[gptalk] Re: Merge GPO's assigning "Allow log on through TS"?

  • From: "Andrew McHale" <Andrew.McHale@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 2 Dec 2008 17:56:04 -0000

Hi Jamie,


This seems to be a much better way, thanks for pointing it out.


However, I have created a new GPO, added a restricted group called
Remote Desktop Users by using Browse/Check Name, added a particular user
to the restricted group, applied the GPO to an individual workstation
and linked it to an OU which contains a child OU with the workstation.


I have run gpupdate /force twice. Both times it tells me it requires a
reboot, which I do.


After the reboot the user I added to the restricted group does not
appear in the local Remote Desktop Users group.


Is the Remote Desktop Users group I added as a restricted group a domain
group? If so how do I add local machine groups to restricted groups? All
efforts to search for builtin/Remote or Remote have failed to return


Many thanks





From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] 
Sent: 01 December 2008 17:57
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Merge GPO's assigning "Allow log on through TS"?


Instead of changing your security policy, why not just use restricted
groups to add users to the local "Remote Desktop Users" group (which
already has TS logon access)?


Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew McHale
Sent: Monday, December 01, 2008 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Merge GPO's assigning "Allow log on through TS"?


Hi all,


Our Default Domain Policy adds Domain Admins to the "Allow log on
through terminal services" on all machines in our domain.


I created a new GPO to allow a specific single user account to log on to
a specific virtualised XP box and applied at a sub-OU level containing
the XP box object.


Having been working remotely (using MSTSC) on the virtual XP box all day
today absolutely fine, after I applied the policy it wouldn't let me on
giving me the standard error "the local policy of this system does not
permit you to logon interactively".


I assume this is because the newer GPO is overriding the domain GPO due
to it being more specifically applied?


Going forward, I don't want to have to add all the users who are allowed
to RDP into machines to every policy that specifies this permission just
because in some instances I want to specify a particular user for a
particular machine. Is it possible to merge policy settings? Is this
where loopback processing would be applied?
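As an added example, not taken from any of the posts above, here is a PowerShell check to run on the affected workstation that shows what actually applied: the effective "Allow log on through Terminal Services" list as secedit exports it, the current members of the local Remote Desktop Users group, and which GPOs the computer processed. It assumes an elevated prompt, that secedit.exe, net.exe and gpresult.exe are on the path, and that the machine has been rebooted since the last gpupdate /force. The right is a single list, so the most specific GPO that sets it replaces the whole list rather than merging with the domain policy; the well-known SID S-1-5-32-555 (BUILTIN\Remote Desktop Users) is what the default list grants, which is why populating that group via Restricted Groups avoids touching the right at all.

```powershell
# Added example (not from the thread): inspect the effective TS logon right and
# the local Remote Desktop Users membership on the workstation after policy
# has applied. Run from an elevated PowerShell prompt on the target machine.

$inf = Join-Path $env:TEMP 'user_rights.inf'

# secedit exports the effective local security database, including user
# rights pushed by Group Policy, as an INI-style (UTF-16) file.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Pull the SeRemoteInteractiveLogonRight line from the [Privilege Rights]
# section. Entries are comma separated; SIDs are prefixed with '*'.
$line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }

if (-not $line) {
    Write-Host 'SeRemoteInteractiveLogonRight is not set: nobody is granted TS logon.'
} else {
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    Write-Host "Effective 'Allow log on through Terminal Services' (one list, last GPO wins):"
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $e.TrimStart('*')
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolvable SID>' }
            Write-Host ("  {0}  ({1})" -f $name, $sid.Value)
        } else {
            Write-Host "  $e"
        }
    }
    # S-1-5-32-555 is BUILTIN\Remote Desktop Users. If it is missing here, a
    # GPO replaced the default list and members of that group can no longer
    # log on through TS regardless of group membership.
    if ($entries -contains '*S-1-5-32-555') {
        Write-Host '  -> Remote Desktop Users still has the right; manage access via group membership.'
    } else {
        Write-Host '  -> Remote Desktop Users has been dropped from the right by a more specific GPO.'
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Membership of the local group that Restricted Groups should be populating.
Write-Host ''
Write-Host 'Local Remote Desktop Users members:'
& net.exe localgroup 'Remote Desktop Users'

# Which computer-side GPOs were actually applied (confirms the sub-OU GPO
# reached this machine at all before suspecting the Restricted Groups entry).
Write-Host ''
& gpresult.exe /scope computer /v
```

If the secedit output lists only the single user from the sub-OU GPO, that is the replacement behaviour from the first post; if the user does not show up under net localgroup, the GPO either did not apply (check the gpresult section) or the Restricted Groups entry resolved to something other than BUILTIN\Remote Desktop Users (S-1-5-32-555).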
