[gptalk] Re: Using Poledit on a Windows 2003 Terminal Server

  • From: jfvanmeter@xxxxxxxxxxx
  • To: gptalk@xxxxxxxxxxxxx, gptalk@xxxxxxxxxxxxx
  • Date: Fri, 23 Feb 2007 14:17:48 +0000

a custom Admin template or using a script might be easier, something like the 
below should work to control what group has the right to make a term serv 
connection. 

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colSettings = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")
For Each objComputer in colSettings 
    Wscript.Echo objComputer.Name
CN = objComputer.Name
    Next
 srv = Left(CN, 2)
  if srv = "MD" Then
set RDPObj = 
GetObject("winmgmts:{impersonationLevel=impersonate}!Win32_TSPermissionsSetting.TerminalName='RDP-Tcp'")
RDPobj.AddAccount "domainname\TermPerm", 2
End If

 I also believe the WIn2k3 SP2 system.adm file has term serv configuration 
settings

Take Care --John

 -------------- Original message ----------------------
From: Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx>
> Hi All,
> 
> Helping out a friend who uses Samba, and they have asked me to lock down
> their Windows 2003 Terminal Servers, so I'm trying to use good old Poledit.
> No matter what I've tried I cannot get the policy to apply to a "group"
> object, even though it matches.
> 
> For example, the userenv.log shows this...
> 
> ApplySystemPolicy: Entering
> ApplySystemPolicy:  PolicyPath is: <\\ts02\lockdown$\TS.pol>.
> ApplySystemPolicy:  Local PolicyPath is: <C:\Documents and
> Settings\testuser1\prf1.tmp>.
> MyRegLoadKey: Returning 00000000
> ApplySystemPolicy:  Looking for user specific policy.
> OpenUserKey:  No entry for testuser1, using .Default instead.
> ApplySystemPolicy:  Processing group(s) policy.
> GetUserGroups: User is a member of the following global groups:
> GetUserGroups:
> GetUserGroups:     tsusers
> ApplySystemPolicy:  User belongs to 2 groups.
> FindGroupInList:  User is NOT a member of the tsusers group.
> FindGroupInList:  User is NOT a member of the Administrators group.
> ApplySystemPolicy:  Looking for machine specific policy.
> OpenUserKey:  Found specific entry for TS02 ignoring .Default.
> 
> Now the Samba domain tsusers group is a member of the local Remote Desktop
> Users group on the Terminal Servers. And the testuser1 is definitely a
> member of this group, so it's weird that it's telling me that  the " User
> is NOT a member of the tsusers group". I wonder if this is a Samba thing?
> 
> It's been years since I've needed to use poledit. Is there some trick I
> need to follow to get it to work in this environment?
> 
> I guess that I can try to create a local tsusers group and place the Samba
> tsusers group in that.
> 
> Any advice would be greatly appreciated.
> 
> Cheers.
>                                                                 
>  Kind regards,                                                  
>                                                                 
>  Jeremy Saunders                                                
>  Senior Technical Specialist                                    
>                                                                 
>  Infrastructure Technology Services                             
>  (ITS) & Cerulean                                               
>  Global Technology Services (GTS)                               
>  IBM Australia                                                  
>  Level 1, 1060 Hay Street                                       
>  West Perth  WA  6005                                           
>                                                                 
>  Postal: PO Box 525, West Perth WA                              
>  6872                                                           
>                                                                 
>  Visit us at                                                    
>  http://www.ibm.com/services/au/its                             
>                                                                 
>  P:  +61 8 9261 8412                F:  +61 8 9261 8486         
>  P:  (Reception) +61 8 9261 8420    E-mail:                     
>  M:  TBA                            jeremy.saunders@xxxxxxxxxxx 
>                                                                 
>                                                                 
> 
> 
> 
> 
> 
> 
> 
> ***********************
> You can unsubscribe from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx 
> with 'unsubscribe' in the Subject field OR by logging into the freelists.org 
> Web 
> interface. Archives for the list are available at 
> http://www.freelists.org/archives/gptalk/
> ************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: