Group Policy Local drives
Ok, here is my problem.
We have users who log into a terminal server to do their normal daily
duties. We have two ways of people logging into the terminal server. One
way is the user logging into their normal desktop and then double-clicking
the shortcut for Remote Desktop. The other way is a user booting from a CD
that I have put together. These computers do NOT have hard drives in them,
which means "no local drive access".
With the computers that double-click on the Remote Desktop icon, I want them
to be able to use their local disk drives. As you check local disk drives
under the options in Remote Desktop settings, this setting does not work
since I have blocked access using group policy because of my "CD" users.
Is there a way to have users who are using the Remote Desktop shortcut
use their local disk drives and still be able to prevent users from accessing
the server's local disk drives?
RE: Group Policy Local drives
Sure. You could use diametric policies and security filtering...
1. Create a GPO that configures RDP for your regular computer users. We'll
call it "RDPForWorkstationUsers"
2. Create a security group called "WorkstationUsers".
3. Using the GPMC, configure security filtering for the GPO so that the
policy only applies to users in the "WorkstationUsers" security group.
4. Create a GPO that configures RDP for your regular computer users. We'll
call it "RDPForCDUsers"
5. Create a security group called "CDUsers".
6. Using the GPMC, configure security filtering for the GPO so that the
policy only applies to users in the "WorkstationUsers" security group.
7. Add each user to the appropriate group.
There, you're done. When members of the "WorkstationUsers" group sign in,
they will be affected by the "RDPForWorkstationUsers" policy, and when
members of the "CDUsers" group sign in then they will be affected by the
"RDPForCDUsers" policy.
NOTE 1: Keep in mind that if a user is not a part of either group then
neither policy will apply.
NOTE 2: If a user is part of both groups then it's a roll of the dice, since
whichever policy is processed LAST will be the policy used. You can get
around this by picking one of the two policies in the GPMC and setting it to
ENFORCE. This forces the policy to be processed LAST.
Hope this helps.
RE: Group Policy Local drives
Thanks for your response, but one thing comes to mind. The terminal server
needs to be locked down to the point that users can hardly change anything.
If I add the user to a group, then when they log into their normal computer,
this policy will apply to them. Is this correct? The users can have
full access (power user permissions) to their normal desktop, just not on the
Terminal Server. In fact, they use the same credentials for both. Will these
conflict with each other?
Thanks again.
RE: Group Policy Local drives
Okay. I had to think about that for a minute. For your situation, I would
take a slightly different approach than I offered before, but we're still
going to create two policies and two groups. I'll change the policy names to
keep it clear.
1. Create a policy called "TSLockDownWS"
2. Create a group called "WorkstationUsers"
3. Configure security filtering so that "TSLockDownWS" only applies to
members of "WorkstationUsers"
4. Create a policy called "TSLockDownCD"
5. Create a group called "CDUsers"
6. Configure security filtering so that "TSLockDownCD" only applies to
members of "CDUsers"
Now here is where we diverge from the first plan...
7. Make sure that your terminal server is in an OU isolated from your other
servers and workstations (should be isolated from workstations anyway as a
good rule of thumb)
8. Link BOTH policies to the OU that contains your terminal server.
9. Configure "TSLockDownWS" so that it locks the server down the way you
want it to for both Computer and User settings.
10. Configure "TSLockDownCD" identically to "TSLockDownWS" except where we
want RDP to map the drives differently.
NOTE: To save time, you can back up the first one you configure from the
GPMC, and then Restore From Backup over the unconfigured policy. This will
ensure that the policies are identical.
11. Edit both policies and apply Loopback Policy Processing in Replace mode
as described in http://support.microsoft.com/kb/231287
Number 11 is the trick to it. The Loopback Policy Processing basically
forces Group Policy to ignore WHO you are. It only cares about WHICH
COMPUTER you log into, then applies that policy and either overwrites or
merges rules with any other policies that would normally apply to you. This
way we get one behavior for Workstation Users who log into the terminal
server, another behavior when Workstation Users log into their workstations,
and yet another behavior for CD Users that log into the same terminal server.
As an added bonus, by excluding yourself from both groups, you don't have to
worry about your terminal server sessions being locked down at all.
I think that covers all your bases.
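Steps 1 to 8 and 11 of the last reply, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example (not code posted in the thread). The OU paths and the server name `TS01` are placeholders; the lockdown and drive-mapping settings of steps 9 and 10 are still configured in the GPO editor. Because loopback is a computer-side setting, the sketch also gives the terminal server's computer account Apply rights on both GPOs, which the thread does not mention.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# Placeholders (assumptions, not from the thread): adjust to your domain.
$tsOu     = 'OU=TerminalServers,DC=example,DC=local'  # isolated OU holding the terminal server (step 7)
$groupOu  = 'OU=Groups,DC=example,DC=local'
$tsServer = 'TS01'

# GPO name -> security group the GPO is filtered to (steps 1-6).
$plan = @{
    'TSLockDownWS' = 'WorkstationUsers'
    'TSLockDownCD' = 'CDUsers'
}

foreach ($gpoName in $plan.Keys) {
    $group = $plan[$gpoName]

    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $groupOu
    }
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }

    # Security filtering: Authenticated Users keep Read but lose Apply,
    # the user group gets Apply, and so does the terminal server itself
    # so that the computer-side loopback setting below takes effect.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $tsServer -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null

    # Step 11: loopback processing, UserPolicyMode 2 = Replace (1 = Merge).
    Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

    # Step 8: link the GPO to the terminal server OU (ignored if already linked).
    New-GPLink -Name $gpoName -Target $tsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Check: list who can actually apply each GPO. An admin account that is in
# neither group should not appear, and no user should be in both groups.
foreach ($gpoName in $plan.Keys) {
    Get-GPPermission -Name $gpoName -All |
        Where-Object Permission -eq 'GpoApply' |
        Select-Object @{n='GPO';e={$gpoName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

After a test user logs on to the terminal server, `gpresult /r` in that session shows which of the two GPOs was applied.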