Scenario 2: Filtering Administrators from Terminal Services Group Policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Scenario 1 documented a procedure to administer Group Policy in order to configure all RDC clients to behave the same way on user logon. This creates a problem for administrators when the need arises to log on to a terminal server for remote administration. Domain administrators may not want Group Policy to configure their RDC client during remote administration, due to limitations that may be imposed by the Group Policy.

There are a number of ways to apply security filtering to exempt domain administrators from Group Policy application. This scenario presents one approach to applying security filtering to the User Settings for Terminal Services Group Policy object (GPO) from Scenario 1. The net effect of this scenario is to exempt domain administrators from having a specific desktop applied to them on logon through an RDC client.

Filtering application of a Group Policy object (GPO)

To perform the steps in this scenario, you must have privileges delegated to you to create, link, and edit GPOs for a specific OU.

This scenario assumes you have previously performed all the steps in Scenario 1: Administering Group Policy to Provide a Consistent Terminal Services Desktop, including creating the loopback processing and user policy settings for Terminal Services GPO.

This scenario shows you how to use security filtering to limit application of the User Settings for Terminal Services GPO to the user domain group when logging on to a terminal server. The user domain group is the original group created to add Terminal Services users to the Remote Desktop Users group. The assumption is that no domain administrator has been added to the user domain group. By limiting the application of the user policy settings in the User Settings for Terminal Services GPO to the user domain group, you filter out application to all domain administrators.

To limit application of the user policy settings for Terminal Services GPO to the user domain group

  1. To open Group Policy Management Console, click Start, click Run, and then type GPMC.msc.

  2. In the console tree, double-click Group Policy Objects to expand this folder displaying the GPOs for this domain.

  3. Click the User Settings for Terminal Services GPO.

  4. In the results pane, on the Scope tab, click Add.

  5. In the Enter the object name to select box, type the name of the user domain group that you previously added to the Remote Desktop Users group. Click OK. GPMC adds the Read and "Apply Group Policy" permissions for this group by default.

  6. Click Authenticated Users.

  7. Click Remove so that the User Settings for Terminal Services GPO no longer applies to all other users, such as members of the Domain Administrators group.

Note

The user domain group is the original group created to add Terminal Services users to the Remote Desktop Users group. Do not add domain administrators to this group.
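The same security filtering can be applied and verified from a script. The following is an added example, not part of the original article, using the GroupPolicy and ActiveDirectory PowerShell modules (available with RSAT on Windows Server 2008 R2 / Windows 7 and later; they are not available on Windows Server 2003 itself, so run it from a newer management host). The group name 'TS Users' is an assumed name for the user domain group, and 'Domain Admins' is the built-in group's actual sAMAccountName.

```powershell
# Added example (not from the original page). Assumes the GroupPolicy and
# ActiveDirectory modules are installed on the management host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'User Settings for Terminal Services'   # GPO created in Scenario 1
$UserGroup = 'TS Users'                              # assumed name of the user domain group

# Precondition from the Note above: the filter only exempts administrators if none of
# them is a (nested) member of the user domain group. Fail early if that is violated.
$admins  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
           Select-Object -ExpandProperty SamAccountName
$members = Get-ADGroupMember -Identity $UserGroup -Recursive |
           Select-Object -ExpandProperty SamAccountName
$overlap = $members | Where-Object { $admins -contains $_ }
if ($overlap) {
    throw "Domain administrators are members of '$UserGroup' and would still receive the GPO: $($overlap -join ', ')"
}

# Steps 4-5: grant the user domain group Read and Apply Group Policy (GpoApply implies Read).
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Steps 6-7: remove Authenticated Users so the GPO no longer applies to everyone else.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None | Out-Null

# Verification: list every trustee that still holds Apply Group Policy on the GPO.
# Expected result is a single entry for the user domain group.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On domain controllers updated with MS16-072 (June 2016) or later, user policy processing also requires that the computer account can read the GPO, so after removing Authenticated Users confirm that a group containing the terminal servers (for example Domain Computers) retains Read; the Windows Server 2003 procedure above predates that requirement.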