
Thread: Group Policy Local drives

  1. #1
    Daniel Guest

    Group Policy Local drives

    Ok, here is my problem.

    We have users who log into a terminal server to do their normal daily
    duties. We have two ways of people logging into the terminal server. One
    way is the user logging into their normal desktop and then double-clicking
    the shortcut for Remote Desktop. The other way is a user booting from a CD
    that I have put together. These computers do NOT have hard drives in them,
    which means "no local drive access".
    With the computers that double-click on the Remote Desktop icon, I want them
    to be able to use their local disk drives. When you check local disk drives
    under the options in Remote Desktop settings, this setting does not work
    since I have blocked access using group policy because of my "CD" users.

    Is there a way to have users who are using the Remote Desktop shortcut
    use their local disk drives and still be able to prevent users from accessing
    the server's local disk drives?

  2. #2
    bsweeney1977 Guest

    RE: Group Policy Local drives

    Sure. You could use diametric policies and security filtering...

    1. Create a GPO that configures RDP for your regular computer users. We'll
    call it "RDPForWorkstationUsers"

    2. Create a security group called "WorkstationUsers".

    3. Using the GPMC, configure security filtering for the GPO so that the
    policy only applies to users in the "WorkstationUsers" security group.

    4. Create a GPO that configures RDP for your regular computer users. We'll
    call it "RDPForCDUsers"

    5. Create a security group called "CDUsers".

    6. Using the GPMC, configure security filtering for the GPO so that the
    policy only applies to users in the "WorkstationUsers" security group.

    7. Add each user to the appropriate group.

    There, you're done. When members of the "WorkstationUsers" group sign in,
    they will be affected by the "RDPForWorkstationUsers" policy, and when
    members of the "CDUsers" group sign in then they will be affected by the
    "RDPForCDUsers" policy.

    NOTE 1: Keep in mind that if a user is not a part of either group then
    neither policy will apply.

    NOTE 2: If a user is part of both groups then it's a roll of the dice, since
    whichever policy is processed LAST will be the policy used. You can get
    around this by picking one of the two policies in the GPMC and setting it to
    ENFORCE. This forces the policy to be processed LAST.

    Hope this helps.



  3. #3
    Daniel Guest

    RE: Group Policy Local drives

    Thanks for your response, but one thing comes to mind. The terminal server
    needs to be locked down to the point that users can hardly change anything.
    If I add the user to a group, then when they log into their normal computer
    this policy will apply to them. Is this correct? The users can have
    full access (power user permissions) to their normal desktop, just not on the
    Terminal Server. In fact, they use the same credentials for both. Will these
    conflict with each other?

    Thanks again.



  4. #4
    Bryan Sweeney Guest

    RE: Group Policy Local drives

    Okay. I had to think about that for a minute. For your situation, I would
    take a slightly different approach than I offered before, but we're still
    going to create two policies and two groups. I'll change the policy names to
    keep it clear.

    1. Create a policy called "TSLockDownWS"
    2. Create a group called "WorkstationUsers"
    3. Configure security filtering so that "TSLockDownWS" only applies to
    members of "WorkstationUsers"

    4. Create a policy called "TSLockDownCD"
    5. Create a group called "CDUsers"
    6. Configure security filtering so that "TSLockDownCD" only applies to
    members of "CDUsers"

    Now here is where we diverge from the first plan...

    7. Make sure that your terminal server is in an OU isolated from your other
    servers and workstations (should be isolated from workstations anyway as a
    good rule of thumb)
    8. Link BOTH policies to the OU that contains your terminal server.
    9. Configure "TSLockDownWS" so that it locks the server down the way you
    want it to for both Computer and User settings.
    10. Configure "TSLockDownCD" identically to "TSLockDownWS" except where we
    want RDP to map the drives differently.

    NOTE: To save time, you can back up the first one you configure from the
    GPMC, and then Restore From Backup over the unconfigured policy. This will
    ensure that the policies are identical.

    11. Edit both policies and apply Loopback Policy Processing in Replace mode
    as described in http://support.microsoft.com/kb/231287

    Number 11 is the trick to it. The Loopback Policy Processing basically
    forces Group Policy to ignore WHO you are. It only cares about WHICH
    COMPUTER you log into, then applies that policy and either overwrites or
    merges rules with any other policies that would normally apply to you. This
    way we get one behavior for Workstation Users who log into the terminal
    server, another behavior when Workstation Users log into their workstations,
    and yet another behavior for CD Users that log into the same terminal server.
    As an added bonus, by excluding yourself from both groups, you don't have to
    worry about your terminal server sessions being locked down at all.

    I think that covers all your bases.

