[THIN] Re: Policies on Win2K

  • From: "Mack, Rick" <RMack@xxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Sat, 16 Aug 2003 10:10:29 +1000

Hi Chris,
 
There are obviously some differences between NT 4 policies and AD-based group
policies (GPO).
 
The most obvious one, as you stated, is that policies apply to containers
(OUs), not groups. You have to be in an OU to have a policy applied to you.
 
This actually gives you less granularity than NT 4 in the sense that you
can't use groups to apply policies, only to NOT apply policies. 
 
That is, I can set security filtering on the group policy applying to an OU
so that certain security (global) groups don't have read/apply rights to the
group policy.
 
That will result in the GPO applying to everyone in the OU except the
exclusions.
 
However you have loopback processing mode, which when enabled on a GPO
applied to a machine OU (terminal servers), will allow you to apply terminal
server OU specific policies. In essence, when loopback processing is enabled
for a GPO/OU, logging on to a machine in that OU means you are entering the
OU, and that OU's policies then apply to you.
 
regards,
 
Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704



-----Original Message-----
From: Christopher_Wilson@xxxxxxxxxxxxxx
[mailto:Christopher_Wilson@xxxxxxxxxxxxxx] 
Sent: Saturday, 16 August 2003 4:36 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Policies on Win2K



Could use some advice/clarification on Windows 2000 TS policies as I round
the learning curve from NT4.   

With NT 4 policies we had a TS specific user and computer policy that
resided on each Terminal server or a file share.   Policies could be applied
to specific users and groups  while on specific servers. 

Is this still the case with Active Directory? 
I see local security policies (which the best I can tell are all or nothing
- no assignment by groups) 
and/or 
AD policies set per user or per computer.   
I have an OU for Terminal servers and an OU for Terminal server users.   
Then set machine policies on the Terminal Server OU and user policy on the
users OU? 

Is that the right approach? 
If I do it that way is there any way to stop Terminal server user policies
from being applied to user's accounts when they are outside of the TS
environment? 

Also, in active directory, common.adm (for hidedrives, etc.) is listed as an
unsupported template.  Is that normal? (that is, anything to worry about?) 

TIA, 
Christopher

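An added example (not part of the thread or of either poster's message): a simplified Python model of the behaviour discussed above, security filtering by exclusion plus loopback processing, showing which GPOs' user settings apply at logon on a given machine. It goes beyond the thread by modelling loopback's merge and replace modes; all OU, group and GPO names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class GPO:
    name: str
    denied_groups: set = field(default_factory=set)  # groups denied Read/Apply
    loopback: Optional[str] = None  # "merge" or "replace" when loopback is enabled

def passes_filter(gpo, user_groups):
    """Security filtering: skip the GPO if the user is in a denied group."""
    return not (gpo.denied_groups & set(user_groups))

def user_gpos(user_ou, machine_ou, user_groups, links):
    """Names of GPOs whose user settings apply at logon, in processing order.

    links maps an OU name to the GPOs linked to it. Simplified model:
    one OU level only, no site/domain links, no inheritance blocking.
    """
    from_user_ou = [g for g in links.get(user_ou, []) if passes_filter(g, user_groups)]
    machine_side = links.get(machine_ou, [])
    mode = next((g.loopback for g in machine_side if g.loopback), None)
    if mode is None:  # normal processing: only the user's own OU counts
        return [g.name for g in from_user_ou]
    from_machine_ou = [g for g in machine_side if passes_filter(g, user_groups)]
    if mode == "replace":  # user-OU GPOs are ignored on this machine
        return [g.name for g in from_machine_ou]
    # merge: machine-OU GPOs are processed last, so they win on conflicts
    return [g.name for g in from_user_ou + from_machine_ou]

# Constructed sample directory (all names hypothetical).
LINKS = {
    "Staff": [GPO("Staff-Desktop")],
    "TerminalServers": [GPO("TS-Lockdown", denied_groups={"TS-Admins"}, loopback="replace")],
    "Workstations": [],
}

if __name__ == "__main__":
    for machine_ou, groups in [("TerminalServers", {"Staff"}),
                               ("Workstations", {"Staff"}),
                               ("TerminalServers", {"Staff", "TS-Admins"})]:
        print(machine_ou, sorted(groups), "->", user_gpos("Staff", machine_ou, groups, LINKS))
```

With the lockdown GPO linked to the terminal server OU rather than the users' OU, its user settings apply only while the user is logged on to a machine in that OU.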