Since Loopback GPO are often created to provide a severely locked down user environment, it’s important that the account(s) used to manage the terminal servers are not affected by the policy settings. This can be accomplished by editing the security on the GPO and enabling “Deny Apply Policy” for these accounts, so when the user logs on the locked down environment will not apply. One should also enable the “Apply Group Policy” setting for the Terminal Server Computer Objects, or a security group of which they’re a member. Once we’ve created our Terminal Servers OU we need to create a Group Policy Object (GPO) to manage these servers that will be placed in this OU. It’s worth reiterating that only the Terminal Server Computer Objects will be placed in this OU, as the location of the User Account Objects is irrelevant when using Loopback Policy Processing. To begin, we start with the Active Directory Users and Computers MMC where we want to add an OU to hold our terminal servers. If one works for a large organization, the IT Department’s duties have likely been divided like a pie, so the people managing the terminal servers may have no access to management of Active Directory or Group Policy. If you’re lucky, the Active Directory people will concede to providing the Terminal Server Admins with an Organization Unit (OU) that they can administer. If not, you’re stuck using local policies, or getting the Active Directory People to apply the settings you want, either of which can be tricky in a large environment Luckily Group Policy has a feature called Loopback Policy Processing that addresses the need to apply specific settings to users based not on their user account’s location in Active Directory, but rather on the location of the Terminal Server Computer Object. This allows administrators to provide a locked down environment when users log on to these specific machines, without affecting the settings on their client machine. Windows Terminal Servers play a special role in each environment. Technically they’re servers, but they’re used as workstations in that users log on to these machines to run end user applications.
0 kommentar(er)
