loopback policy and terminal server

    Question

  • I have some user accounts that I need to restrict and prohibit access to many items on the terminal server using a GPO (no saving, copying to/from desktop, hide network drives, etc.). I read that I can use loopback policy by creating a GPO and applying it to the terminal server AD account in its own OU. But I want the GPO only to affect a few users, not all the other ones that will log onto the terminal server.

    Can someone please explain to me how to set up the loopback policy GPO for only some users that log onto the terminal server and not all the others? Thanks.

    Wednesday, June 13, 2012 7:47 PM

Answers

  • Hi,

    Create a group policy, configure loopback processing (so user settings are applied to users who log on to a computer, and the GPO is applied to the OU of that computer only) and configure permissions. Add the user or group you want the GPO not applied to, and set the permission to Deny.


    Regards, Thomas Paetzold. Visit my blog at: http://sus42.wordpress.com

    • Marked as answer by badlands2011 Friday, June 15, 2012 1:21 PM
    Wednesday, June 13, 2012 7:52 PM

All replies

  • So I have to add all the users that I don't want the policy to apply to and set their permissions to Deny? Man, that's a lot of users I have to add. It would be easier if there was a way to add only users that I do want the GPO to apply to.

    Thanks.

    Wednesday, June 13, 2012 8:23 PM
  • Hi,

    Why not manage these users in groups, and configure the permissions for that group?


    Regards, Thomas Paetzold. Visit my blog at: http://sus42.wordpress.com


    • Edited by Peddy1st Wednesday, June 13, 2012 8:28 PM
    Wednesday, June 13, 2012 8:27 PM
  • Ok, so I did everything but now I am stuck on the part where you mention to configure permissions. Is that the "Security Filtering"?

    In there it says "The settings in this GPO can only apply to the following groups, users, and computers:"

    So this makes it seem that I can easily put only those few users that I want to have the restrictions?

    Wednesday, June 13, 2012 9:51 PM
  • Hello,

    Of course you can add only the users you want the policy to be applied to.
    In this case you will have to remove "Authenticated Users".
    Do not remove the Domain Admins.


    Depending on which loopback mode you use, you may also have to add the terminal server.

    If you use loopback in Replace mode: you do not need to add the terminal server in the security filtering
    (if you do not use Computer Configuration in this policy).
    If you use loopback in Merge mode: add the computer account of the terminal server with at least "Read" permissions.

    If you also configure "Computer Settings" in this policy, you will also have to grant the "Apply Policy" permission for the terminal server.

    http://support.microsoft.com/kb/953768/en-us


    MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!



    Thursday, June 14, 2012 5:46 AM
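    The steps described in this answer, written out as an added PowerShell example using the GroupPolicy module (this is not code from the thread or from the poster). Assumed names: GPO "TS loopback policy", OU "OU=TerminalServers,DC=example,DC=com" holding the terminal server, group "RDS Restricted Users", computer account "TS01". One deliberate difference from the answer: Authenticated Users keeps Read instead of being removed entirely, because since the MS16-072 update (2016) the computer account must be able to read a GPO for its user settings to be processed under loopback at all.

    ```powershell
    # Added example, not from the thread. Builds the loopback GPO with security filtering
    # so that only one group receives the user restrictions on the terminal server.
    Import-Module GroupPolicy

    $gpoName   = 'TS loopback policy'                       # assumed GPO name
    $ouDn      = 'OU=TerminalServers,DC=example,DC=com'     # assumed OU holding the TS computer account
    $userGroup = 'RDS Restricted Users'                      # assumed group that should receive the restrictions
    $tsName    = 'TS01'                                      # assumed terminal server computer account

    # 1. Create the GPO and link it to the OU of the terminal server (not to the users' OU).
    New-GPO -Name $gpoName -Comment 'User restrictions for RDS sessions (loopback)' | Out-Null
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

    # 2. Enable loopback processing. UserPolicyMode: 1 = Merge, 2 = Replace.
    #    Replace ignores the GPOs of the user's own OU for the duration of the RDS session.
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

    # 3. Security filtering. Authenticated Users is downgraded from Apply to Read only
    #    (-Replace is required to lower an existing permission level), then the restricted
    #    group gets Apply. Domain Admins keep their default Edit rights and are NOT given
    #    Apply, so administrators are not restricted when they log on.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $userGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Explicit Read for the terminal server itself: needed in Merge mode per the answer,
    # harmless in Replace mode. Only grant GpoApply if the GPO also carries Computer settings.
    Set-GPPermission -Name $gpoName -TargetName $tsName -TargetType Computer `
        -PermissionLevel GpoRead | Out-Null

    # 4. Verify the resulting ACL. This is the list Group Policy Modeling evaluates when it
    #    reports "Access Denied reason: Security Filtering"; the restricted group must show
    #    GpoApply and no unintended principal should appear with Apply.
    Get-GPPermission -Name $gpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
        Format-Table -AutoSize
    ```

    Run it once from a domain-joined admin workstation with RSAT installed; a Group Policy Modeling run for a member of the restricted group against the terminal server should then show the GPO as applied, while a member of Domain Admins should not receive it.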
  • Hi Matthias,

    Thanks for your answer, I'm almost there.

    This is where I'm at: I configured the new GPO called "TS loopback policy" and added it to the new OU with the TS server in it. I edited the GPO to the correct restrictions desired and created a new AD group called "RDS Restricted Users" with the users who I want to have the restrictions applied to. I removed the Authenticated Users group from Security Filtering and added "RDS Restricted Users".

    Is that correct so far?

    What I don't understand is why I would want to add the group Domain Admins as you mentioned. Wouldn't this restrict that group, which is what I do not want?

    Also I used "Replace-Mode". How would I then grant the "Apply Policy" permission to the Terminal Server?

    Thank you.


    Thursday, June 14, 2012 8:48 PM
  • I used the Group Policy Modeling wizard to see if that might help give any indications, and it says that the GPO in question is being denied because "Access Denied reason: Security Filtering".

    I can't see why it's being denied, since the security group in "Security Filtering" is the AD group with the users I want the restrictions to apply to, and the computer account of the Terminal Server is listed as well. Those are the only 2 AD objects in there. Did I configure this correctly?

    Friday, June 15, 2012 2:03 AM