You're
very welcome, and thanks for the thanks!
Rick Kingslan - Microsoft
Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gregg Porter
Sent: Thursday, September 19, 2002 6:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Terminal Services OU Group Policy QuestionLife is good. Thank you Messrs. Carey and Kingslan for your very useful advice. My Terminal Server is happy and my remote users are happy. You deserve my check this month. Too bad it's already spent.-----Original Message-----
From: Carey, Greg [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services OU Group Policy QuestionLittle late coming into this, but you can have multiple group policies with application to specific groups all with Loopback enabled (ie - some not applied to all authenticated users but rather domain admins or the like). They would be arranged with highest priority at the top. You could then reverse some setting by using a higher priority policy that just applies to a specific group. We are doing that to reverse some of the average user lock down setting (lower priority policy) for administrators (higher priority policy).The reason you have to enable loopback processing is because the user account is not in the OU so would not normally have the user portion of the ou's policy applied.-----Original Message-----
From: Gregg Porter [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 11:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Terminal Services OU Group Policy QuestionI started with Q260370. I created a new OU. It contains only the Terminal Services box. I created a new group policy object for that OU. However, none of the policy settings would take effect until I enabled the loopback processing mode setting in computer configuration\admin templates\system\group policy.You -- rightfully -- wonder about my end goal.. I wish to control what the Terminal services user can do/see on from the desktop. I have a specific set of applications I wish to deliver. It is a simple configuration.-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 9:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Terminal Services OU Group Policy QuestionGregg,Not to be too critical, but let me cite the Q articles that you used:Quoted from Q278295:"With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new Organizational Unit instead of modifying the polices on an existing one."Quoted from Q260370"The second option is to apply GPOs to Terminal Services servers exclusively with the use of a GPO Loopback policy. This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to the computer affected by this policy"What I'm getting at with these two quotes is: if you're going to use loopback with Terminal Services, no - you can't apply to some, but not others. The reason for this is that ALL settings are effectively getting applied during startup (or, more appropriately when the computer is starting) so we have no opportunity to define via a user account who is and who isn't affected - it's all one machine and all users are affected, without fail, by the computer settings.Taking a look at the first Method in Q260370 may provide some relief, but I don't know what your end goal is.> Is it possible to apply group policy to users of this box without forcing every user to experience the same policy application?In a word - no.> Thanks in advance for a little pucker relief. Will reluctanltly submit to self punishment if Cthluhu has an AD interest and I have trod upon one of his horrific> bunions...Dude - now you're freakin' me out..... ;-)Rick Kingslan - Microsoft Certified Trainer
MCSE+I on Windows NT 4.0
MCSE on Windows 2000
MVP [Windows NT/2000 Server]
"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gregg Porter
Sent: Monday, September 16, 2002 9:15 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Terminal Services OU Group Policy QuestionMixed mode, single domain. Migrated from NT4. One win 2000 Terminal Services server,. AD with an OU containing TS box. DNS functioning properly. Authentication apparently functioning properly. SP3 on all Win 2000 Servers. Clients with 95, 98, xp, nt4, and 2000. Oh yes, one admin with a growing pucker problem.We created a new group policy object for the Terminal Services OU. (Followed the lockdown procedures in Q278295. Also consulted Q260370, Q294751, and a new Moon Systems white paper.). Which worked when the loopback processing mode policy was enabled. However, I am unable to log onto that box for admin. purposes with that policy enabled: Loopback = one flavor for everyone?Is it possible to apply group policy to users of this box without forcing every user to experience the same policy application?Thanks in advance for a little pucker relief. Will reluctanltly submit to self punishment if Cthluhu has an AD interest and I have trod upon one of his horrific bunions..._______________________Gregg PorterDirector, Technology ServicesNational Head Start Association703/739-7556
