Re: Using GPO to limit access

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/05/05

Next message: Roger Abell: "Re: Using GPO to limit access"
Previous message: Victor Pereira: "Re: msExchMailboxSecurityDescriptor"
In reply to: Johan Strange: "RE: Using GPO to limit access"
Next in thread: Roger Abell: "Re: Using GPO to limit access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 5 Aug 2005 06:08:12 -0700

Not quite.
You also need to set the new GPO which uses security group filtering
(that sets the TS server and the custom group of users up to apply the
GPO) to use loopback processing.
Without loopback the GPO will only apply to objects in the OU,
which the User objects are not.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Johan Strange" <JohanStrange@discussions.microsoft.com> wrote in message
news:6DAD3DC3-1424-4712-9327-978E3D732592@microsoft.com...
> I would create a security group and make these users members. Then create
an
> OU and put the TS in it (assuming that TS is not running on a DC). Create
and
> link your GPO to this OU and then give the security group apply groups
policy
> rights, and remove apply group policy rights from other users. That will
do
> the trick.....
>
> "Jeff Richardson" wrote:
>
> > I'm familiar with basic concepts of GPO, however, can I use GPO and
apply it
> > to SPECIFIC users only when the log on to a SPECIFIC server (a Terminal
> > Server)
> >
> > I found docuemntation to apply to a specific server but that seems to
effect
> > everyone logging onto that server - I need it to apply only to 5 or 6
users
> > when they log onto one server only.
> >
> > What procedure do I have to follow for a DC and / or a member server -
I'm
> > assuming that if we need to configure a member server it has to be done
via
> > Local Security policies ?
> >
> > Regards
> > Jeff Richardson

Next message: Roger Abell: "Re: Using GPO to limit access"
Previous message: Victor Pereira: "Re: msExchMailboxSecurityDescriptor"
In reply to: Johan Strange: "RE: Using GPO to limit access"
Next in thread: Roger Abell: "Re: Using GPO to limit access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Group Policy
... Server, ... And link your GPO to the TS ... The computer account of the terminal server should be added to the ... and added a different security group I created. ...
(microsoft.public.windows.terminal_services)
gpo security filtering
... I am applying a GPO to an OU with server computer accounts for windows ... I want to exclude two of the server machines so I ... created a security group with the servers I want windows updates applied to ...
(microsoft.public.windows.group_policy)
Re: TS Security settings
... The member server on which you are running Terminal Services does not need ... GPO is linked. ... to be affected by this GPO into that security group. ...
(microsoft.public.windows.terminal_services)
Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
... linked to a OU allows one to set separate 'user'-ish settings based ... only once, not per GPO, that should be "looped back". ... like a server, TS Server or computer a total different security ... security group. ...
(microsoft.public.windows.group_policy)
RE: Using GPO to limit access
... I would create a security group and make these users members. ... "Jeff Richardson" wrote: ... > to SPECIFIC users only when the log on to a SPECIFIC server (a Terminal ...
(microsoft.public.security)