[gptalk] Re: Using Poledit on a Windows 2003 Terminal Server
- From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 07:48:36 +1100
Hi Jeremy,
I don't fully understand what is happening, so bear with me if I have it
wrong. Also it's a long time since I used NT4 domains!
I understand you are using Samba which simulates an NT4 domain. As such you
use Poledit which supports only one policy per group (if I remember
correctly).
To make it work, I would set up a Policy for the NT4 domain Group called
TSUSERS and make the user a member of that group.
You stated:-
"Now the Samba domain tsusers group is a member of the local Remote Desktop
Users group on the Terminal Servers. And the testuser1 is definitely a
member of this group, so it's weird that it's telling me that the " User is
NOT a member of the tsusers group". I wonder if this is a Samba thing?"
I don't understand how local groups on the Terminal server have any bearing
on the problem. Just because a user is a member of a local group and the
domain group is a member of the local group, this doesn't mean the user is a
member of the domain group. (This is assuming that you were referring to the
Local group called Remote Desktop Users when you said "is definitely a
member of this group")
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free):-
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Tuesday, 27 February 2007 3:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server
Please give a few examples of what it is you are actually trying to
accomplish with Poledit and then maybe you can be steered in the right
direction.
As another alternative, please review script logic, as you can create and
lock down several settings for end users using complex user logon scripts
that can be created using a GUI.
Omar
_____
From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Buonora, Craig (GE, Research,
consultant)
Sent: Mon 2/26/2007 8:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server
Jeremy, I use a group within the Terminal Services ADM to lock down our TS to
certain users. Is this what your friend is trying to accomplish?
Craig
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, February 26, 2007 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server
Jeremy-
I don't have a good answer for this. If the user is really a member of this
group then it should appear in their process token when they login. Can you
confirm their group membership, maybe by using net user /domain from the TS
Box?
Darren
-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Saunders
Sent: Friday, February 23, 2007 10:44 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server
Thanks John, but I think you've misunderstood my question.
We want to apply different policies to different groups, and we don't have
the Group Policy mechanism of Active Directory to use, as the Samba domain
emulates an NT4 environment. TSusers is a generic group I used for this
example, but there will also be a developers group, etc. And the developers
cannot be locked down to the same degree as the TSusers, etc.
Cheers.
Kind regards,
Jeremy Saunders
Senior Technical Specialist
Infrastructure Technology Services
(ITS) & Cerulean
Global Technology Services (GTS)
IBM Australia
Level 1, 1060 Hay Street
West Perth WA 6005
Postal: PO Box 525, West Perth WA
6872
Visit us at
http://www.ibm.com/services/au/its
P: +61 8 9261 8412 F: +61 8 9261 8486
P: (Reception) +61 8 9261 8420 E-mail:
M: TBA jeremy.saunders@xxxxxxxxxxx
jfvanmeter@comcast.net
Sent by: gptalk-bounce@freelists.org
23/02/2007 11:17 PM
Please respond to: gptalk@freelists.org
To: gptalk@xxxxxxxxxxxxx, gptalk@xxxxxxxxxxxxx
cc: Jeremy Saunders/Australia/IBM@IBMAU
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server
A custom Admin template or using a script might be easier; something like
the below should work to control what group has the right to make a term
serv connection.

' Read the local computer name through WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colSettings = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
For Each objComputer in colSettings
    Wscript.Echo objComputer.Name
    CN = objComputer.Name
Next
' Only servers whose name starts with "MD" get the permission entry
srv = Left(CN, 2)
If srv = "MD" Then
    Set RDPObj = GetObject("winmgmts:{impersonationLevel=impersonate}!" _
        & "Win32_TSPermissionsSetting.TerminalName='RDP-Tcp'")
    ' Second argument is the PermissionPreSet:
    ' 0 = guest access, 1 = user access, 2 = all access
    RDPObj.AddAccount "domainname\TermPerm", 2
End If

I also believe the Win2k3 SP2 system.adm file has term serv configuration
settings.
Take Care --John
-------------- Original message ----------------------
From: Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx>
> Hi All,
>
> Helping out a friend who uses Samba, and they have asked me to lock
> down their Windows 2003 Terminal Servers, so I'm trying to use good
> old Poledit.
> No matter what I've tried I cannot get the policy to apply to a "group"
> object, even though it matches.
>
> For example, the userenv.log shows this...
>
> ApplySystemPolicy: Entering
> ApplySystemPolicy: PolicyPath is: <\\ts02\lockdown$\TS.pol>.
> ApplySystemPolicy: Local PolicyPath is: <C:\Documents and Settings\testuser1\prf1.tmp>.
> MyRegLoadKey: Returning 00000000
> ApplySystemPolicy: Looking for user specific policy.
> OpenUserKey: No entry for testuser1, using .Default instead.
> ApplySystemPolicy: Processing group(s) policy.
> GetUserGroups: User is a member of the following global groups:
> GetUserGroups:
> GetUserGroups: tsusers
> ApplySystemPolicy: User belongs to 2 groups.
> FindGroupInList: User is NOT a member of the tsusers group.
> FindGroupInList: User is NOT a member of the Administrators group.
> ApplySystemPolicy: Looking for machine specific policy.
> OpenUserKey: Found specific entry for TS02 ignoring .Default.
>
> Now the Samba domain tsusers group is a member of the local Remote
> Desktop Users group on the Terminal Servers. And the testuser1 is
> definitely a member of this group, so it's weird that it's telling me
> that the "User is NOT a member of the tsusers group". I wonder if this
> is a Samba thing?
>
> It's been years since I've needed to use poledit. Is there some trick
> I need to follow to get it to work in this environment?
>
> I guess that I can try to create a local tsusers group and place the
> Samba tsusers group in that.
>
> Any advice would be greatly appreciated.
>
> Cheers.
>
> Kind regards,
>
> Jeremy Saunders
> Senior Technical Specialist
>
> Infrastructure Technology Services
> (ITS) & Cerulean
> Global Technology Services (GTS)
> IBM Australia
> Level 1, 1060 Hay Street
> West Perth WA 6005
>
> Postal: PO Box 525, West Perth WA
> 6872
>
> Visit us at
> http://www.ibm.com/services/au/its
>
> P: +61 8 9261 8412 F: +61 8 9261 8486
> P: (Reception) +61 8 9261 8420 E-mail:
> M: TBA jeremy.saunders@xxxxxxxxxxx
>
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
> logging into the freelists.org Web interface. Archives for the list are
> available at http://www.freelists.org/archives/gptalk/
> ************************
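
The userenv.log trace quoted in the original question lists tsusers under GetUserGroups, yet FindGroupInList rejects it. The following is an added example, not part of the thread or any poster's code: a Python parser that flags that contradiction, assuming trace lines in the "Function: message" form shown in the post (no timestamp prefix); the name `analyse` and the result keys are made up for this illustration.

```python
import re

# Lines copied from the userenv.log excerpt quoted in the original question.
SAMPLE = """\
ApplySystemPolicy: Processing group(s) policy.
GetUserGroups: User is a member of the following global groups:
GetUserGroups:
GetUserGroups:     tsusers
ApplySystemPolicy: User belongs to 2 groups.
FindGroupInList: User is NOT a member of the tsusers group.
FindGroupInList: User is NOT a member of the Administrators group.
ApplySystemPolicy: Looking for machine specific policy.
"""

HEADER = "User is a member of the following global groups:"
COUNT = re.compile(r"User belongs to (\d+) groups?\.")
REJECT = re.compile(r"User is NOT a member of the (.+) group\.")


def analyse(log_text):
    """Hypothetical helper: summarise the group phase of an ApplySystemPolicy trace."""
    enumerated, rejected = [], []
    blank_entries, reported_count = 0, None
    for raw in log_text.splitlines():
        # Assumes the "Function: message" layout shown in the post.
        func, _, msg = raw.partition(":")
        func, msg = func.strip(), msg.strip()
        if func == "GetUserGroups" and msg != HEADER:
            if msg:
                enumerated.append(msg)
            else:
                blank_entries += 1  # a group entry with no name
        elif func == "ApplySystemPolicy" and COUNT.fullmatch(msg):
            reported_count = int(COUNT.fullmatch(msg).group(1))
        elif func == "FindGroupInList" and REJECT.fullmatch(msg):
            rejected.append(REJECT.fullmatch(msg).group(1))
    known = {g.lower() for g in enumerated}
    return {
        "enumerated": enumerated,
        "blank_entries": blank_entries,
        "reported_count": reported_count,
        "rejected": rejected,
        # Groups GetUserGroups listed but FindGroupInList refused.
        "contradictions": [g for g in rejected if g.lower() in known],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On the thread's trace, the blank GetUserGroups entry accounts for the reported count of 2 even though only tsusers is named.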