Windows 2003 server standard edition Group Policy Object Editor bu

Valdas Adomaitis

As it is known Windows 2003 Server comes with preinstalled Terminal Services
so you can use Remote Desktop for Administration. As I was reading manuals
and playing with configuration I came up to an interesting conclusion:
If you use group policy object editor to change a security policy from
default – set a tick on “Define these policy settings” and define something,
then you apply to save your settings, afterwards you UNSET “Define these
policy settings” tick and apply again the settings you made first STAYS, but
under the group policy object editor’s policy settings column it says “Not
Defined”.
IMHO if I unset “Define these policy settings” the object’s state should
return to default OR it should indicate that it is set to some – NOT default
value.

Here is what I did. By default on Windows 2003 server running as DC security
policy setting for “Allow log on through Terminal Services” is:
Administrators.
I’ve put there Remote Desktop Users group, applied, ran gpupdate, tried to
connect through RDC using user’s account added to Remote Desktop Users group.
Unsucceeded and it’s o.k. But when I unset this tick on “Define these policy
settings”, run gpupdate, I no longer can connect through RDC using
administrators credentials and policy object editor’s policy settings column
says “Not Defined”.
This keeps happening until I set “administrators” under “Allow log on
through terminal services” again, apply, run gpupdate. And then again I can
unset the tick under “Define these policy settings.”
Is it normal GPOE behavior? If so, how can I know what settings are actually
applied before me if policy settings’ column says “Not defined”?

Regards,
Valdas Adomaitis

P.S. sorry if an offtopic
 
I don't think that I agree with your conclusions, but I might
misunderstand what you have done.

As I see it, this is what happened:

* the default configuration for the policy setting "Logon through
TS" is: the setting is *defined*, with "Administrators" as the
default value.
* you modify the value, don't like the results, and you *disable*
the setting (by removing the checkmark in the "Define this policy
setting" check box)
* the setting is now *undefined*, which is different from the
default configuration, in which the setting was defined, giving
Administrators the Logon right.

So the proper way to undo your changes would have been to remove
the Remote Desktop users group from the setting, not change the
status of the setting.

Before making any changes to a GPO, you should export the existing
values and / or keep a record of the changes that you make, so that
you are able to properly undo your changes.

Note that if you implement changes with a security template and the
secedit command, you can actually save the existing settings with
the /generaterollback option.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Valdas Adomaitis <biesas_2000@yahoo.com> wrote
on 19 aug 2007 in microsoft.public.windows.terminal_services:

> As it is known Windows 2003 Server comes with preinstalled
> Terminal Services so you can use Remote Desktop for
> Administration. As I was reading manuals and playing with
> configuration I came up to an interesting conclusion: If you use
> group policy object editor to change a security policy from
> default – set a tick on “Define these policy settings” and
> define something, then you apply to save your settings,
> afterwards you UNSET “Define these policy settings” tick and
> apply again the settings you made first STAYS, but under the
> group policy object editor’s policy settings column it says
> “Not Defined”.
> IMHO if I unset “Define these policy settings” the
> object’s state should return to default OR it should indicate
> that it is set to some – NOT default value.
>
> Here is what I did. By default on Windows 2003 server running as
> DC security policy setting for “Allow log on through Terminal
> Services” is: Administrators.
> I’ve put there Remote Desktop Users group, applied, ran
> gpupdate, tried to connect through RDC using user’s account
> added to Remote Desktop Users group. Unsucceeded and it’s o.k.
> But when I unset this tick on “Define these policy
> settings”, run gpupdate, I no longer can connect through RDC using
> administrators credentials and policy object editor’s policy
> settings column says “Not Defined”.
> This keeps happening until I set “administrators” under
> “Allow log on through terminal services” again, apply, run
> gpupdate. And then again I can unset the tick under “Define
> these policy settings.” Is it normal GPOE behavior? If so, how
> can I know what settings are actually applied before me if
> policy settings’ column says “Not defined”?
>
> Regards,
> Valdas Adomaitis
>
> P.S. sorry if an offtopic
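
One way to see which accounts actually hold "Allow log on through Terminal Services" on a machine when the editor column reads "Not Defined", and to keep a dated record before changing anything, as recommended above. This is an added example, not part of the original posts; the folder and file names are assumptions, and it must be run from an elevated prompt on the server being checked.

```powershell
# Added example: read the user right stored on this computer, independent
# of what the Group Policy Object Editor column displays.

$right  = 'SeRemoteInteractiveLogonRight'   # "Allow log on through Terminal Services"
$outDir = 'C:\PolicyBaseline'               # hypothetical folder for dated exports
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$export = Join-Path $outDir "user-rights-$stamp.inf"

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Export only the user rights area of the computer's security settings.
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# Find the line for this right in the [Privilege Rights] section.
$line = Get-Content $export |
        Where-Object { $_ -match "^\s*$right\s*=" } |
        Select-Object -First 1

# Values are comma-separated; entries written as SIDs carry a '*' prefix.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ })
}

if ($holders.Count -eq 0) {
    # Missing line or empty value: treat as no account holding the right.
    Write-Output "$right : no accounts listed in $export"
}
foreach ($h in $holders) {
    $name = $h
    if ($h.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(SID could not be resolved)' }
    }
    Write-Output "$right : $h  $name"
}
```

Keeping one export from before a change and one from after it gives two plain-text files that can be compared line by line to confirm what a policy edit really did.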
 