yeah, when you join a computer to the domain, the Domain Admins group gets added to the local admin group by default.
you can add individual user accounts to the computer's local admin group as well.
log in to the PC as a domain admin, go to Control Panel > Computer Management > Local Users and Groups, click Groups, double-click Administrators, click Add, then type the name of the user account in the domain you wish to have local admin rights.
1/19/2009 8:07:02 PM
Grandmaster (All American, 10829 Posts)
I was confused because when I added the user to the admin group it had a globe behind it instead of the hard drive looking thing that Administrator had. I thought it was all or nothing and while logged in to TS this user could fuck shit up.
Obviously, I was wrong. I still don't get the GPO mess tho.
1/19/2009 8:43:01 PM
smoothcrim (Universal Magnetic!, 18966 Posts)
they have to log out and back in to refresh the group policy.
1/19/2009 9:31:27 PM
ScHpEnXeL (Suspended, 32613 Posts)
Quote: "log in to the pc as a domain admin, go to Control Panel > Computer Management > Local Users and Groups, click groups, double-click administrators, click Add, then type the name of the user account in the domain you wish to have local admin rights."
god dammit.. i was gonna say that earlier and thought there's no way it can be that simple since it's something i do all the time.
ah well
1/19/2009 9:46:29 PM
Grandmaster (All American, 10829 Posts)
^^ lol
1/19/2009 9:56:55 PM
evan (All American, 27701 Posts)
^^^ gpupdate /force will take care of all but startup/shutdown scripts
1/20/2009 12:36:59 AM