[gptalk] Re: Using Poledit on a Windows 2003 Terminal Server

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 08:52:28 -0800

Please give a few examples of what it is you are actually trying to accomplish 
with Poledit and then maybe you can be steered in the right direction.
 
As another alternative- please review script logic as you can create and lock 
down several settings for end users using complex user logon scripts that can 
be created using a gui.
 
Omar

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Buonora, Craig (GE, Research, 
consultant)
Sent: Mon 2/26/2007 8:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server



Jeremy I use a group within the Terminal Services ADM to lock down our TS to 
certain users. Is this what your friend is trying to accomplish?

Craig

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Monday, February 26, 2007 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server

Jeremy-
I don't have a good answer for this. If the user is really a member of this 
group then it should appear in their process token when they login. Can you 
confirm their group membership, maybe by using net user /domain from the TS Box?

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jeremy Saunders
Sent: Friday, February 23, 2007 10:44 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Using Poledit on a Windows 2003 Terminal Server

Thanks John, but I think you've misundersyood my question.

We want to apply different policies to different groups, and we don't have the 
Group Policy mechanism of Active Directory to use, as the Samba domain emulates 
an NT4 environment. TSusers is a generic group I used for this example, but 
there will also be a developers group, etc. And the developers cannot be locked 
down to the same degree as the TSusers, etc.

Cheers.
                                                               
 Kind regards,                                                 
                                                               
 Jeremy Saunders                                               
 Senior Technical Specialist                                   
                                                               
 Infrastructure Technology Services                            
 (ITS) & Cerulean                                              
 Global Technology Services (GTS)                              
 IBM Australia                                                 
 Level 1, 1060 Hay Street                                      
 West Perth  WA  6005                                          
                                                               
 Postal: PO Box 525, West Perth WA                             
 6872                                                          
                                                               
 Visit us at                                                   
 http://www.ibm.com/services/au/its                            
                                                               
 P:  +61 8 9261 8412                F:  +61 8 9261 8486        
 P:  (Reception) +61 8 9261 8420    E-mail:                    
 M:  TBA                            jeremy.saunders@xxxxxxxxxxx
                                                               
                                                               








                                                                          
             jfvanmeter@comcas                                            
             t.net                                                        
             Sent by:                                                   To
             gptalk-bounce@fre         gptalk@xxxxxxxxxxxxx,              
             elists.org                gptalk@xxxxxxxxxxxxx               
                                                                        cc
                                       Jeremy Saunders/Australia/IBM@IBMAU
             23/02/2007 11:17                                      Subject
             PM                        [gptalk] Re: Using Poledit on a    
                                       Windows 2003 Terminal Server       
                                                                          
             Please respond to                                            
             gptalk@freelists.                                            
                    org                                                   
                                                                          
                                                                          




a custom Admin template or using a script might be easier, something like the 
below should work to control what group has the right to make a term serv 
connection.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set 
colSettings = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem") For Each objComputer in colSettings
    Wscript.Echo objComputer.Name
CN = objComputer.Name
    Next
 srv = Left(CN, 2)
  if srv = "MD" Then
set RDPObj =
GetObject("winmgmts:{impersonationLevel=impersonate}!Win32_TSPermissionsSett
ing.TerminalName='RDP-Tcp'")

RDPobj.AddAccount "domainname\TermPerm", 2 End If

 I also believe the WIn2k3 SP2 system.adm file has term serv configuration 
settings

Take Care --John

 -------------- Original message ----------------------
From: Jeremy Saunders <jeremy.saunders@xxxxxxxxxxx>
> Hi All,
>
> Helping out a friend who uses Samba, and they have asked me to lock
> down their Windows 2003 Terminal Servers, so I'm trying to use good
> old
Poledit.
> No matter what I've tried I cannot get the policy to apply to a "group"
> object, even though it matches.
>
> For example, the userenv.log shows this...
>
> ApplySystemPolicy: Entering
> ApplySystemPolicy:  PolicyPath is: <\\ts02\lockdown$\TS.pol>.
> ApplySystemPolicy:  Local PolicyPath is: <C:\Documents and
> Settings\testuser1\prf1.tmp>.
> MyRegLoadKey: Returning 00000000
> ApplySystemPolicy:  Looking for user specific policy.
> OpenUserKey:  No entry for testuser1, using .Default instead.
> ApplySystemPolicy:  Processing group(s) policy.
> GetUserGroups: User is a member of the following global groups:
> GetUserGroups:
> GetUserGroups:     tsusers
> ApplySystemPolicy:  User belongs to 2 groups.
> FindGroupInList:  User is NOT a member of the tsusers group.
> FindGroupInList:  User is NOT a member of the Administrators group.
> ApplySystemPolicy:  Looking for machine specific policy.
> OpenUserKey:  Found specific entry for TS02 ignoring .Default.
>
> Now the Samba domain tsusers group is a member of the local Remote
Desktop
> Users group on the Terminal Servers. And the testuser1 is definitely a
> member of this group, so it's weird that it's telling me that  the "
> User is NOT a member of the tsusers group". I wonder if this is a Samba thing?
>
> It's been years since I've needed to use poledit. Is there some trick
> I need to follow to get it to work in this environment?
>
> I guess that I can try to create a local tsusers group and place the
Samba
> tsusers group in that.
>
> Any advice would be greatly appreciated.
>
> Cheers.
>
>  Kind regards,
>
>  Jeremy Saunders
>  Senior Technical Specialist
>
>  Infrastructure Technology Services
>  (ITS) & Cerulean
>  Global Technology Services (GTS)
>  IBM Australia
>  Level 1, 1060 Hay Street
>  West Perth  WA  6005
>
>  Postal: PO Box 525, West Perth WA
>  6872
>
>  Visit us at
>  http://www.ibm.com/services/au/its
>
>  P:  +61 8 9261 8412                F:  +61 8 9261 8486
>  P:  (Reception) +61 8 9261 8420    E-mail:
>  M:  TBA                            jeremy.saunders@xxxxxxxxxxx
>
>
>
>
>
>
>
>
>
> ***********************
> You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx
> with 'unsubscribe' in the Subject field OR by logging into the
freelists.org Web
> interface. Archives for the list are available at
> http://www.freelists.org/archives/gptalk/
> ************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************


***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************
***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************


Other related posts: