Locking Down Computers with GPO not working

Post by compsosin » Tue, 04 Mar 2008 23:12:41


We have a Windows 2003 Domain Controller in a test lab and we are
having a problem trying to apply a policy to an XP Pro computer so
that we can eventually identically lockdown the local desktops for
(10) other PCs as much as possible. What we want to do is apply a GPO
that controls, for starters, what is available on the Start Menu no
matter who logs into the XP systems (except Domain Admins).

1. We created an OU and called it 'LDClientPCs'. We created a GPO and
linked it to this OU. We moved the XP Pro computer from the
'Computers' container into the OU. We edited the GP, under the User
Configuration>Start Menu> and for a test tried to remove the Help &
Search from the Start Menu.

2. We ran gpupdate /force on the DC and the XP Pro computer and logged
into the domain but the Policy did not apply. We tried various
Security filtering for the TestUser account and the XP computer. We
left "Authenticated Users" in there.

3. If we create an OU and move the User Account (TestUser) into it,
create/apply similar policy it works. But all we have read is that we
should not have to move the User Accounts into an OU, just the
computer accounts.

I think we are confused on application of User Configuration &
Computer Configuration settings and how to apply them...

In this same test lab, we have the same users subsequently connecting
to a Terminal Server that is in its own OU and the lockdown is working
for that fine. We now want to do similar for the local desktops.

Thanks

Locking Down Computers with GPO not working

Post by Florian Fr » Tue, 04 Mar 2008 23:24:26

Howdie!

XXXX@XXXXX.COM wrote:

There's the "problem". The default rules of Group Policy are:
- computer objects will only apply Computer Configuration settings
- user objects will only apply User Configuration settings.

So when you're having an OU with a policy applied, that contains user
config settings, and you put computers into that OU, the computers will
not apply the setting. They simply "do not look" at the user config
settings you configure.

You could now go and move the user objects into that OU but that is
probably not what you want - since the restrictions would then apply to
the users no matter where they log on.

For those scenarios, there's something called the "loopback processing"
mode out there, which is something you can also use for Terminal Services
environments. Loopback basically makes the computer objects look at the
user configuration settings of a GP - overwriting or merging the
settings with the ones that are linked for the real user. Loopback
should be what you're searching for:

http://www.yqcomputer.com/
http://www.yqcomputer.com/

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.yqcomputer.com/
Use a newsreader! http://www.yqcomputer.com/
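To make the mechanism Florian describes concrete, here is an added example (not part of the thread, and not Florian's or Microsoft's code) that builds the lockdown GPO the original poster describes: linked to the 'LDClientPCs' OU, loopback processing set to Replace so the computers in that OU apply the GPO's User Configuration no matter who logs on, and the Start Menu Help and Search items removed as the test settings. It assumes the GroupPolicy PowerShell module from RSAT (Windows Server 2008 R2 or later); the thread's Windows 2003 DC has no such module, so it would be run from a newer management host in the domain. The domain DN and the GPO name 'LDClientPCs Lockdown' are placeholders.

```powershell
# Added example: loopback processing (Replace) on a GPO linked to a computer OU.
# Assumes the RSAT GroupPolicy module; domain DN and GPO name are placeholders.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'          # placeholder: your domain's DN
$ouDn     = "OU=LDClientPCs,$domainDn"     # OU from the thread, holds the computer accounts
$gpoName  = 'LDClientPCs Lockdown'         # assumed GPO name

# 1. Create the GPO if it does not exist and link it to the computer OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

# 2. Loopback processing. This is a COMPUTER setting (Computer Configuration >
#    Administrative Templates > System > Group Policy > "User Group Policy
#    loopback processing mode"), backed by UserPolicyMode: 1 = Merge, 2 = Replace.
#    Replace means the user's own GPOs are ignored on these machines; only the
#    User Configuration of GPOs that apply to the computer is processed.
$systemKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# 3. The User Configuration settings from the poster's test
#    (User Configuration > Administrative Templates > Start Menu and Taskbar).
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoSMHelp' `
    -Type DWord -Value 1 | Out-Null   # Remove Help menu from Start Menu
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoFind' `
    -Type DWord -Value 1 | Out-Null   # Remove Search menu from Start Menu

# 4. Security filtering: leave Authenticated Users with Read + Apply, as Florian
#    says. It covers both the computer accounts (needed for the loopback setting
#    itself) and the users who log on. Note: with Replace mode, Domain Admins who
#    log on to these machines get the restrictions too; exempting them needs a
#    Deny "Apply group policy" ACE, which Set-GPPermission cannot add, so that
#    step is done in GPMC under Delegation > Advanced.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table Trustee, Permission -AutoSize

# 5. Read back what the GPO stores. On the XP client, `gpupdate /force` followed by
#    `gpresult /r /scope:user` should then list this GPO under the user section even
#    for a user whose account sits outside the OU.
$mode = (Get-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'UserPolicyMode').Value
"Loopback mode stored in '$gpoName': $mode (1 = Merge, 2 = Replace)"
```

The order of steps matters for understanding the failure in the original post: without step 2, the GPO in step 1 is read by the computers but its User Configuration is never evaluated, which is exactly the "do not look" behaviour Florian describes.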


Locking Down Computers with GPO not working

Post by compsosin » Wed, 05 Mar 2008 00:00:47

On Mar 3, 9:24 pm, "Florian Frommherz [MVP]"
< XXXX@XXXXX.COM > wrote:

Ok, thanks for replying and we had already tried enabling loopback
(replace mode) on the GP for the OU that contains the computer
accounts. We are re-reading the links you sent to see if we are
misunderstanding.

Let me explain what we want to be able to do and please let us know if
it is even possible.

We have a Windows 2003 Domain Controller and a Windows 2003 Terminal
server as a member server. There are (10) XP - based computers that
are domain members and currently in the "Computers" container in AD,
named TC1, TC2, TC3, etc. We have (10) generic User accounts (TU1,
TU2, etc), one for each TC.

1. When the Users login to the domain we want them presented with the
same, restricted local desktops as they will not be using their local
desktops to do anything. Their real goal is to use the Terminal
Server, but if they close the connection to the TS, then they have a
local desktop which is what we want to restrict. For instance, no 'My
Computer' icon, no 'Run' command - basically everything off the Start
Menu and desktop except a Remote Desktop Connection icon to reconnect
to the TS.

2. We currently have an OU with the Terminal Server in it, have
created a GP for it, and when the Users connect, they have the same TS
desktop. Under the Security tab for the GPO we have the TS machine
added and the Testusers group (of which TU1 is a member of) with the
read/apply group policy.

So what are we missing? I think there is an inheritance conflict since
the TU1 user is added to the Security filtering of the TS GPO???

We thought we could just move the TC1 computer account into its own
OU, enable loopback - replace and configure the User Configuration
settings like we did for the TS....


Locking Down Computers with GPO not working

Post by Florian Fr » Wed, 05 Mar 2008 00:18:40

Howdie!

I must admit I don't understand your approach under 2. - but will try to
write some words and maybe another approach to what you write under 1.


If those TC-users only have the restricted desktop and will never have a
"normal" desktop machine in the domain, you could go with this:

- Put those users into an OU and link a policy with all desktop
restrictions to that OU. Like this, all desktops they log on to will be
affected.

- For the Terminal Servers OU, link another Group Policy to that OU with
other restrictions (less or more - what you like) and choose loopback
with "Replace" mode. The TS-OU-GP-settings will replace the ones you
have for the desktop that way.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.yqcomputer.com/
Use a newsreader! http://www.yqcomputer.com/

Locking Down Computers with GPO not working

Post by compsosin » Wed, 05 Mar 2008 00:43:25

On Mar 3, 10:18 pm, "Florian Frommherz [MVP]"

Ok..thank you. This is very helpful.