[gptalk] Re: Lockdown Policy on Terminal Server
- From: "Jeremy Saunders" <Jeremy.Saunders@xxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Sat, 24 Jan 2009 17:01:32 +1100
A far better approach here, in my opinion, is to create three
policies...
1) Terminal Server Policy - will only contain the "Machine"
settings, including enabling Loopback processing, and left applied to
Authenticated Users. Don't put user settings in this policy.
2) Terminal Server User Policy - will only contain "User" settings,
and also left applied to Authenticated Users. Don't put machine settings
in this policy.
3) Terminal Server Admin Policy - will only contain "User"
settings, and simply "reverses" out some of the lockdowns applied by the
"Terminal Server User Policy". The Authenticated Users group should be
removed, and then add the required Admins group. Don't put machine
settings in this policy.
Set the priority order to apply as listed, and all will work as
required.
Cheers,
Jeremy.
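The three-GPO layout described in the message above, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original message or of any list member's own scripts. The GPO names follow the message; the OU path, the admin group name, the loopback mode (Replace), and keeping Read for Authenticated Users on the admin GPO are assumptions.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

# Assumptions (placeholders, not from the thread):
$TsOu         = 'OU=Terminal Servers,DC=example,DC=com'  # OU holding the terminal servers
$AdminGroup   = 'TS-Admins'                              # group exempted from the lockdown
$LoopbackMode = 2                                        # 1 = Merge, 2 = Replace

$machine = New-GPO -Name 'Terminal Server Policy'
$user    = New-GPO -Name 'Terminal Server User Policy'
$admin   = New-GPO -Name 'Terminal Server Admin Policy'

# Enforce the "machine only" / "user only" split by disabling the unused half.
$machine.GpoStatus = 'UserSettingsDisabled'
$user.GpoStatus    = 'ComputerSettingsDisabled'
$admin.GpoStatus   = 'ComputerSettingsDisabled'

# Loopback processing is a machine setting, so it lives only in the machine GPO,
# which keeps its default Authenticated Users "apply" filter.
Set-GPRegistryValue -Name $machine.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $LoopbackMode | Out-Null

# Admin GPO: take "Apply" away from Authenticated Users and grant it to the admins.
# Read is kept (assumption): with MS16-072 installed, user GPOs are fetched in the
# computer's security context, so the servers must still be able to read this GPO.
Set-GPPermission -Name $admin.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $admin.DisplayName -TargetName $AdminGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link so the GPOs are processed in the listed order (machine, user, admin).
# Link order 1 is processed last and wins, so each new link is inserted at
# position 1, leaving the admin GPO with the highest precedence. This is one
# reading of "priority order to apply as listed".
foreach ($gpo in $machine, $user, $admin) {
    New-GPLink -Name $gpo.DisplayName -Target $TsOu -Order 1 -LinkEnabled Yes | Out-Null
}

# Check: the admin GPO should show Order 1, the user GPO 2, the machine GPO 3.
(Get-GPInheritance -Target $TsOu).GpoLinks |
    Sort-Object Order | Format-Table Order, DisplayName, Enabled
```

Running `gpresult /r` in an admin session and in an ordinary user session on the server shows which of the two user GPOs was applied or filtered out for each.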
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Alan and Margaret Cuthbertson
Sent: Saturday, January 24, 2009 5:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Lockdown Policy on Terminal Server
Hi Bill,
It should work the way you are suggesting, however I am guessing that
you are using loop back processing and that this is being set in the
same policy. If you remove Authenticated Users from the policy then the
machine setting to enable loop back policy will also be removed.
Your first suggestion of putting "deny" on the policy for ADMINS should
work.... assuming you are talking about the policy that contains the
actual user settings rather than the loopback enable setting.
Hope this helps.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of McDonald, William
Sent: Saturday, 24 January 2009 5:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Lockdown Policy on Terminal Server
A TS policy only works for me if it is applied to the Authenticated
Users group, but this applies the policy to all users, including
administrators, even if I have admins set to deny applying policy. If I
apply the group policy to another group, TS_App_Users, and remove
Authenticated users or even just uncheck Apply Policy under
Authenticated Users, then it won't get applied at all. How is this
supposed to work?
Regards,
Bill McDonald
Systems Administrator II Ebara Technologies, Inc.
51 Main Avenue
Sacramento, CA 95838
Direct: (916) 561-4865
Fax: (916) 920-5066
wmcdonald@xxxxxxxxxxxxx