[gptalk] Merge GPO's assigning "Allow log on through TS"?

  • From: "Andrew McHale" <Andrew.McHale@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 1 Dec 2008 16:22:02 -0000

Hi all,


Our Default Domain Policy adds Domain Admins to the "Allow log on
through terminal services" on all machines in our domain.


I created a new GPO to allow a specific single user account to log on to
a specific virtualised XP box and applied it at a sub-OU level containing
the XP box object.


Having been working remotely (using MSTSC) on the virtual XP box all day
today absolutely fine, after I applied the policy it wouldn't let me on
giving me the standard error "the local policy of this system does not
permit you to logon interactively".


I assume this is because the newer GPO is overriding the domain GPO due
to it being more specifically applied?


Going forward, I don't want to have to add all the users who are allowed
to RDP into machines to every policy that specifies this permission just
because in some instances I want to specify a particular user for a
particular machine. Is it possible to merge policy settings? Is this
where loopback processing would be applied?
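
A check for the situation described in this post, as an added example that is not part of the original message: it lists which accounts a machine's exported security policy grants "Allow log on through Terminal Services" (`SeRemoteInteractiveLogonRight`), so you can see whether Domain Admins is still listed after the sub-OU GPO applies. The function name and the sample SIDs are constructed for illustration.

```powershell
# Added example: parse a secedit USER_RIGHTS export and list the holders of one right.
# Get-UserRightHolder is a hypothetical helper name, not a built-in cmdlet.
function Get-UserRightHolder {
    param(
        [string[]]$InfLines,
        [string]$Right = 'SeRemoteInteractiveLogonRight'
    )
    # The export has one "RightName = entry,entry,..." line per assigned right.
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right absent from the export: no explicit holders

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; try to resolve them to account names.
            $sid = $entry.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved)'   # e.g. the domain cannot be reached from this host
            }
            New-Object PSObject -Property @{ Sid = $sid; Name = $name }
        } else {
            # Entries without * are stored as plain account names.
            New-Object PSObject -Property @{ Sid = $null; Name = $entry }
        }
    }
}

# Constructed sample export: only one domain account (made-up SID) holds the right,
# which is the state that would lock out a Domain Admins member over RDP.
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545',
    'SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Get-UserRightHolder -InfLines $sample | Format-Table Name, Sid -AutoSize

# On the affected machine, from an elevated prompt, use the real export instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-UserRightHolder -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Running `gpresult` on the same machine shows which GPOs were applied, which can be compared against the list this returns.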




