Best practice Terminal Services Group Policy AD

When I started out with Terminal Services on Windows 2000 I used as a guide a book by Todd Mathers called Windows NT/2000 Thin Client Solutions and have been using his recommendations ever since. We are now planning to go to Windows 2008 and I thought it might be a good time to review our methodology and have a second pair of eyes/experience look it over. I'm not sure if anybody responding will be familiar with the book, but here are the steps recommended in the book that we have implemented:
1) Create a separate Terminal Services OU in the domain
2) Under the TS OU create two OUs: Terminal Servers and Terminal Server User Groups
3) Create 3 GPOs and apply them to the Terminal Servers OU
a) TSServers
Enable Block Policy Inheritance
Disable User Configuration Settings
Permissions:
    Permission             Authenticated Users   System   TS-Admins
    Full Control           -                     -        -
    Read                   Allow                 Allow    Allow
    Write                  -                     Allow    Allow
    Create Child Objects   -                     Allow    Allow
    Delete Child Objects   -                     Allow    Allow
    Apply Group Policy     Allow                 -        -
Loopback Policy - replace mode
Delete Cached Copies of Roaming Profiles
b) AllTSUsers policy (includes Admins)
Disable Computer Configuration Settings
Permissions:
    Permission             Authenticated Users   System   TS-Admins
    Full Control           -                     -        Allow
    Read                   Allow                 Allow    Allow
    Write                  -                     Allow    Allow
    Create Child Objects   -                     Allow    Allow
    Delete Child Objects   -                     Allow    Allow
    Apply Group Policy     Allow                 -        Allow
Enable: Do Not Track Shell Shortcuts During Roaming
Enable: Disable UI to Change Menu Animation Settings
Enable: Add Logoff to the Start Menu
Enable: Disable and Remove the Shut Down Command
Enable: Do Not Use the Search-based Method When Resolving Shell Shortcuts
Enable: No Screen Saver
Enable: Group Policy Refresh Interval - 1440 (24 hours)
c) RegularTSUsers (not including Admins)
Disable Computer Configuration Settings
Permissions:
    Permission             Authenticated Users   System   TS-Admins
    Full Control           -                     -        -
    Read                   Allow                 Allow    Allow
    Write                  -                     Allow    Allow
    Create Child Objects   -                     Allow    Allow
    Delete Child Objects   -                     Allow    Allow
    Apply Group Policy     Allow                 -        Deny
Windows Settings\Folder Redirection - I redirect My Documents and Application Data to a network share
Administrative Templates\Windows Components\Windows Explorer
Enable: Removes the Folder Options Menu From the Tools Menu
Enable: Hide Hardware Tab
Administrative Templates\Start Menu & Taskbar
Enable: Disable and Remove Links to Windows Update
Enable: Remove Network & Dial-up
Enable: Disable Changes to Taskbar and Start Menu Settings
Administrative Templates\Desktop
Enable: Prohibit User From Changing My Documents Path
Administrative Templates\Control Panel
Enable: Disable Control Panel
Administrative Templates\System
Enable: Disable Registry Editing Options
I would appreciate it if somebody could critique the above for our present 2000 environment - how we might do things differently and better - we are still going to be running 2000 for another year - and also offer some guidance as to how we should modify the above for 2008 R2.
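The OU and GPO layout above, as an added example in PowerShell (this is not from the original post, which predates the cmdlets): it builds the same structure with the ActiveDirectory and GroupPolicy modules that ship with 2008 R2 and later, which is also the natural way to carry the design over to the 2008 R2 environment the post asks about (the role is called Remote Desktop Services / RD Session Host there, but the OU, loopback and filtering design is unchanged). Assumed names: the groups TS-Admins and TS-Users (created in the groups OU if missing) and a domain taken from Get-ADDomain. One deliberate difference is labelled in the comments: the GroupPolicy module cannot write the Deny ACE the RegularTSUsers table uses, so the block grants Apply only to TS-Users instead, and it keeps Read for Authenticated Users because since MS16-072 the computer account has to be able to read user-side GPOs or they silently stop applying.

```powershell
# Added example, not from the original post. Run on a 2008 R2 (or later) DC or an RSAT
# host as a user who can create OUs and GPOs. Assumed names: TS-Admins, TS-Users.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName             # e.g. DC=corp,DC=example
$tsOU     = "OU=Terminal Services,$domainDN"
$serverOU = "OU=Terminal Servers,$tsOU"
$groupsOU = "OU=Terminal Server User Groups,$tsOU"

# 1) and 2): the OU tree and the two groups (cmdlets error harmlessly if they exist)
foreach ($ou in @(@{ Name = "Terminal Services";           Path = $domainDN },
                  @{ Name = "Terminal Servers";            Path = $tsOU },
                  @{ Name = "Terminal Server User Groups"; Path = $tsOU })) {
    New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ErrorAction SilentlyContinue
}
foreach ($g in "TS-Admins", "TS-Users") {
    New-ADGroup -Name $g -GroupScope Global -Path $groupsOU -ErrorAction SilentlyContinue
}

# 3a) TSServers: computer settings only, inheritance blocked, loopback Replace
$sysKey = "HKLM\Software\Policies\Microsoft\Windows\System"
$srv = New-GPO -Name "TSServers" -Comment "Terminal Server computer settings"
$srv.GpoStatus = "UserSettingsDisabled"
New-GPLink -Name $srv.DisplayName -Target $serverOU -LinkEnabled Yes | Out-Null
Set-GPInheritance -Target $serverOU -IsBlocked Yes | Out-Null
# UserPolicyMode: 1 = Merge, 2 = Replace (the post uses Replace)
Set-GPRegistryValue -Name $srv.DisplayName -Key $sysKey -ValueName UserPolicyMode `
    -Type DWord -Value 2 | Out-Null
# Delete cached copies of roaming profiles
Set-GPRegistryValue -Name $srv.DisplayName -Key $sysKey -ValueName DeleteRoamingCache `
    -Type DWord -Value 1 | Out-Null
# GpoEdit = Read + Write + Create/Delete Child, i.e. the TS-Admins column of table (a)
Set-GPPermission -Name $srv.DisplayName -TargetName "TS-Admins" -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 3b) AllTSUsers: user settings only, applied to everyone who logs on (admins included)
$explorer = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$all = New-GPO -Name "AllTSUsers"
$all.GpoStatus = "ComputerSettingsDisabled"
New-GPLink -Name $all.DisplayName -Target $serverOU -LinkEnabled Yes | Out-Null
# Add Logoff to the Start Menu / Remove and prevent access to the Shut Down command
Set-GPRegistryValue -Name $all.DisplayName -Key $explorer -ValueName ForceStartMenuLogOff `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $all.DisplayName -Key $explorer -ValueName NoClose `
    -Type DWord -Value 1 | Out-Null
Set-GPPermission -Name $all.DisplayName -TargetName "TS-Admins" -TargetType Group `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null      # Full Control in table (b)

# 3c) RegularTSUsers: the lockdown that must NOT reach admins.
# The post uses a Deny "Apply Group Policy" ACE for TS-Admins. Set-GPPermission cannot
# write Deny ACEs, so use the allow-list form instead: Authenticated Users drop to Read
# only (Read must stay: since MS16-072 the computer account reads user GPOs), and only
# TS-Users get Apply. Admins are simply not in TS-Users.
$reg = New-GPO -Name "RegularTSUsers"
$reg.GpoStatus = "ComputerSettingsDisabled"
New-GPLink -Name $reg.DisplayName -Target $serverOU -LinkEnabled Yes | Out-Null
Set-GPPermission -Name $reg.DisplayName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $reg.DisplayName -TargetName "TS-Users" -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $reg.DisplayName -TargetName "TS-Admins" -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null
# Disable registry editing tools / Prohibit access to Control Panel
Set-GPRegistryValue -Name $reg.DisplayName -ValueName DisableRegistryTools -Type DWord -Value 1 `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" | Out-Null
Set-GPRegistryValue -Name $reg.DisplayName -Key $explorer -ValueName NoControlPanel `
    -Type DWord -Value 1 | Out-Null

# Verify: link order on the server OU, and who can apply/edit the lockdown GPO
(Get-GPInheritance -Target $serverOU).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order
Get-GPPermission -Name $reg.DisplayName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The settings shown as registry values are the ones with a stable, documented policy key; the remaining Administrative Template items in the post are set the same way once their key and value name are looked up in the ADMX. Run `gpresult /h` on a terminal server afterwards as a TS-Admins member and as a TS-Users member to confirm that RegularTSUsers is listed as applied for the second and as filtered out for the first.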

My favorites are:
User - Admin Templates - Windows Components - Windows Explorer - Hide these specified drives in My Computer
User - Admin Templates - Windows Components - Windows Explorer - Prevent access to drives from My Computer
User - Admin Templates - Windows Components - Windows Explorer - Prevent users from adding files to the root of their Users Files folder (I want to keep folder redirection effective)
Martin

Similar Messages

  • Allow log on through Remote Desktop Services Group Policy for Domain Controllers

    Hello,
    We want to allow our Helpdesk Operators to be able to connect to Domain Controllers with Remote Desktop Services. This is not allowed by default, but according to many sites it should be possible to configure it using a Group Policy.
    We made a new Group Policy with the setting 'Allow log on through Remote Desktop Services' and 'Allow log on locally' (as an extra for testing) and applied Security Filtering to only use it for a specific Security Group. Our test user is a member of this
    security group and should be able to access the Domain Controllers now. However this isn't working.
    The error message we receive upon trying to connect:
    The connection was denied because the user account is not authorized for remote login.
    For troubleshooting, we also applied the Security Group for that setting in the Default Domain Controllers Policy but that doesn't seem to work either. We want to avoid customization on our Default Domain Controllers Policy but this was just a test case
    for solving our problem.
    What should we do to solve our problem?
    I hope to hear from you soon.
    Thanks in advance.

    Hi, I just found out what the problem was. This site helped me a lot:
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
    In my case, I had the group added to Allow Logon Through Remote Desktop Services but it was not added to the Builtin\Remote Desktop Users group. After knowing this I made some changes to our situation and we are now using the Builtin\Remote Desktop Users group
    rather than a new self-made Security Group. I also added Remote Desktop Users to Allow Logon Through Remote Desktop Services in the Default Domain Controllers Policy, as this is not done by default. By default only the Domain Administrators are able
    to log on through Remote Desktop Services.
    You do not need the 'Log on locally' permission within the Group Policies.
    In short:
    Add the desired users/groups to the 'Builtin\Remote Desktop Users' security group.
    Add the 'Builtin\Remote Desktop Users' security group to the 'Allow Logon Through Remote Desktop Services' within the 'Default Domain Controllers Policy'.
    Thank you anyway for the fast reply.
    Have a nice day!
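A check for the two conditions the reply identifies, as an added example that is not part of the thread: on a DC, a user gets past "not authorized for remote login" only if some principal in their token holds SeRemoteInteractiveLogonRight (the "Allow log on through Remote Desktop Services" right) and none holds the matching Deny right; Builtin\Remote Desktop Users carries nothing on a DC until it is named in that right, which is why the self-made group alone did not work. The script exports the effective user-rights assignment with secedit, resolves the SIDs, expands the groups through AD and reports the answer for one assumed test account (helpdesk.user). A caveat a practitioner would add on the design itself: an RDP session on a DC is a tier-0 logon, so helpdesk accounts given this right need to be treated like domain admins (dedicated hardened workstations, no mail or web use under that account), or better, the tasks delegated so they never need a DC session at all.

```powershell
# Added example, not from the original thread. Run elevated on the domain controller.
# Assumed test account: helpdesk.user
param([string]$User = "helpdesk.user")
Import-Module ActiveDirectory

# 1. Export the effective user-rights assignment and pick out the two RDP rights
$cfg = Join-Path $env:TEMP "rights.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {      # "*S-1-5-32-555" -> BUILTIN\Remote Desktop Users
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $v }
            } else { $v }
        })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
$allow = $rights['SeRemoteInteractiveLogonRight']        # $null if the right is unset
$deny  = $rights['SeDenyRemoteInteractiveLogonRight']
"Allow log on through RDS : " + ($allow -join ', ')
"Deny log on through RDS  : " + ($deny  -join ', ')

# 2. Expand each principal to user SamAccountNames via AD (groups recursively)
function Expand-Principal([string[]]$Names) {
    $users = @()
    foreach ($n in @($Names)) {
        if (-not $n) { continue }
        $sam = $n.Split('\')[-1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        if (-not $obj) { continue }                       # unresolved or non-AD principal
        if ($obj.objectClass -eq 'group') {
            $users += Get-ADGroupMember -Identity $sam -Recursive |
                      Where-Object { $_.objectClass -eq 'user' } |
                      ForEach-Object { $_.SamAccountName }
        } else { $users += $sam }
    }
    $users | Sort-Object -Unique
}
$allowedUsers = Expand-Principal $allow
$deniedUsers  = Expand-Principal $deny

# 3. Effective answer for the test account, plus the membership the reply had to fix
$rdu = Get-ADGroupMember -Identity "Remote Desktop Users" -Recursive | ForEach-Object { $_.SamAccountName }
$inAllow = $allowedUsers -contains $User
$inDeny  = $deniedUsers  -contains $User
"Member of Remote Desktop Users : " + ($rdu -contains $User)
"Holds the allow right          : $inAllow"
"Hit by the deny right          : $inDeny"
"Can RDP to this DC             : " + ($inAllow -and -not $inDeny)
```

Because the rights come from the local policy database the DC has actually applied, the output reflects the Default Domain Controllers Policy plus anything linked above it, which is exactly what the user's GPO-versus-group confusion in the thread turns on; if "Can RDP to this DC" is False while the group membership is True, the right itself is what is missing.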

  • Best Practices for Service Entry Sheet Approval

    Hi All
    Just like to get some opinion on best practices for external service management - particularly approval process for Service Entry Sheet.
    We have a 2 step approval process using workflow:
    1 Entry Sheet Created (blocked)
    2. Workflow to requisition creator to verify/unblock the Entry Sheet
    3. Workflow to Cost Object owner to approve the Entry Sheet.
    For high volume users (e.g. capital projects) this is cumbersome process - we looking to streamline but still maintain control.
    What do other leaders do in this area?  To me mass release seems to lack control, but perhaps by using a good release strategy we could provide a middle ground? 
    Any ideas or experiences would be greatly appreciated.
    thanks
    AC.

    Hi,
    You can have purchasing group (OME4) as department and link cost center to department (KS02). Use a user exit for service entry sheet release and have two characteristics for service entry sheet release, one for value (CESSR-LWERT) and another for department (CESSR-USRC1). Have one release class for service entry sheet release and then add the value characteristic (CESSR-LWERT) and the department characteristic (CESSR-USRC1). Now you can design release strategies for service entry sheets based on department and value, so that the SES will be created and then released by users with a release code based on the department and value assigned to him/her.
    Regards,
    Biju K

  • Best Practice - HCM service

    Hi,
        The ESS latest package was uploaded initially into the portal. This package consists of mostly the Webdynpro iviews.
        Later it was decided to use the Best practice, so it is uploaded. Now all the services provided in the Best practice is available in one common folder, except for the ESS. The iviews available in this Best practice are mostly the transaction iviews.
        My query is that, why the HCM (ESS) services are not there under the best practice folder? Is it due to the already uploaded ESS package? What should i do to avail the HCM services of the best practice?
    It's urgent. Please help. All useful answers will be rewarded.

    Thanks Bharathwaj for the reply. Here is the link.
    https://websmp104.sap-ag.de/swdc
    In the website "SAP Software Distribution Center" select the category "Download" -> "Installations & Upgrades" -> "Entry by Application Group" then select "SAP Best Practices" -> "SAP BP PORTALS".
    In this the EP V2.60 version was downloaded.

  • Server 2012 Win 8.1 GPO Remote Registry Service & Group Policy Trace

    I'm trying to enable the Remote Registry Service via GPO (Computer > Preferences > Control Panel > Services).
    I set the following (and left the other config items at default):
    Startup: Automatic
    Service  name: RemoteRegistry
    Service action: Start service
    This only results in a message in the event log and a message when running "gpupdate /force" both saying
        "Windows failed to apply the Group Policy Services settings. Group Policy Services settings might have its own log file. Please click on the "More information" link."
    HA! When was the last time one of those links helped anyone?
    So I tried to enable "Computer > Policies > Administrative Templates > System > Group Policy > Logging and tracing > Configure Services preference logging and tracing" and set
    Event logging Informational, Warnings and Errors
    Tracing On
    User trace c:\Trace\User.log
    Computer trace c:\Trace\Computer.log
    Planning trace c:\Trace\Planning.log
    Maximum size of trace file (KB) 1024
    I made the C:\Trace folder.
    And NOTHING.
    So the GPO doesn't log anything meaningful to the Event Viewer (and tells you to look somewhere that says it can't help you), The same thing is in the "Operational" GPO log, Group Policy Result and GPRESULT /h <filename> give you the same
    meaningless poop.
    Is there any way to start the flippin' service with the GPO, and is there a way to get any kind of meaningful logging?

    Hi,
    >>
    Is there any way to start the flippin' service with the GPO, and is there a way to get any kind of meaningful logging?
    If we want to get verbose information about Group Policy processing, we can enable logging to the Gpsvc.log file.
    Regarding how to enable logging to the Gpsvc.log file, the following blog can be referred to for more information.
    How to enable GPO logging on windows 7 /2008 r2 ?
    http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx
    In addition, regarding group policy debug logging, the following article can be referred to for more information.
    Group Policy Debug Log Settings
    http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx
    Best regards,
    Frank Shen
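The two things the reply points to, as an added example that is not part of the thread: turning on Gpsvc.log, and reading the Group Policy operational log for the client-side extension that failed, which here is the Services preference extension. Event 7016 in that log names the extension and carries its error code, which is more useful than the generic "failed to apply" text. One caveat on the goal itself: Remote Registry is the channel that reg.exe \\host and a good deal of remote-enumeration tooling talk to, so a preference item that starts it on every machine widens the attack surface; scope the GPO, or the item's item-level targeting, to the hosts that actually need it.

```powershell
# Added example, not from the original thread. Run elevated on the client that fails.
$diag = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics"
# 0x30002 = verbose gpsvc logging to %SystemRoot%\debug\usermode\gpsvc.log
New-Item -Path $diag -Force | Out-Null
New-ItemProperty -Path $diag -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
New-Item -Path "$env:SystemRoot\debug\usermode" -ItemType Directory -Force | Out-Null

# Reproduce the failure with logging on
gpupdate /force /target:computer | Out-Null

# Operational log: 4016 = extension started, 5016 = finished OK, 6016 = warning, 7016 = error
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{ LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
                                 StartTime = $since
                                 Id        = 6016, 7016 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# What gpsvc itself recorded for the Services extension during this run
$log = "$env:SystemRoot\debug\usermode\gpsvc.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'Group Policy Services' | Select-Object -Last 20
}

# Did the item do anything at all? StartMode should read Auto and State Running.
Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'" |
    Select-Object Name, StartMode, State
```

Switch the debug level off again (remove GPSvcDebugLevel) once the cause is found; the trace grows quickly and records GPO names and paths that do not belong in a log left behind on a client.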

  • Missing IMG steps for Best Practice CRM Service.

    Dear SDN'ers,
    I am working for a client and we are now implementing CRM Service.
    In the Best Practice guide I found IMG step like
    3.3.3.4.     Defining Time Allocation Types,
    3.3.3.6     Defining Availability Template
    3.3.3.8     Defining Service Area
    etc.
    However I cannot find these corresponding transactions in SPRO. They all refer to the path Customer Relationship Management > Workforce Deployment > WFD Server > Business Settings for WFD Server only. In our system this path doesn't exist. It calls an IMG transaction like WFM_001 but the system doesn't recognize this IMG activity.
    Please can anybody help me?
    Kind regards,
    Niels

    Hi,
    Have you carried out the prerequisite steps?
    Also check this path in SPRO:
    Customer Relationship Management > Transactions > Settings for Service Processes > Settings for Service Resource Planning > WFM Core > Make Settings for the WFM Core.
    And also ensure that no RFC connection has been assigned to the WFM Core if you are using it as an add-on in SAP CRM.
    Regards,
    PePe

  • ? Best practice -- Repair service purchase

    Hi Expert,
    Who could tell me the best practice for the scenario below?
    We want to send parts A to a vendor for repairing.
    After repairing, the part is still A in the system.
    We want to create a PO for this, but after goods receipt we would like the repairing fee booked on one expense G/L, which means the value of part A will not change.
    So how do we create this PO?
          How do we issue part A?
          How do we receive part A?
          How do we configure the account determination for the repair fee to the expense G/L?
    Thanks and Regards
    Shubin

    Create a PO with item category L and give all required details.
    Also under the Service tab mention the same material "A" as BOM.
    Now do the stock transfer to the subcontracting vendor in tcode MB1B with mvt 541.
    Now receive the stock from the vendor in MIGO with 101.
    Re: How to configure the account determination for the repair fee to the expense G/L: create a separate G/L account for this (take the help of your FI guy).
    Hope it helps

  • Best practice for service account?

    Hello guys,
    May I ask what's the best practice to have and maintain a service account?
    For ConfigMgr, you may need to have a service account for e.g. client install.
    An employee who ran this service just departed, and we realized we don't have the service account credential left, to our knowledge.
    So let's say we have to reset it and reconfigure the service account with a new credential; what's the best practice to keep this credential safe so it can be retrieved for future use?
    Do you keep it in a secured email? A secured envelope? How do you maintain it in a big organization?
    Please throw me some ideas. Thank you very much :)
    p/s: this issue may not restrict to ConfigMgr only, you may need service account for SQL, IIS and etc.
    ---Pat

    Hi,
    Different customers use different solutions; some use applications like this, for instance,
    http://keepass.info/
    and save the database of password on a network share.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec
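Beyond storing the password somewhere, as an added example that is not part of the thread: for the services that support it (Windows services, scheduled tasks, IIS application pools, SQL Server 2012 and later), a group Managed Service Account removes the problem the question describes, because no human ever knows the password; AD generates and rotates it, and only the hosts you list can fetch it. Assumed names: an account svc-cmpush, a host group SCCM-Hosts, a host SCCM01 and the domain corp.example; whether a given product, such as the ConfigMgr client push account, accepts a gMSA has to be checked in its own documentation. Where a product still needs a classic account, the last part lists the enabled accounts with a never-expiring password that nobody has rotated in a year, which is the usual signature of an orphaned credential like the one in the question. If a password database on a share is used for those, the share and file ACL should be limited to the few admins who own the accounts, not to everyone who can reach the share.

```powershell
# Added example, not from the original thread. Assumed names: svc-cmpush, SCCM-Hosts,
# SCCM01, corp.example. Needs a 2012+ forest schema and a 2012+ host for the gMSA.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords derive from.
# -EffectiveImmediately still waits ~10 h for replication before it can be used;
# a lab can use -EffectiveTime ((Get-Date).AddHours(-10)) instead.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# The hosts allowed to retrieve the password, then the account itself
New-ADGroup -Name "SCCM-Hosts" -GroupScope Global -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity "SCCM-Hosts" -Members "SCCM01$"        # computer account
New-ADServiceAccount -Name "svc-cmpush" -DNSHostName "svc-cmpush.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword "SCCM-Hosts" -Enabled $true

# On the service host (after a reboot so its token includes SCCM-Hosts): bind and verify,
# then configure the service logon as CORP\svc-cmpush$ with an empty password field.
if ($env:COMPUTERNAME -eq "SCCM01") {
    Install-ADServiceAccount -Identity "svc-cmpush"
    Test-ADServiceAccount -Identity "svc-cmpush"      # True = host can fetch the password
}

# For accounts that cannot be gMSAs: find the stale ones nobody rotates or owns
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
           -Properties PasswordLastSet, ServicePrincipalName, Description |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddYears(-1) } |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, Description,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize
```

The Description column is there on purpose: an owner's name and the system the account serves, recorded in the account itself, is what would have saved the situation in the question when the employee left.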

  • Best Practices Web Services - Complex Data Types

    Can someone provide some best practices documentation or info for customers using CR against web services? Specifically, any information on complex data types such as String[] or Address.
    Thanks
    Ian S

    And That's what I did.
    name.cfc is the component that has complex data types
    created.

  • Chatting Best Practices with Large Groups

    We have a large group (125) people who are involved in a 4-hour training each month.  What best practices would you suggest for managing chatting with this large of group.  Perhaps layout options, polling options, any best practices would be appreciated.

    I would leave chat alone with a group that large. You can provide that functionality to have open communication between participants and possibly presenters/hosts for quick exchanges, but don't rely on it for question-and-answer functionality. The Q & A pod will queue up all the questions that are asked in it and you (or other presenters/hosts) can answer them while keeping the answers associated with the question, and have the ability to reply publicly or privately. All questions are asked privately and are not seen by other participants, so duplicate or inappropriate questions can be easily removed or ignored.
    Polling is also good to keep the responses in a controlled environment.

  • Best Practice Web Service Output Mapping (deep structure)

    Hi All,
    My current scenario is as follows:
    In my BPM I consume a Web Service which was created from a Function Module in the Backend.
    This Web Service has the same Data Types as the original BAPI.
    For instance a table containing return values (BAPIRET2).
    When the Web Service inside the process is executed I assume that my return table is filled.
    Based on that return table I want to decide what to do next using a gateway.
    What would be the best way to process the table in a gateway condition?
    The table may contain several entries so I guess a simple not() function does not suffice.
    I hope you do understand my problem here.
    Curiously waiting for your replies,
    Bastian

    Hi Bastian,
    the parallel for each loop feature will come with NW 7.2.
    You will have a new property pane at each activity (automated activity, human task, referenced subflow, and the embedded subflow which will also come with NW 7.1) where you can switch on the looping.
    If you do that, the activity will be started (in parallel) for each line item in a list of data from a data object in the context (the list can also be specified in the new property pane).
    At the end of each activity execution the result can be mapped via append into another DO from the context.
    Unfortunately, this feature is too extensive to be downported to 7.11
    Best regards,
    Oliver

  • Best Practice for managing Groups and Users

    We want to create a Corporate Portal for the Department and it's Organizations. We want to have one Portal Public page as the main entry for all our users. When a user login, he will be re-direct to is Organization Portal page.
    I need to find a good document, a case study if possible, on how to define my Groups in OID to achieve this. I need a document that explain how to setup and manage Groups for a Corporate Portal.
    Thank you!

    Hi!
    The Portal Admin Guide gives a good overview about the groups administration.
    I don't know about case studies that address your problem.
    When you have different home pages for different groups you can administer this with the Portal Group Profile portlet in the admin section of Portal.
    cu
    Andreas

  • Highly Required CRM 5.0 Best practices for CRM Service Module

    Dear all,
    I have been searching for CRM 5.0 version best practices on the Internet for quite a long period, but could not find them anywhere.
    Currently SAP is providing only best practices for the SAP CRM 2007 version.
    Since most of the configuration differs because of the WebClient interface, I request you to refer me to a source from where I can get the CRM 5.0 Best Practices for the Service module.
    Your suggestions and help will be highly appreciated.
    Best regards
    Raghu ram

    Hi Srini,
    <removed by moderator>
    Thank you & Best regards
    Raghu ram
    Edited by: Raghu Ram on Jul 16, 2009 6:09 AM
    Edited by: Raghu Ram on Jul 16, 2009 6:11 AM
    Moderator message please review the rules of engagement located here:
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/home/rulesofEngagement
    Edited by: Stephen Johannes on Jul 16, 2009 8:12 AM

  • Group Policy Deployment Acrobat Standard XI Version 11

    I was able to successfully create a Windows 2008 R2 SP1 Group Policy that would be able to distribute the Adobe Reader Application using the Adobe Customization Wizard XI. I tried to use the same procedure from the Adobe Acrobat Standard 11 download from the adobe licensing site and was unable to get the Group Policy to work. The error message that I am getting is...
    The install of application Adobe Acrobat XI Standard 11.0 from policy  Deploy Adobe Acrobat 11 failed. The error was : %%1603
    This is the procedure that I created for deployment of Adobe Acrobat XI using Group Policy.
    How to create a group policy deployment of Adobe Acrobat XI
    Overview:
    This procedure covers the steps needed to create a group policy that will deploy the Adobe Acrobat installation.
    Requirements
    •    Windows 2008 Group Policy
    •    Adobe Acrobat Customization Wizard
         o    ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/CustWiz11000_en_US.exe
    •    Adobe Acrobat XI (Version 11)
         o    download from adobe account
    Procedure:
    1.    Download the Adobe Acrobat XI package.
    2.    Extract the contents of the Adobe Acrobat XI package.
    a.    Type msiexec.exe /a AcroStan.msi
    b.    Click Next
    c.    Put in the Network Location Share where everyone can extract the installation.
    d.    Click Install
    e.    The package will then extract to the network location as indicated above.
    f.    Click Finish, once the installation has completed.
    g.    Open the Adobe Customization XI Wizard, and customize the package by selecting the AcroStan.msi file. 
    h.    Customize the AcroStan.MSI installation file   
    i.    Default viewer of PDF files: Make Acrobat the Default PDF Viewer
    ii.    Remove previous versions of Acrobat
    iii.    Run Installation: Silently
    iv.    If reboot is required at the end of installation: Suppress reboot
    i.    Shortcuts: Remove the desktop Shortcut
    j.    Online and Adobe Services: Disable Product Improvement Program: checked.
    k.   Generate Transform File
    i.    Click Transform > Generate Transform File
    ii.   Create an Setup.Ini file in the folder of the Distribution Package.
    iii.  Name the Transform File something useful like “CompanyConfigs”.
    3.    Create a Group Policy to deploy the software package. It is usually best to have a group policy for each software installation package.
    a.    Update the Domain Default Policy with Always install with elevated privileges. This will allow all software deployment packages to install. 
    i.    Computer Configuration > Policies > Windows Settings > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges : Enabled.
    b.  Create a Group Policy to enable Windows 7 Verbose Mode
    i.    Computer Configuration > Policies > Administrative Templates > System > Verbose vs normal status messages : Enabled.
    c.    Create a Group Policy for the Software Installation
    i.     Computer Configuration > Policies > Software Settings
    ii.    Right click and select New > Package
    iii.   Click the AcroRead.msi
    iv.   Click Advanced
    v.    Click the Modifications Tab and click Add
    vi.   Optional: Click the Uninstall this application when it falls out of the scope of management.
    Note: This setting can be used to uninstall the application if the group policy ever changes in that the application should be removed.
    vii.    The package is now created …
    4.    Test the Client in a Virtual Machine
    a.    Go to a windows client and run “gpupdate /force”.
    b.    The system will then respond that it needs to restart the computer.
    c.    Type Yes, and allow the computer to reboot.
    d.    If Group Policy is not setup to allow for verbose messages in Windows 7 then the user will just see “Please wait…”, if verbose message is enabled the user will see “Installing Adobe Acrobat…”.
    Can someone please tell me what I am missing to get the group policy deployed? It has the same permissions as the Adobe Reader folder and I have done everything exactly the same, except that Adobe Standard has the license number, and owner information included in the Transform file (.mst).
    Thank you.

    Your case isn't unique. We've heard this a lot. While Acrobat has a small, very small percentage of settings available in the ADMX files,
    in case you don't know, PolicyPak software has a solution to manipulate, basically, near 100% of the settings in Acrobat Reader and Professional.
    You're welcome to check out how it works. These videos are for Acrobat X, but there are also templates in the download for XI.
    Here are links to the pages with full how-to videos:
    http://www.policypak.com/products/manage-acrobat-reader-with-group-policy.html
    and
    http://www.policypak.com/products/manage-acrobat-x-pro-and-acrobat-x-standard-using-group-policy.html
    You can be up and running in 20 minutes, but note, it's NOT a template. PolicyPak is a full application management and lockdown system.
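An added check that is not part of the thread, on step 3a of the procedure above. Enabling "Always install with elevated privileges" in the Default Domain Policy is a well-known local privilege escalation: when the value is 1 under both HKLM and HKCU, any user can run an arbitrary .msi as SYSTEM. It is also unnecessary for what the procedure does, because a package assigned under Computer Configuration > Software Settings > Software installation is installed by the Windows Installer service as SYSTEM regardless of that policy. Two details worth checking while chasing the 1603: Group Policy software installation does not read Setup.ini, so the .mst has to be listed on the Modifications tab (step 3c v), and the package added in step 3c iii should be the customised AcroStan.msi from step 2g. The script reports the local state, lists the GPOs that set the value, and strips it when run with -Fix.

```powershell
# Added example, not from the original thread. Audits "Always install with elevated
# privileges" locally and across all GPOs; -Fix removes it from every GPO that sets it.
param([switch]$Fix)
Import-Module GroupPolicy

$key = "Software\Policies\Microsoft\Windows\Installer"

# Local state on this machine: both hives at 1 is the exploitable condition
function Get-AlwaysInstallElevated {
    $state = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty -Path "${hive}:\$key" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($p) { [int]$p.AlwaysInstallElevated } else { 0 }
    }
    New-Object PSObject -Property @{
        HKLM        = $state.HKLM
        HKCU        = $state.HKCU
        Exploitable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}
Get-AlwaysInstallElevated | Format-List HKLM, HKCU, Exploitable

# Which GPOs push it, and (optionally) strip it. Computer-assigned software installation
# keeps working without it: the Windows Installer service already runs as SYSTEM.
foreach ($gpo in Get-GPO -All) {
    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key "$hive\$key" -ValueName AlwaysInstallElevated `
                                 -ErrorAction SilentlyContinue
        if ($v -and $v.Value -eq 1) {
            "{0}: {1}\{2}\AlwaysInstallElevated = 1" -f $gpo.DisplayName, $hive, $key
            if ($Fix) {
                Remove-GPRegistryValue -Guid $gpo.Id -Key "$hive\$key" -ValueName AlwaysInstallElevated | Out-Null
                "  removed from $($gpo.DisplayName)"
            }
        }
    }
}
```

Run it without -Fix first from a domain workstation and as an ordinary user: a True in the Exploitable field there is the finding a pentester would report, and the GPO list tells you which policy to fix so it does not come back on the next refresh.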

  • Best Practices for Implementing BI7.0

    Dear all,
    We are currently on BI 3.5 and have planned to go to BI 7.0. I have a few questions:
    1. Is the BI in Netweaver 2004s is BI7.0?
    2. What are the best practices to go for BI 7.0? I found few documents regarding the Best Practices in service.sap.com
    3. Where can I find more detailed information and documents for implementing BI7.0?
    If you have any document can you please send it to
    (yo - no email addresses in here buddy boy)
    Thanks & Regards,
    Chandran Gansan
    Message was edited by: Ron Silberstein

    Dear Chandran,
      1. Is the BI in Netweaver 2004s is BI7.0?
    >> I read some posts before that the correct term should be SAP NetWeaver 2004s, whereas SAP BW 3.5 is referred to as SAP NetWeaver 2004. I hope I am not mistaken.
      2. What are the best practices to go for BI 7.0? I found few documents regarding the Best Practices in service.sap.com
      3. Where can I find more detailed information and documents for implementing BI7.0?
    >> Since you have access to the SAP Service Marketplace, kindly check under the categories: bi, bifaq, services & implementation.
      Hope this helps..
      Thanks...
