Windows NT Group Policy For Terminal Server

Rossco1981

Hi all,
This is probably a straightforward problem but I am a bit stuck.
We have an OU for terminal servers which has the GPO applied to it, to
restrict various things (such as run box, control panel access, map drive
etc).
This works perfectly well when users log onto the server: they can only do
the tasks we want them to do. However, as the policy is applied at machine
level, when we log on as an administrator we also experience the same
restrictions. We cannot apply the policy at user level (as users are in many
places and use different computers/laptops etc). Is there a way to apply
the policy to everyone but Administrators? As we need to use terminal
services manager, need to be able to see event viewer etc. Could we apply
the GPO to a group that admin is not a member of?
Any ideas would be welcomed.
Thanks
 
Absolutely! This should help:

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

 
Thanks works very well
 
This was something I was dealing with too. However I have the Group Policy
Management tool installed so that GPO tab does not work. In the GPM Tool
there are no similar permissions that I could find apart from the Delegation
Tab when the GPO is selected. I was afraid to remove the Domain Admins from
there (there is no "deny" option) because I was afraid I would lock myself
out of the ability to edit or remove the Policy afterwards.

I don't want the policy to apply when a Domain Admin connects to the
Terminal Server, but I don't want to lock the Domain Admins out of being
able to alter or remove the policy when trying to administer policies.

So currently I am leaving the policy unlinked and unused at all and the TS
is running pretty much straight without any GPO mods.

Can you shed some light on that?


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
In the Group Policy Management tool, once you go into the Group Policies for
an OU you will notice on the left a listing of your OUs. If you look under
the OU this applies to you will see a listing of the GPOs. You can
right-click on it there and go into the Properties of the actual GPO, then
select the "Applies to..." part. Unless I have misunderstood what you are
looking for.
 
"Jeff" <Jeff@discussions.microsoft.com> wrote in message
news:5D066B5C-AA5A-4286-A61B-53B83B4F1F3D@microsoft.com...
> In the Group Policy Management tool, once you go into the Group Policies for
> an OU you will notice on the left a listing of your OUs. If you look under
> the OU this applies to you will see a listing of the GPOs. You can
> right-click on it there and go into the Properties of the actual GPO, then
> select the "Applies to..." part. Unless I have misunderstood what you are
> looking for.


In the Group Policy Management tool the GPOs are listed in a section by
themselves at the bottom. Inside the OUs is just a "shortcut" that serves
as a "marker" for where the policy is linked.

There is no "Applies to.." in either one of those places. There isn't even
a Properties.
It does activate the right side Window which has a "Security Filtering"
under the "Scope Tab", and there is a Delegation Tab. I'm not entirely sure
of the specific impact of whatever I do in those, so I am reluctant to mess
with it till I know for sure. It doesn't look like there is a way to do an
explicit Deny,..only an implied Deny by not including them in the list.

The problem is that if I use a User Group *and* the TS Machine it doesn't
treat them as a combination but applies to each separately,..so it applies
to the user no matter what machine they are on and at the same time applies
to any user on the TS Machine. What I need is it to only apply on the TS box
and not apply to the Domain Admins when on the TS box.

The TS box is in an OU with other machines,..I need to keep it there,..I
don't want to move it into its own OU unless there is just absolutely no
other way.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
I may be able to overcome this by how I create and arrange my user groups
for the TS users. I'll take a closer look at that later today.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Answers inline.

I hope this helps.

Helge

On 22 Aug., 01:28, "Phillip Windell" wrote:
> "Jeff" <J...@discussions.microsoft.com> wrote in message
>
> news:5D066B5C-AA5A-4286-A61B-53B83B4F1F3D@microsoft.com...
>
> > In the Group Policy Management tool, once you go into the Group Policies for
> > an OU you will notice on the left a listing of your OUs. If you look under
> > the OU this applies to you will see a listing of the GPOs. You can
> > right-click on it there and go into the Properties of the actual GPO, then
> > select the "Applies to..." part. Unless I have misunderstood what you are
> > looking for.
>
> In the Group Policy Management tool the GPOs are listed in a section by
> themselves at the bottom. Inside the OUs is just a "shortcut" that serves
> as a "marker" for where the policy is linked.


Although that is correct, it is irrelevant to the tasks at hand.

>
> There is no "Applies to.." in either one of those places. There isn't even
> a Properties.
> It does activate the right side Window which has a "Security Filtering"
> under the "Scope Tab", and there is a Delegation Tab. I'm not entirely sure
> of the specific impact of whatever I do in those, so I am reluctant to mess
> with it till I know for sure. It doesn't look like there is a way to do an
> explicit Deny,..only an implied Deny by not including them in the list.


Use the tab "Scope" and there the section "Security Filtering". If you
add user/group/computer objects there, the GPO will be applied to
exactly the objects you selected.

Some hints:

1) The entries listed under "Security Filtering" actually show a
subset of the permissions that are set on the GPO, namely those
objects the GPO applies to (those which have the permissions to "Read"
and "Apply" the GPO).

2) You cannot use the section "Security Filtering" to set an ACE to
access denied. For that you need the tab "Delegation".

3) There is no "implied deny". Setting an access denied ACE works by
going to the "Security Filtering" tab, selecting an entry and then
clicking on "Properties" near the bottom.

4) If you want a GPO to apply only to a single computer then add the
computer account to the list in "Security Filtering" and make sure
nothing else is on the list.

>
> The problem is that if I use a User Group *and* the TS Machine it doesn't
> treat them as a combination but applies to each separately,..so it applies
> to the user no matter what machine they are on and at the same time applies
> to any user on the TS Machine. What I need is it to only apply on the TS box
> and not apply to the Domain Admins when on the TS box.


You might want to have a look at loopback processing mode which is
used for most terminal servers.

>
> The TS box is in an OU with other machines,..I need to keep it there,..I
> don't want to move it into its own OU unless there is just absolutely no
> other way.


See above: security filtering by machine object.
 
Thank you for the reply, Helge,

"Helge Klein" <Helge.Klein@googlemail.com> wrote in message
news:1187810084.544734.241730@i38g2000prf.googlegroups.com...
> Use the tab "Scope" and there the section "Security Filtering". If you
> add user/group/computer objects there, the GPO will be applied to
> exactly the objects you selected.


That is what I do. GPOs are linked in at the top of the Domain, I then
control what the GPOs apply to via entries in the Scope Tab-->Security
Filtering,... rather than create a messy complex OU tree.

> 1) The entries listed under "Security Filtering" actually show a
> subset of the permissions that are set on the GPO, namely those
> objects the GPO applies to (those which have the permissions to "Read"
> and "Apply" the GPO).


The only options when right-clicking on an object in the Security Filtering
are "Remove" and "Properties". That is where the problem is. The properties
is the Properties of the item itself, it is not Properties of the access
relationship to the GPO. In other words if the object is a Group I can add
users to the group or add the group to another group.

> 2) You cannot use the section "Security Filtering" to set an ACE to
> access denied. For that you need the tab "Delegation".


But what does Delegation actually affect? Does removing someone from
Delegation mean the GPO simply does not apply to them,...or does it mean
that the removed Person can not go into ADUC or the GPM and "manage" the
GPO?

> 3) There is no "implied deny". Setting an access denied ACE works by
> going to the "Security Filtering" tab, selecting an entry and then
> clicking on "Properties" near the bottom.


See my response to #1

> 4) If you want a GPO to apply only to a single computer then add the
> computer account to the list in "Security Filtering" and make sure
> nothing else is on the list.


I do put the TS machine in there,...the problem is that it will apply to all
users who log on to the machine,..I don't want that,..I do not want it to
apply to Domain Admins.

> You might want to have a look at loopback processing mode which is
> used for most terminal servers.


Do you have an example of that?
I have never used loopback processing.
I don't even know where to start, or what you can do or not do with it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
I hope I can clarify things a little with this post.

1) Information on Loopback Processing

Loopback processing of Group Policy
http://support.microsoft.com/?scid=kb;en-us;231287&x=19&y=23

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

2) GPMC: "Security Filtering" versus "Delegation"

Like most objects GPOs have an ACL associated with them. This ACL is
relatively complex and controls several things at once:

- Who can "see" the GPO
- Who can edit the settings in the GPO
- Who the GPO applies to
- ...

In the tab "Delegation" you see the full contents of the ACL,
containing both the entries (ACEs) for the objects the GPO applies to
(again: read and apply are needed for this - if those two are set the
ACE appears on "Security Filtering") and other ACEs related to
managing the GPO.

That means:

If you go to "Delegation", add an ACE and give the rights read and
apply GPO then this is exactly the same as adding an object via
"Security Filtering" - check it out yourself!

In other words: "Security Filtering" is a shortcut (designed to reduce
complexity) for adding an ACE to the GPO with the two rights read and
apply GPO. That is why its GUI is so limited. If you want the full
picture, go to "Delegation".

I recommend you play around with the security settings to get a
feeling for how they work in the GPMC.

I hope this helps.

Helge

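
The relationship described in the post above (the "Security Filtering" list as a view of the Read + Apply entries in the GPO's ACL, a deny entry set via "Delegation", and loopback processing on the terminal server) can be modelled in a few lines. This is an added example, not part of any post in the thread: it is a simplified model, not Windows' actual access check, and the names used (TS01$, WS07$, TS Users, alice, admin) are constructed.

```python
"""Toy model of GPO scoping on a terminal server (constructed names throughout)."""
from dataclasses import dataclass

READ, APPLY, EDIT = "Read", "Apply Group Policy", "Edit settings"


@dataclass(frozen=True)
class Ace:
    trustee: str        # account or group named in the ACE
    allow: bool         # False models an access-denied ACE
    rights: frozenset   # subset of {READ, APPLY, EDIT}


def ace(trustee, *rights, allow=True):
    return Ace(trustee, allow, frozenset(rights))


def effective_rights(acl, token):
    """Rights a principal ends up with; a deny ACE overrides any allow."""
    allowed, denied = set(), set()
    for entry in acl:
        if entry.trustee in token:
            (allowed if entry.allow else denied).update(entry.rights)
    return allowed - denied


def gpo_applies(acl, token):
    """A GPO is processed for a principal only with both Read and Apply."""
    return {READ, APPLY} <= effective_rights(acl, token)


def security_filtering_view(acl):
    """Trustees GPMC would list under Scope > Security Filtering."""
    return sorted(e.trustee for e in acl if e.allow and {READ, APPLY} <= e.rights)


def lockdown_hits_user(acl, computer_token, user_token):
    """One GPO carrying the loopback switch (computer side) and the lockdown
    (user side): the computer must apply it to turn loopback on, and the
    logged-on user must pass the same ACL for the user settings to land."""
    return gpo_applies(acl, computer_token) and gpo_applies(acl, user_token)


# Constructed tokens: each is the set of names the principal is a member of.
TS01 = {"TS01$", "Domain Computers", "Authenticated Users"}
WS07 = {"WS07$", "Domain Computers", "Authenticated Users"}
ALICE = {"alice", "Domain Users", "TS Users", "Authenticated Users"}
ADMIN = {"admin", "Domain Users", "TS Users", "Domain Admins", "Authenticated Users"}

# Default-style ACL: everyone applies, Domain Admins can also edit.
DEFAULT_ACL = [
    ace("Authenticated Users", READ, APPLY),
    ace("Domain Admins", READ, EDIT),
]

# Only the computer account is in the filter.
MACHINE_ONLY_ACL = [
    ace("TS01$", READ, APPLY),
    ace("Domain Admins", READ, EDIT),
]

# Filter by machine and user group, plus a deny on Apply for Domain Admins.
FILTERED_ACL = [
    ace("TS01$", READ, APPLY),
    ace("TS Users", READ, APPLY),
    ace("Domain Admins", READ, EDIT),
    ace("Domain Admins", APPLY, allow=False),
]


def report():
    """(acl name, alice@TS01, admin@TS01, alice@WS07, admin can still edit)."""
    rows = []
    for name, acl in [("default", DEFAULT_ACL), ("machine only", MACHINE_ONLY_ACL),
                      ("filtered + deny", FILTERED_ACL)]:
        rows.append((name,
                     lockdown_hits_user(acl, TS01, ALICE),
                     lockdown_hits_user(acl, TS01, ADMIN),
                     lockdown_hits_user(acl, WS07, ALICE),
                     EDIT in effective_rights(acl, ADMIN)))
    return rows


if __name__ == "__main__":
    print(f"{'ACL':<16} alice@TS01 admin@TS01 alice@WS07 admin-can-edit")
    for name, *flags in report():
        print(f"{name:<16} " + " ".join(f"{str(f):<10}" for f in flags))
```

In this model the "machine only" row shows that a single GPO carrying both the loopback setting and the user lockdown needs the users in its filter as well as the computer; the last row keeps the admin's edit right while the lockdown no longer lands on the admin's session.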
 
Ok, I'll look into it some more tomorrow afternoon,..today was too busy to
do anything.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
These are probably a bit easier to read and step by step:

http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com
 
"Patrick Rouse" wrote in message
news:626F3C80-60F6-465B-B49D-08484BFC925D@microsoft.com...
> These are probably a bit easier to read and step by step:
>
> http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html
>
> http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html


Thanks Patrick,

I think I have it working according to how Helge described (thanks Helge),
it just took me a while to get it straight in my head how it worked. But
I'll check those out, I'm sure I'll be doing more with this later.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Thanks for your feedback. It is good to hear that things work for you
now.

Helge

 
"Helge Klein" <Helge.Klein@googlemail.com> wrote in message
news:1187948595.180807.222630@q5g2000prf.googlegroups.com...
> Thanks for your feedback. It is good to hear that things work for you
> now.


Unfortunately it still doesn't work. I had to give up on the whole thing
and start over. I now created a User Group of TS users that does not
include Domain Admins. I then gave the group permission to the GPO.

Now it does not even get applied. Running GPRESULT on the TS box shows that
the GPO does not get applied. Right now I can't remember if it was due to
"Filtered out" or "Denied".

I'm really tired of messing with it right now and am going to shelve it for
later. The users already know to never shut it down and they have been
pretty good about it.

But thank you very much for trying to help out with it.

--
Phillip Windell
www.wandtv.com
 