a custom Admin template or using a script might be easier; something like the below should work to control what group has the right to make a term serv connection.

    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery _
        ("Select * from Win32_ComputerSystem")

    ' Read the local computer name
    For Each objComputer In colSettings
        WScript.Echo objComputer.Name
        CN = objComputer.Name
    Next

    ' Only act on servers whose name starts with "MD"
    srv = Left(CN, 2)
    If srv = "MD" Then
        Set RDPObj = GetObject("winmgmts:{impersonationLevel=impersonate}!Win32_TSPermissionsSetting.TerminalName='RDP-Tcp'")
        ' Second argument is the permission preset: 0 = guest, 1 = user, 2 = full access
        RDPObj.AddAccount "domainname\TermPerm", 2
    End If

I also believe the Win2k3 SP2 system.adm file has term serv configuration settings.

Take Care
--John

-------------- Original message ----------------------
From: Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx>

> Hi All,
>
> Helping out a friend who uses Samba, and they have asked me to lock down
> their Windows 2003 Terminal Servers, so I'm trying to use good old Poledit.
> No matter what I've tried I cannot get the policy to apply to a "group"
> object, even though it matches.
>
> For example, the userenv.log shows this...
>
> ApplySystemPolicy: Entering
> ApplySystemPolicy: PolicyPath is: <\\ts02\lockdown$\TS.pol>.
> ApplySystemPolicy: Local PolicyPath is: <C:\Documents and Settings\testuser1\prf1.tmp>.
> MyRegLoadKey: Returning 00000000
> ApplySystemPolicy: Looking for user specific policy.
> OpenUserKey: No entry for testuser1, using .Default instead.
> ApplySystemPolicy: Processing group(s) policy.
> GetUserGroups: User is a member of the following global groups:
> GetUserGroups:
> GetUserGroups: tsusers
> ApplySystemPolicy: User belongs to 2 groups.
> FindGroupInList: User is NOT a member of the tsusers group.
> FindGroupInList: User is NOT a member of the Administrators group.
> ApplySystemPolicy: Looking for machine specific policy.
> OpenUserKey: Found specific entry for TS02 ignoring .Default.
>
> Now the Samba domain tsusers group is a member of the local Remote Desktop
> Users group on the Terminal Servers. And the testuser1 is definitely a
> member of this group, so it's weird that it's telling me that the "User
> is NOT a member of the tsusers group". I wonder if this is a Samba thing?
>
> It's been years since I've needed to use poledit. Is there some trick I
> need to follow to get it to work in this environment?
>
> I guess that I can try to create a local tsusers group and place the Samba
> tsusers group in that.
>
> Any advice would be greatly appreciated.
>
> Cheers.
>
> Kind regards,
>
> Jeremy Saunders
> Senior Technical Specialist
>
> Infrastructure Technology Services (ITS) & Cerulean
> Global Technology Services (GTS)
> IBM Australia
> Level 1, 1060 Hay Street
> West Perth WA 6005
>
> Postal: PO Box 525, West Perth WA 6872
>
> Visit us at http://www.ibm.com/services/au/its
>
> P: +61 8 9261 8412  F: +61 8 9261 8486
> P: (Reception) +61 8 9261 8420
> M: TBA
> E-mail: jeremy.saunders@xxxxxxxxxxx
>
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx
> with 'unsubscribe' in the Subject field OR by logging into the freelists.org
> Web interface. Archives for the list are available at
> //www.freelists.org/archives/gptalk/
> ************************
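
Added example (not part of either message, and not code from the list or from Microsoft): a small Python checker for the symptom in the quoted userenv.log, where GetUserGroups lists a group that FindGroupInList then rejects. It assumes the message wording shown in the excerpt; the function name analyse and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the group-processing lines quoted in the thread above.
SAMPLE_LOG = """\
ApplySystemPolicy: Processing group(s) policy.
GetUserGroups: User is a member of the following global groups:
GetUserGroups:
GetUserGroups:     tsusers
ApplySystemPolicy: User belongs to 2 groups.
FindGroupInList: User is NOT a member of the tsusers group.
FindGroupInList: User is NOT a member of the Administrators group.
"""

# Assumption: wording as in the excerpt; any prefix before the function name is tolerated.
LINE = re.compile(r"\b(GetUserGroups|FindGroupInList|ApplySystemPolicy):[ \t]*(.*)$")
REJECT = re.compile(r"User is NOT a member of the (.+) group\.$")
COUNT = re.compile(r"User belongs to (\d+) groups?\.$")


def analyse(log_text):
    """Compare the groups the log enumerates with the policy groups it rejects."""
    enumerated, blank, claimed, rejected, listing = [], 0, None, [], False
    for raw in log_text.splitlines():
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        func, msg = m.group(1), m.group(2).strip()
        if func == "GetUserGroups":
            if msg.endswith("global groups:"):
                listing = True          # following GetUserGroups lines are entries
            elif listing and msg:
                enumerated.append(msg)
            elif listing:
                blank += 1              # entry logged with an empty name
            continue
        listing = False
        if (c := COUNT.search(msg)):
            claimed = int(c.group(1))
        elif (r := REJECT.search(msg)):
            rejected.append(r.group(1))
    known = {g.lower() for g in enumerated}  # Windows group names compare case-insensitively
    return {
        "enumerated": enumerated, "blank_entries": blank, "claimed_count": claimed,
        "rejected": rejected,
        # Groups the log both lists for the user and reports as not matching.
        "contradictions": [g for g in rejected if g.lower() in known],
    }
```

On the sample, analyse(SAMPLE_LOG) reports tsusers as a contradiction and shows that the log claims 2 groups while naming only one, with one entry logged blank.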