[gptalk] Re: Merge GPO's assigning "Allow log on through TS"?

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 1 Dec 2008 11:57:26 -0600

Instead of changing your security policy, why not just use restricted
groups to add users to the local "Remote Desktop Users" group (which
already has TS logon access)?


Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew McHale
Sent: Monday, December 01, 2008 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Merge GPO's assigning "Allow log on through TS"?


Hi all,


Our Default Domain Policy adds Domain Admins to the "Allow log on
through terminal services" on all machines in our domain.


I created a new GPO to allow a specific single user account to log on to
a specific virtualised XP box and applied at a sub-OU level containing
the XP box object.


Having been working remotely (using MSTSC) on the virtual XP box all day
today absolutely fine, after I applied the policy it wouldn't let me on
giving me the standard error "the local policy of this system does not
permit you to logon interactively".


I assume this is because the newer GPO is overriding the domain GPO due
to it being more specifically applied?


Going forward, I don't want to have to add all the users who are allowed
to RDP into machines to every policy that specifies this permission just
because in some instances I want to specify a particular user for a
particular machine. Is it possible to merge policy settings? Is this
where loopback processing would be applied?
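
The behaviour discussed in this thread, as an added example that is not part of either message: a small Python model of how security-template settings (the `[Privilege Rights]` and `[Group Membership]` sections of a GPO's GptTmpl.inf) combine across GPOs. The domain SID, the RIDs, the `RDP_GROUP` domain group and the sample domain policy (assumed here to list the built-in Remote Desktop Users group alongside Domain Admins) are constructed for illustration.

```python
# Added example: models how security-template (GptTmpl.inf) settings from
# several GPOs combine. All SIDs and GPO contents are constructed samples.
RDU = "*S-1-5-32-555"  # built-in Remote Desktop Users (well-known SID)
DOM = "*S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
ADMINS, USER, RDP_GROUP = DOM + "-512", DOM + "-1105", DOM + "-1201"
RIGHT = "SeRemoteInteractiveLogonRight"  # "Allow log on through Terminal Services"

DOMAIN_GPO = f"[Privilege Rights]\n{RIGHT} = {ADMINS},{RDU}\n"
SUB_OU_RIGHT_GPO = f"[Privilege Rights]\n{RIGHT} = {USER}\n"
SUB_OU_GROUP_GPO = f"[Group Membership]\n{RDP_GROUP}__Memberof = {RDU}\n{RDP_GROUP}__Members =\n"

def parse_inf(text):
    """Parse '[Section]' and 'key = v1,v2' lines into {section: {key: [values]}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return sections

def effective(gpo_texts):
    """Combine GPOs given lowest precedence first. Each key is taken whole from
    the last GPO that defines it; value lists are never unioned."""
    result = {}
    for text in gpo_texts:
        for section, settings in parse_inf(text).items():
            result.setdefault(section, {}).update(settings)
    return result

def can_rdp(gpo_texts, sid):
    """True if sid holds the right directly or via a 'Member Of' entry that
    places it in a group holding the right."""
    eff = effective(gpo_texts)
    holders = eff.get("Privilege Rights", {}).get(RIGHT, [])
    member_of = eff.get("Group Membership", {}).get(sid + "__Memberof", [])
    return sid in holders or any(group in holders for group in member_of)

if __name__ == "__main__":
    for name, sub_ou in (("user right", SUB_OU_RIGHT_GPO), ("restricted group", SUB_OU_GROUP_GPO)):
        gpos = [DOMAIN_GPO, sub_ou]
        print(name, {s: can_rdp(gpos, s) for s in (ADMINS, USER, RDP_GROUP)})
```

The restricted-group route only grants access while the effective user right still lists Remote Desktop Users (`*S-1-5-32-555`), so check that value on the target machine as well.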




