Group policy applied to users when on specific systems?

This is a weird one... We have our workstations set up with a certain permission set and it's worked fine to this point. Now we also have terminal servers which need to be locked down MUCH more than the workstations, but we don't want those lockdowns to apply to the normal workstations (stuff like the shutdown item on Start and such is hidden in TS, but not in normal workstations). This is fine and all: the GPs exist, the OUs are created, the terminal servers are in a separate OU with inheritance turned off so as not to inherit lower level GPOs.

The problem comes in here though: the users who are going to use this are the same users for the workstations, but I can't apply the GP to their "Employees" OU because it would lock down their workstations also. Is there a way to apply a GP to an OU only if they are logged into a specific machine? Say, apply the TS group policy only if they are logged into a terminal server? I tried to put the User settings at the TS OU level but they didn't apply, so I put them at the Employees OU and they applied fine to the terminal servers but ALSO the workstations... which is not wanted. Any ideas on how to handle this?

Create the policy in the OU of the terminal servers. Under the Computer Configuration, tell the computers to ignore other user policies and apply this one to users: Computer Configuration/ Administrative Templates/ System/ Group Policy: User Group Policy loopback processing mode, Enabled. Set the policies you want in the User Configuration part of the same policy.
You can select loopback to replace the user policies from the user's OU, or to merge with them.
If you are using roaming profiles, make sure the user has a separate terminal services roaming profile. A policy applied and then removed is not the same as a policy not applied.
Anthony

"Smokey Grindle" <nospam@dontspamme.com> wrote in message news:enFy8bZsGHA.1192@TK2MSFTNGP04.phx.gbl...
> This is a weird one... We have our workstations set up with a certain
> permission set and it's worked fine to this point. Now we also have
> terminal servers which need to be locked down MUCH more than the
> workstations, but we don't want those lockdowns to apply to the normal
> workstations (stuff like the shutdown item on Start and such is hidden
> in TS, but not in normal workstations). This is fine and all: the GPs
> exist, the OUs are created, the terminal servers are in a separate OU with
> inheritance turned off so as not to inherit lower level GPOs.
>
> The problem comes in here though: the users who are going to use this are
> the same users for the workstations, but I can't apply the GP to their
> "Employees" OU because it would lock down their workstations also. Is
> there a way to apply a GP to an OU only if they are logged into a specific
> machine? Say, apply the TS group policy only if they are logged into a
> terminal server? I tried to put the User settings at the TS OU level but
> they didn't apply, so I put them at the Employees OU and they applied fine
> to the terminal servers but ALSO the workstations... which is not
> wanted. Any ideas on how to handle this?

thanks! I'll have a look at this after lunch

that worked great! thanks!
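
The loopback setup described in Anthony's answer, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The GPO name and OU path are hypothetical placeholders; the Shut Down restriction stands in for whatever User Configuration lockdown you need.

```powershell
# Added example: $gpoName and $tsOu are hypothetical placeholders.
Import-Module GroupPolicy

$gpoName = 'TS User Lockdown'                        # hypothetical GPO name
$tsOu    = 'OU=Terminal Servers,DC=example,DC=com'   # hypothetical OU holding the terminal servers

# 1. Create the GPO and link it to the terminal servers' OU, not the users' OU.
New-GPO -Name $gpoName -Comment 'User lockdown applied only on terminal servers' | Out-Null
New-GPLink -Name $gpoName -Target $tsOu -LinkEnabled Yes | Out-Null

# 2. Computer Configuration: "User Group Policy loopback processing mode".
#    UserPolicyMode: 1 = Merge (user's own GPOs plus this one),
#                    2 = Replace (user GPOs from the user's OU are ignored here).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. User Configuration in the SAME GPO: the lockdown itself.
#    NoClose = 1 removes the Shut Down command from the Start menu.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# 4. Check, run locally on a terminal server after a policy refresh:
#    reports which loopback mode the machine actually received.
function Get-LoopbackMode {
    $path  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $path -Name UserPolicyMode `
                  -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

Get-LoopbackMode
```

Steps 1 to 3 run on a management host with the Group Policy management tools installed; after `gpupdate /force` on a terminal server, `gpresult /r` in a user session there should list the GPO under the user settings, while the same user on a workstation should not receive it.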