[gptalk] Re: Lockdown Policy on Terminal Server

  • From: "Jeremy Saunders" <Jeremy.Saunders@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Sat, 24 Jan 2009 17:01:32 +1100

A far better approach here, in my opinion, is to create three
policies...

 

1)      Terminal Server Policy - will only contain the "Machine"
settings, including enabling Loopback processing, and left applied to
Authenticated Users. Don't put user settings in this policy.

2)      Terminal Server User Policy - will only contain "User" settings,
and also left applied to Authenticated Users. Don't put machine settings
in this policy.

3)      Terminal Server Admin Policy - will only contain "User"
settings, and simply "reverses" out some of the lockdowns applied by the
"Terminal Server User Policy". The Authenticated Users group should be
removed, and then add the required Admins group. Don't put machine
settings in this policy.

 

Set the priority order to apply as listed, and all will work as
required.

 

Cheers,

Jeremy.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Saturday, January 24, 2009 5:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Lockdown Policy on Terminal Server

 

Hi Bill,

 

It should work the way you are suggesting, however I am guessing that
you are using loop back processing and that this is being set in the
same policy. If you remove Authenticated Users from the policy then the
machine setting to enable loop back policy will also be removed.

 

Your first suggestion of putting "deny" on the policy for ADMINS should
work....  assuming you are talking about the policy that contains the
actual user settings rather than the loopback enable setting.

 

Hope this helps. 

 

 

Alan Cuthbertson

 

 

 Policy Management Software (Now with ADMX and Preference support):-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor(Now with ADMX support):-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter - including Preference logging(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of McDonald, William
Sent: Saturday, 24 January 2009 5:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Lockdown Policy on Terminal Server

 

 

A TS policy only works for me if it is applied to the Authenticated

Users group, but this applies the policy to all users, including

administrators, even if I have admins set to deny applying policy. If I

apply the group policy to another group, TS_App_Users, and remove

Authenticated users or even just uncheck Apply Policy under

Authenticated Users, then it won't get applied at all. How is this

supposed to work? 

 

 

 

Regards, 

Bill McDonald

Systems Administrator II      Ebara Technologies, Inc. 

51 Main Avenue 

Sacramento, CA 95838 

Direct: (916) 561-4865 

Fax: (916) 920-5066 

 

wmcdonald@xxxxxxxxxxxxx       

 

***********************

You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
by logging into the freelists.org Web interface. Archives for the list
are available at http://www.freelists.org/archives/gptalk/

************************


#####################################################################################
Confidentiality and Privilege Notice 
This document is intended solely for the named addressee.  The information 
contained in the pages is confidential and contains legally privileged 
information. If you are not the addressee indicated in this message (or 
responsible for delivery of the message to such person), you may not copy or 
deliver this message to anyone, and you should destroy this message and kindly 
notify the sender by reply email. Confidentiality and legal privilege are not 
waived or lost by reason of mistaken delivery to you.
#####################################################################################

Other related posts: