...maybe a little late in the day... I'm assuming that the users are in the Active Directory, in which case this isn't an issue; it's by design. Otherwise you'd be having users circumventing desktop restrictions by finding a machine in another trusted domain.
Perhaps what you should actually be considering, rather than messing about with exclusions, is loopback mode. This would involve setting up your user policy for use on the terminal server locally, then switching the group policy application mode on that server only. This means the user gets the settings defined on the TS rather than from the user's source AD. It's almost the same kind of principles for, say, an internet cafe workstation where, irrespective of user, you want a certain set of configuration to apply. There are two types of loopback mode, merge and replace; it's worth going and having a read about it and seeing if it might solve your problem.

OK, so it involves a little more administrative effort on the side of setting up policies on the TS itself for users, but it seems neater to me than messing with group filtering. (Perhaps someone could explain to me how group filtering could achieve this without causing issues when logging onto the source domain. I'm probably thinking too simple at this time in the morning pre-caffeine, but am intrigued to know if this is a better option.)

Thanks,
Paul.

Subject: RE: [ActiveDir] Active Directory users and Terminal Server in NT4.0 domain
Date: Wed, 3 Mar 2004 21:29:39 -0800
From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

If I follow your scenario, then it is entirely possible to get user group policy from a Win2k device within an NT 4 domain. I can't think of any good way to prevent them from getting that policy, other than using user or user group-based security filtering on that GPO to prevent these users from processing the policy. That assumes, of course, that you know reliably which users are logging into that TS and can neatly exclude them.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Wednesday, March 03, 2004 4:19 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory users and Terminal Server in NT4.0 domain

All,

We appear to be having an issue with users in an Active Directory domain who need to get to applications on Windows 2000 Terminal Server in an NT4.0 domain that trusts the Active Directory domain. It appears that the group policy for the users is trying to get applied and it's affecting the Terminal Server. I didn't think this could even happen. Does this make sense? What can we do to prevent it?

Thanks,
Mike

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
