Group Policy and Terminal Servers, in the Terminal Services forum on BrianMadden.com


Top 100 Contributor
Points 1,744
James Fullerton Posted: 06-10-2008 9:35 PM
I'll admit this is probably a bit of a dumb question regarding group policies but here goes.

We currently have separate OUs for our Terminal Servers and users. Terminal Servers are in one OU and users are in another.
If I were to apply User Configuration group policies to the Terminal Servers OU, would those policies affect users who log in to the terminal servers? For example, say I want to allow users to have desktop wallpapers on their personal computers but not have that when they use their terminal server session.

Will that work as we have it now, or do I need to reconsider a complete revamping of our OU structure?
Top 500 Contributor
Points 658
Michael replied on 06-11-2008 1:47 AM
Hi James,

You are right. Normally only the Computer Configuration will be processed in the Terminal Server OU. But in "Computer Configuration\Administrative Templates\System\Group Policy" of your Terminal Server OU policy you will find the 'User Group Policy loopback processing mode', which can help you to edit the user configuration for all users logging on to your Terminal Servers.

Regards,
Michael
Hardware is evil and Software is mean!
Top 10 Contributor
Points 15,109
Hi,

Just to elaborate a bit...

Normally, if you want to apply GP settings to a group of users then you perform the following steps:

- Create a GPO
- Add the settings to the User Configuration portion of the GPO
- Link the GPO to an OU that contains the user accounts
- Apply the GPO to the group(s) of users as needed

For the User Configuration portion of a GPO, the location (context) of the user accounts is what matters. For the Computer Configuration portion of the GPO, the context of the computer account is what matters.

However, for TS/Citrix servers, you often want to apply additional restrictions to the user environment that you don't want to apply to their regular PC. Using the above "normal" Group Policy, you would be restricting the users on ALL computers.

To lock down your TS/CPS servers, you can enable GP loopback.

Here are the steps to apply GP settings to a group of users for your TS/Citrix farm only:

- Create a GPO
- In the Computer Configuration portion of the GPO, drill down into System -> Group Policy and enable GP loopback with "replace" mode
- Link this GPO to the OU containing the TS/CPS computer accounts
- Create another GPO
- Add the settings to the User Configuration portion of the GPO
- Link the GPO to the OU containing the TS/CPS computer accounts
- Apply the GPO to the group(s) of users as needed

As you can likely guess from the above steps, GP loopback results in GP being applied solely based on the context of the computer accounts - the location of the user accounts doesn't matter (in replace mode) and only the settings in the two GPOs above (or any other GPOs linked to the same OU above) will be applied to the filtered groups.

The only exception is the other setting for GP loopback - merge mode. Merge mode merges all your "normal" GPO settings (from elsewhere in AD) too.

Hope this helps.

Alan Osborne
President (MCSE, CCNA, VCP, CCA)
VCIT Consulting - Citrix/Terminal Services Remote Desktop Solutions for SMB
p: 604-288-7325
c: 778-836-8025
web: http://www.vcit.ca
blog: http://www.vcit.ca/wordpress

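As an added illustration of the two-GPO procedure above (this is not code from the thread or from the poster), the following PowerShell uses the RSAT GroupPolicy module to create the loopback GPO and the user-lockdown GPO, link both to the TS OU, and verify the result; the domain, OU path, GPO names and the example wallpaper setting are placeholders/assumptions.

```powershell
# Added example, not from the original thread. Assumes the RSAT GroupPolicy
# module and a domain "corp.example" with a TS OU (placeholder values below).
Import-Module GroupPolicy

$TsOu    = "OU=TerminalServers,DC=corp,DC=example"   # placeholder OU DN
$LoopGpo = "TS Loopback (Computer)"                  # placeholder GPO name
$UserGpo = "TS User Lockdown"                        # placeholder GPO name

# The loopback policy is a Computer Configuration setting backed by this
# registry value: 1 = Merge, 2 = Replace.
$LoopKey   = "HKLM\Software\Policies\Microsoft\Windows\System"
$LoopValue = "UserPolicyMode"

# Step 1: GPO carrying only the loopback setting (Replace mode), linked to the TS OU.
if (-not (Get-GPO -Name $LoopGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $LoopGpo | Out-Null
}
Set-GPRegistryValue -Name $LoopGpo -Key $LoopKey -ValueName $LoopValue -Type DWord -Value 2 | Out-Null
New-GPLink -Name $LoopGpo -Target $TsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Step 2: GPO holding the User Configuration lockdown, also linked to the TS OU.
# Example user setting (assumed mapping of "Prevent changing desktop background"),
# matching the "no wallpaper in the TS session" case from the question.
if (-not (Get-GPO -Name $UserGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $UserGpo | Out-Null
}
Set-GPRegistryValue -Name $UserGpo `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" `
    -ValueName "NoChangingWallPaper" -Type DWord -Value 1 | Out-Null
New-GPLink -Name $UserGpo -Target $TsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Verification: confirm the loopback mode stored in the GPO and list the GPO links
# on the TS OU (enabled/enforced/order). On a member TS, "gpresult /r" should then
# show $UserGpo under the user's applied GPOs even though the user lives in another OU.
$mode = (Get-GPRegistryValue -Name $LoopGpo -Key $LoopKey -ValueName $LoopValue).Value
switch ($mode) {
    1       { "Loopback: Merge" }
    2       { "Loopback: Replace" }
    default { "Loopback: not set" }
}
(Get-GPInheritance -Target $TsOu).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

If the user GPO is missing from gpresult on the TS, check that the link on the TS OU is enabled and that the user and computer both have Read plus Apply Group Policy on the GPO.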
Top 100 Contributor
Points 1,744
Personally I did "merge" mode. One caveat about this entire process is that a lot of the settings will be applied even to your network admin account if you log into the server that way. The best way around that for me was to just log in locally to the box rather than with a domain account. Not really an issue, more of a small annoyance.

Regardless, it's working very well and I am getting the terminal server desktops locked down the way I want them now.
Top 500 Contributor
Points 658
Hi James,
You can exclude your admin user from GPO processing:
- Open the Properties of your TS GPO
- On the Security tab, add your admin account
- In the Permissions field, deny "Apply Group Policy" for this user.

Regards,
Michael


Hardware is evil and Software is mean!
Top 100 Contributor
Points 1,744
Geesh, I really should have thought of that. Thanks Michael, that's a fantastic solution.
Not Ranked
Points 220
If one wants to set a GPO at the Terminal Server OU, would you enable loopback and ONLY set policies in the User Configuration, or in both the User and Computer Configurations?
Not Ranked
Points 220
Well, I must be doing something wrong! I've added my TS2008 to its own OU and set a GPO at the OU. Under Computer Configuration, I only enabled the Loopback option and set all policies in the User Configuration. I enforced the GPO on the OU, ran "gpupdate /force" on the domain, logged in with both XP SP3 and Vista SP1, and the policies are not applied. Under Security Filtering, there are Authenticated Users and the Terminal Server. Anyone think they know what's wrong?
Not Ranked
Points 220
UPDATE:
Well, no matter what I do, settings in User or Computer Configuration or both, loopback enabled or not configured, when I apply a GPO to a Computer OU, it's like it does not exist. However, I can take the same GPO and apply it to an OU with a test user in it and it works the way it should. Really frustrating.
Not Ranked
Points 220
After hours of changing stuff and testing, I was able to find a User level GPO that works with both Terminal Server OSs I have, and seems to work for all win2000/XP/Vista. Oh well, whatever works.
Not Ranked
Points 220
Is there a setting available in a GPO to restrict certain OSes or RDC versions from connecting to a TS? In my scenario, I would like Windows 2000 users who try to connect to my 2008 Terminal Farm to get a pop-up message; when they click OK, it logs them off, because they are not running the required OS for Terminal Server 2008 usage (TS Easy Print).
Top 500 Contributor
Points 360
Probably not, but you can do this with a login script.
Independent Developer - http://www.devlospec.smf-fr.org
Not Ranked
Points 130
You might be able to simplify all of this for the long run with Thin Desktop from ThinLaunch Software.

www.thinlaunch.com