RE: W2K Group Policy Overriding Local Machine Rights
From: MSFT (ssawkar_at_online.microsoft.com)
Date: 11/03/03
- Next message: royace: "Netsend"
- Previous message: Gray: "Object access"
- In reply to: John R. Bennett: "W2K Group Policy Overriding Local Machine Rights"
- Next in thread: John R. Bennett: "Re: W2K Group Policy Overriding Local Machine Rights"
- Reply: John R. Bennett: "Re: W2K Group Policy Overriding Local Machine Rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 03 Nov 2003 20:30:47 GMT
--------------------
>From: "John R. Bennett" <john.bennett@nwnsi.com>
>Newsgroups: microsoft.public.win2000,microsoft.public.win2000.active_directory,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.win2000.termserv.clients
>Subject: W2K Group Policy Overriding Local Machine Rights
>Date: Mon, 03 Nov 2003 18:04:15 GMT
>
>I have a W2K server running AD and Terminal Services.
>
>I am running a mixed client environment of Windows 98, W2K and WXP systems.
>
>I have a group policy (Terminal Users) in place that is specifically
>designed for the Terminal Server users that limits user rights when they are
>actively using the Terminal Server.
>
>I don't have roaming profiles enabled.
>
>Here's the problem, I had to rebuild a failed W2K workstation the other day
>and ever since, the group policy that I created for the Terminal Server
>users is now overriding the default login on the workstation itself. What I
>mean is that the limitations that I have imposed when you connect to the
>Terminal Server are now filtering down to the actual client desktop as well
>(meaning that they are no longer administrators on their machines, can't
>install software, can't access certain parts of the system, etc.). I have
>tried adjusting the security settings to allow this but nothing works, they
>still get the Terminal Server policy settings. These are the first W2K OS
>reinstallations that have taken place since the Terminal Server was
>installed.
>
>This didn't happen before, the user could login to their workstation and the
>policy wouldn't affect them unless they connected to the Terminal Server.
>If I take the user out of the Group Policy (Terminal Users) and just add
>them to "Users" in the Active Directory then the settings on their
>workstation are back to how they should be but when they login to the
>Terminal Server they now have too much access because the Group Policy
>doesn't apply to normal network users (i.e. they can see menu items that
>they shouldn't access, access to the local drives, control panel, etc.).
>
>I'm not sure how this happened but I have two other W2K users who aren't
>affected, it seems like this happened because it was a brand new machine to
>the system. I have verified this by going to one of the existing Windows
>2000 machines and logging in as the same user that I had problems with and
>the Terminal Server policy is not passed to that machine.
>
>Windows 98 machines are not affected.
>
>Basically, what I would like to do is have the Terminal Server group policy
>in place but not have it affect the user when they logon to their machine
>locally. Should I create a separate policy for an individual Terminal
>Server user and specify it under their Terminal Server profile settings? Is
>this possible?
>
>Thanks in advance for any help!
>
>John Bennett
>
>
>
Hi John!
It sounds as though this freshly installed Windows 2000 machine is in the same OU as the Terminal Server. Can you describe in more detail in which OUs your computers reside and where you have linked the group policy? Once we get that information, it should be fairly straightforward to get the behavior you want.
Siddharth Sawkar
PSS Security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.