Re: W2K Group Policy Overriding Local Machine Rights
From: John R. Bennett (john.bennett_at_nwnsi.com)
Date: 11/03/03
- Next message: Vera Noest [MVP]: "Re: W2K Group Policy Overriding Local Machine Rights"
- Previous message: Frank: "Domain Removal"
- In reply to: MSFT: "RE: W2K Group Policy Overriding Local Machine Rights"
- Next in thread: Vera Noest [MVP]: "Re: W2K Group Policy Overriding Local Machine Rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 03 Nov 2003 21:53:10 GMT
Thank you for the reply!
In answer to your questions, in the Active Directory Users and
Computers/Domain Controllers I have created an OU called "Terminal Users".
In that OU I have a Group Policy called "Terminal Users" as well. It is set
for "No override" and the "Block Policy Inheritance" option is not checked.
It is this policy that I have modified the settings on so as to limit what a
Terminal Server user can do. All of the Domain Users are listed as members
of this group (I added them all knowing that they would all eventually be
migrated to the Terminal Server). The computers that I rebuilt are also
listed under "Computers" in the Active Directory and show up as a member of
"domain name/users".
When I move the user out of the Group Policy into "Users" in the Active
Directory they can log on to their local machine with Administrator
privileges but don't get the Group Policy settings when they log in to the
Terminal Server. The strange thing is that these machines were Windows 2000
before and didn't do that until I had to reinstall the OS.
Thanks again for your help!
John Bennett
"MSFT" <ssawkar@online.microsoft.com> wrote in message
news:NL7WhlkoDHA.2148@cpmsftngxa06.phx.gbl...
>
> --------------------
> >From: "John R. Bennett" <john.bennett@nwnsi.com>
> >Newsgroups: microsoft.public.win2000,microsoft.public.win2000.active_directory,microsoft.public.win2000.networking,microsoft.public.win2000.security,microsoft.public.win2000.termserv.clients
> >Subject: W2K Group Policy Overriding Local Machine Rights
> >Lines: 50
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> >Message-ID: <zMwpb.94850$HS4.806574@attbi_s01>
> >NNTP-Posting-Host: 12.208.151.134
> >X-Complaints-To: abuse@comcast.net
> >X-Trace: attbi_s01 1067882655 12.208.151.134 (Mon, 03 Nov 2003 18:04:15 GMT)
> >NNTP-Posting-Date: Mon, 03 Nov 2003 18:04:15 GMT
> >Organization: Comcast Online
> >Date: Mon, 03 Nov 2003 18:04:15 GMT
> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!news-out1.nntp.be!propagator2-sterling!news-in-sterling.nuthinbutnews.com!cyclone1.gnilink.net!wn14feed!wn13feed!worldnet.att.net!204.127.198.203!attbi_feed3!attbi.com!attbi_s01.POSTED!not-for-mail
> >Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.networking:43461 microsoft.public.win2000.security:14731 microsoft.public.win2000.termserv.clients:12780 microsoft.public.win2000.active_directory:54525
> >X-Tomcat-NG: microsoft.public.win2000.security
> >
> >I have a W2K server running AD and Terminal Services.
> >
> >I am running a mixed client environment of Windows 98, W2K and WXP systems.
> >
> >I have a group policy (Terminal Users) in place that is specifically
> >designed for the Terminal Server users that limits user rights when they
> >are actively using the Terminal Server.
> >
> >I don't have roaming profiles enabled.
> >
> >Here's the problem, I had to rebuild a failed W2K workstation the other
> >day and ever since, the group policy that I created for the Terminal Server
> >users is now overriding the default login on the workstation itself. What I
> >mean is that the limitations that I have imposed when you connect to the
> >Terminal Server are now filtering down to the actual client desktop as well
> >(meaning that they are no longer administrators on their machines, can't
> >install software, can't access certain parts of the system, etc.). I have
> >tried adjusting the security settings to allow this but nothing works, they
> >still get the Terminal Server policy settings. These are the first W2K OS
> >reinstallations that have taken place since the Terminal Server was
> >installed.
> >
> >This didn't happen before, the user could log in to their workstation and
> >the policy wouldn't affect them unless they connected to the Terminal Server.
> >If I take the user out of the Group Policy (Terminal Users) and just add
> >them to "Users" in the Active Directory then the settings on their
> >workstation are back to how they should be but when they log in to the
> >Terminal Server they now have too much access because the Group Policy
> >doesn't apply to normal network users (i.e. they can see menu items that
> >they shouldn't access, access to the local drives, control panel, etc.).
> >
> >I'm not sure how this happened but I have two other W2K users who aren't
> >affected, it seems like this happened because it was a brand new machine
> >to the system. I have verified this by going to one of the existing Windows
> >2000 machines and logging in as the same user that I had problems with and
> >the Terminal Server policy is not passed to that machine.
> >
> >Windows 98 machines are not affected.
> >
> >Basically, what I would like to do is have the Terminal Server group policy
> >in place but not have it affect the user when they log on to their machine
> >locally. Should I create a separate policy for an individual Terminal
> >Server user and specify it under their Terminal Server profile settings? Is
> >this possible?
> >
> >Thanks in advance for any help!
> >
> >John Bennett
> >
> Hi John!
>
> It sounds as though this freshly installed Windows 2000 machine is in the
> same OU as the Terminal Server. Can you describe in more detail in which OUs
> your computers reside and where you have linked the group policy? Once we
> get that information, it should be fairly straightforward to get the
> behavior you want.
>
> Siddharth Sawkar
> PSS Security
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
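Added diagnostic for this thread, not code from the original post or from Microsoft. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which postdate Windows 2000, and uses placeholder account names. It reports where a user account and a computer account sit in the directory and which GPOs reach each of them, showing the User and Computer halves of every GPO separately. Run against a member of the "Terminal Users" OU and the rebuilt workstation, it makes the symptom in the thread visible: the User half of a GPO linked to an OU that holds user accounts follows the user to every machine they log on to, so the workstation's own OU membership does not decide whether those restrictions apply.

```powershell
# Added example for this thread, not code from the original post.
# Requires the RSAT ActiveDirectory and GroupPolicy modules (Server 2008 R2 or later),
# run from a domain-joined machine by a user who can read the directory.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoScopeReport {
    param(
        [Parameter(Mandatory)] [string] $UserName,      # sAMAccountName (placeholder below)
        [Parameter(Mandatory)] [string] $ComputerName   # computer account name (placeholder below)
    )

    $targets = @(
        @{ Kind = 'User';     Object = (Get-ADUser     -Identity $UserName) }
        @{ Kind = 'Computer'; Object = (Get-ADComputer -Identity $ComputerName) }
    )

    foreach ($t in $targets) {
        # Parent container = DN with the leading "CN=name," removed.
        # (Does not handle an escaped comma inside the RDN itself.)
        $parentDn = ($t.Object.DistinguishedName -split ',', 2)[1]
        Write-Host ""
        Write-Host ("{0} {1} is in: {2}" -f $t.Kind, $t.Object.Name, $parentDn)

        # The default Users and Computers containers are CN= containers, not OUs.
        # GPOs cannot be linked there, so only domain- and site-linked GPOs reach them;
        # report the domain's inheritance in that case.
        if ($parentDn -notmatch '^OU=') {
            Write-Host "  (built-in container, not an OU: only domain/site-level GPOs apply)"
            $parentDn = (Get-ADDomain).DistinguishedName
        }

        # InheritedGpoLinks lists every GPO that reaches this container, in
        # processing order, including links on parent OUs and on the domain.
        $inh = Get-GPInheritance -Target $parentDn
        foreach ($link in $inh.InheritedGpoLinks) {
            $gpo = Get-GPO -Guid $link.GpoId
            # A GPO with UserSettings=True that reaches the *user's* container applies
            # to that user on every machine they log on to, workstation or Terminal Server.
            Write-Host ("  {0,-28} Enforced={1,-5} UserSettings={2,-5} ComputerSettings={3}" -f `
                $link.DisplayName, $link.Enforced, $gpo.User.Enabled, $gpo.Computer.Enabled)
        }
    }
}

# Placeholder names: substitute a member of "Terminal Users" and the rebuilt workstation.
Get-GpoScopeReport -UserName 'jdoe' -ComputerName 'WKS01'

# Cross-check on the workstation itself while that user is logged on at the console:
#   gpresult /r /scope:user
# The user's "Applied Group Policy Objects" list should match the UserSettings=True rows
# above; the Terminal Users GPO appearing there is the behaviour described in the thread.
```

The "No override" flag from the thread is the same link attribute the report prints as Enforced; it controls precedence between conflicting GPOs, not which objects the GPO reaches. Limiting a user-side GPO to sessions on the Terminal Server alone is normally done with User Group Policy loopback processing, a Computer Configuration setting placed in a GPO that reaches the Terminal Server's own computer account, rather than by where the user accounts live; if that has been set up, the report shows the GPO carrying it under ComputerSettings for the server.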