I had a similar problem when applying a software restriction policy to our RDS servers while loopback is enabled, trying to keep it from applying to administrators.
The trick I'm using is to use a group for your TS/RDS users and then filter the policy to only apply to that group plus the computer accounts of the RDS/TS servers. You probably also have to reboot the server(s) in question after making the change, since you're dealing with a computer-based policy. Not sure if this will work in your scenario (SRPs are user-based policies), but might be worth a try. From: James Rankin [mailto:[email protected]] Sent: Friday, February 11, 2011 1:08 AM To: NT System Admin Issues Subject: Re: Quick Terminal Services Profile question This GPO is certainly annoying! When configured, it kicks in for every user on the terminal server (including admins). Obviously I want regular users to get the mandatory profile and admins to have a standard profile. But as it is a Computer GPO, I can't filter it by groups or users. I can't even use AppSense to deploy it as it can only have conditions determined for the computer object. This seems a bit insane - I can set the TS profile for users, but only on a machine basis? The only thing I can think of to work around is to run a user logon script that runs tsprof to change their profile setting to the mandatory if they are in a certain group. But that seems a little bit backward to me, I was hoping to handle this via a GPO. Am I missing something glaringly obvious here? TIA, JRR On 9 February 2011 19:43, Rankin, James R <[email protected]<mailto:[email protected]>> wrote: I think I will find that the GPO wins when I do some more testing tomorrow. The fact that it is a computer setting had my brain all at sea. Typed frustratingly slowly on my BlackBerry(r) wireless device ________________________________ From: Miller Bonnie L. <[email protected]<mailto:[email protected]>> Date: Wed, 9 Feb 2011 11:20:34 -0800 To: NT System Admin Issues<[email protected]<mailto:[email protected]>> ReplyTo: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Subject: RE: Quick Terminal Services Profile question When someone here added this via GPO (also using loopback) it immediately overrode what was in AD for us, and had to be turned off. Was making a second TS Roaming profile for every TS user on our server. From: Sean Martin [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, February 09, 2011 8:16 AM To: NT System Admin Issues Subject: Re: Quick Terminal Services Profile question We're migrating to a GPO based roaming profile environment and my testing has shown the opposite. The GPO appears to override. However, that may be due to another policy configured for loopback. - Sean On Wed, Feb 9, 2011 at 3:49 AM, James Rankin <[email protected]<mailto:[email protected]>> wrote: Does anyone know, offhand, if the Terminal Services Profile set in AD overrides a Terminal Services Profile set via GPO? My testing suggests that it does - I just am looking for a little bit of clarification. My Google-powers appear drained today. TIA, JRR -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or no grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the kelpie next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or no grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the kelpie next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
