Group Policy - Security Templates?
Evening all,
I hope someone would be able to give me some advice on the best way of setting this group policy up for a production system.
1. I have a group called 'Team Users' - this group is a global security group and the members of this group are in the companys HR department.
2. We have just set some brand new servers up with Windows Servers 2012 R2 installed and the application has been installed correctly on to the D:. - We like to keep it so that the C: is strictly Operating System only.
3. On the D: we have the following folder structure:
- Install
- Application
- Program Files
What I want to do is set it up so that this group 'Team Users' can log on to the server but only be able to modify anything in the Application folder. We don't want them to have any modify access to any other folders on the D:
This team have a previous history of having access to the C: and dragging and dropping files / folders on to the C: in certain locations. I don't want this to happen again. What is the best way of stopping the users from doing this without stopping the drive
from working or affecting the Application?
Are there any Microsoft guides or recommendations in regards to giving end users access to log on to servers etc?
this doesn't seem to be a GP specific question, in that you seem to want to restrict the user-level access to volumes/folders/files, either by access permissions or by quota ? (neither of which are really possible using GP)
you might use GP to perform folder redirection, i.e. to redirect the users "my documents" etc away from storing on C:, and instead store them on D:, perhaps D:\userdata ?
by default, user account would not be added into the Administrators group of the server, which will natively restrict those accounts from placing files into System folders.
you would also take steps to ensure that these users are not granted nor would they inherit permissions to create folders/files on D:\ (except for the explicit folders you mentioned above.
if you grant these users read/write/modify permissions to D:\Application, that won't stop those users from filling up D: with content in the D:\Application folder, so you might want to consider quotas.
The FSRM feature might be useful to you for that.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
Similar Messages
-
How to Add multiple entry to the group policy security filtering
How to Add multiple entry to the group policy security filtering
Is there any way we can add multiple entry to the Domain group policy Security filtering tab.Currently its not allowing to add more then one entry at a time.
Getting Error like "only one name can be entered,and the name cannot contain a semicolon.Enter a valid name"Hi
Are you trying to add more users or groups through Group Policy Management Security Filtering tab?
Try right clicking on the policy and then edit
Then in Editor Right click on the name of the policy and Properties
Security tab and add user or group from this tab. Just make sure if you are adding user or groups "Select this object type" has
the correct option also "From this Location" is set to your entire directory not the local server.
Update us with the above.
Thanks -
Windows 10 Group Policy (.ADMX) Templates now available for download
Windows 10 Group Policy (.ADMX) Templates now available for download Just to let you all know that we have released the Windows 10 Group Policy (.ADMX) templates on our download center as an MSI installer package. These .ADMX templates are released as a separate download package so you can manage group policy for Windows 10 clients more easily. This new package includes additional (.ADMX) templates which are not included in the RTM version of Windows 10. DeliveryOptimization.admxfileservervssagent.admxgamedvr.admxgrouppolicypreferences.admxgrouppolicy-server.admxmmcsnapins2.admxterminalserver-server.admxtextinput.admxuserdatabackup.admxwindowsserver.admxTo download the Windows 10 Group Policy (.ADMX) templates, please visit http://www.microsoft.com/en-us/download/details.aspx?id=48257 To review which settings are new in Windows 10,...
This topic first appeared in the Spiceworks CommunityRubicon Project is the operator of one of the advertising industry’s largest independent real-time trading platforms for digital advertising, and has engineered one of the largest real-time cloud and Big Data computing systems, processing trillions of transactions within milliseconds each month. The company’s pioneering technology created a new model for the advertising industry—similar to what NASDAQ did for stock trading. Rubicon Project’s automated advertising platform is used by more than 500 of the world’s premium publishers to transact with over 100,000 ad brands globally. To meet their expanding communications requirements, Rubicon Project selected 8x8 to provide 8x8 Virtual Office business VoIP, unified communications and mobile solutions to its nine international locations.8x8’s cloud-based telephony solutions enabled Rubicon...
-
Group Policy Administrative Templates not applying on Windows XP SP3 - Windows Server 2008 R2
I have a Windows 2008 R2 domain with windows 7, and Windows XP SP3 client workstations.
I have a group policy to deny all access to removable storage in policies/administrative templates/system in user configuration (actually its in the computer configuration as well)
The problem is the policy is having no effect on the Windows XP machines. It works perfectly on Windows 7 machines.
Group policy in general is working on the Windows XP machines, as I can successfully map drives, push out scheduled tasks, and push out printers. (All preferences I know and I have GP Preferences client side extensions installed).
Its almost like the windows XP machines can't "understand" the admin templates from Windows Server 2008 R2.
Do I need to install something on the windows XP machines? What could be the problem?> Its almost like the windows XP machines can't "understand" the admin
> templates from Windows Server 2008 R2.
Simply read the "supported on" of these settings... Vista and above
required.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
No standard templates in Group Policy Editor on SBS 2008
Hi, we have a SBS 2008. Problem is that we don't have any standard templates in Group Policy Editor anymore, just Office templates. If I do "Add/Remove Templates" the list is empty (please see Image below).
Any ideas?
Thanks in advance for your help
Best regards, ThomasHi Thomas,
Would you please let me confirm whether change anything before this issue occurred? Did this issue just occurred
recently?
Would you please let me know if Administrative Templates files still store in the default location C:\Windows\PolicyDefinitions
folder? Or have created the Central Store for Group Policy Administrative Template files? Please navigate to
PolicyDefinitions folder and check if it is empty.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
Group policy template for Novell Client for Windows 7
Does anyone know if there is a group policy template for the Novell Client for Windows 7? I find it really hard to believe that Novell has not yet released one, but I cannot find one anywhere. We use ZCM 11.2, and I really need to be able to send out settings for the client via a group policy.
By the way, I am also posting this on the Novell Client forum, but since this is also a ZCM thing, I am hoping I might get some feedback here.
Rick PTwo recent/new resources are available for the Novell Client 2 SP3 for Windows:
Cool Solutions AppNote: Novell Client 2 SP3 for Windows: Registry Settings
Novell Client 2 SP3 for Windows: Registry Settings | Novell User Communities
Cool Solutions Tool: Group Policy Administrative Template for Novell Client 2 SP3 for Windows
Group Policy Administrative Template for Novell Client 2 SP3 for Windows | Novell User Communities -
How to control IE10's "Compatibility View settings" via Group Policy
First
of all thanks for taking the time to read this. I must let you know that I have limited experience with Group Policy so here it goes...
Domain Controllers are 2008 R2 Datacenter and client computers are Win7 Pro with IE10
I need to add several sites to the "Compatibility View settings" in IE10 and have these pushed out via Group Policy.
I followed this to enable the "Use Policy List of Internet Explorer 7 sites:"
Use
Policy List of Internet Explorer 7 sites
I even added the settings to both User Configuration as well as Computer Configuration. However the computers on the domain wouldn't show these sites in
IE even after forcing a GP update (gpupdate /force)
Yes I did use top level domain names.
Next I installed the Administrative Templates for Windows Internet Explorer 10 on the DC:
Administrative Templates for Windows Internet Explorer 10
this gave me an Inetres.adm file while I put in the same location as my other .adm files that Group Policy Manager sees (located at C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm)
I do see a bunch of .ADMX files located at C:\Windows\PolicyDefinitions
on the DC. I also see a lot of .ADML files located at C:\Windows\PolicyDefinitions\en-US.
Where is my Central Store located that my Group Policy references? How do I know what location GP is reading from?
Now I installed the Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7 from here:
Administrative Templates (ADMX) for Windows Server 2008 R2 and
Windows 7
This gave me a "Win7-2008R2-admx.msi" package that I installed. I took the defaults and extracted contents to:
C:\Windows\PolicyDefinitions\Server 2008 Win7\PolicyDefinitions
Are all of these .ADMX files supposed to be placed into my Central Store?
If I mouse-over "Administrative Templates" in Group Policy Manager is says that the policy definitions are retrieved from the local machine.
I then right-clicked on top of "Administrative
Templates" in Group Policy Manager and highlighted Inetres and selected Delete.
While in Add/Remove Templates I click on Add and it defaults to looking for "Policy Templates" and will not let me select and .ADM/.ADML/.ADMX files.
What am I doing wrong here?
How do I know that I'm using the most recent Inetres file?
How do I know which file Group Policy Manager is using to manage the IE settings that are in:
User Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of Internet
Explorer 7 sites
or
Computer Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of
Internet Explorer 7 sites.
Is there anything else you can suggest?
Many, many thanks in advance for any responseHi,
Regarding your question, usually we create a Central Store for Administrative Templates (Both .admx and .adml files), and create a folder that is named PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies. The .adml files on the Windows computer
are stored in a language-specific folder. For example, English (United States) .adml files are stored in a folder that is named "en-US." When you have copied all .admx and .adml files, the PolicyDefinitions folder on the domain controller should contain the
.admx files and one or more folders that contain language-specific .adml files.
Please refer to the following articles. You will get more helpful details about the Central Store for Group Policy Administrative Template files.
How to create the Central Store for Group Policy Administrative Template files in Windows Vista
http://support.microsoft.com/kb/929841
Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx
Based on your description, I understand you enable the setting “Use Policy List of Internet Explorer 7 sites”. However, didn’t show any sites in IE in client even after forcing a GP update
(gpupdate /force). Please use command “gpresult” in clients to collect the GPOs, and then check whether the GPO contain the setting “Use Policy List of Internet Explorer 7 sites” was applied to clients or wasn’t.
In addition, you also can change the related setting by using registry directly.
Follow the path of the registry:
HKEY_CURRENT_USER->Software->Policies->Microsoft->Internet Explorer->BrowserEmulation->PolicyList. (Create registry folders
manually if not present)
Right Click
PolicyList ->New->String Value->Enter the name of the website. (Both under ‘Name’ and ‘Data’. For example,
Value name: example.com Value data: example.com)
There is a similar question, please read as a reference.
Add manually URL on Compatibility View List in IE10
http://social.msdn.microsoft.com/Forums/ie/en-US/5a15e861-d106-471e-a968-fdea15e31c45/add-manually-url-on-compatibility-view-list-in-ie10
Hope this helps.
Best regards,
Justin Gu -
Set Word 2013 Track Changes settings via Registry edits or Group Policy?
Hi
Would anyone know if there is a way of changing Track Changes settings via registry edits or Group Policy (e.g. changing Simple Markup All Markup)? I've had a look in Group Policy Admin Templates and the Registry but cant see relevant
Thanks!Hi,
The All Markup/Simple Markup selection is controlled by the RevModeShowSimpleMarkup value within the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options
The value is 0 (zero) for All Markup or 1 (one) for Simple Markup.
If we close all Word instances, and change the value to 1, then start Word, the All Markup option should be selected.
In addition, some track change settings can also be controlled by the GPO settings in the following location:
Administrative Templates > Microsoft Word 2013 > Word Options > Track changes and compare
If you still need further assistance on this issue, please feel free to let me know.
Regards,
Steve Fan
TechNet Community Support
It's recommended to download and install
Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
programs. -
Change "rely on system fonts only" via Group Policy
Hello,
This may take a bit to explain my problem, sorry in advance. I have a mixed network environment of Windows 7 Professional (x64) and Windows XP Pro SP3 (x32), and all of them have Adobe Acrobat 9 Standard, with the Adobe PDF Printer.
My problem is that ALL of these systems have a serious, game-killing problem with the Adobe PDF printer setting, "Rely on system fonts only; do not use document fonts". If that option is enabled (or if the option with the same name under Printer Defaults is enabled), then printing in our ERP software dies. (We use Microsoft Dynamics GP). Users get an error "Unable to stop printing", and believe me it took a WHILE before I figured out that the Adobe PDF setting was to blame! This happens even if my users are printing to physical paper, and not touching the PDF printer at all. In other software we sometimes get the annoying popup message from Adobe PDF saying that we need to uncheck the "Rely on system fonts..." setting as well. In short, I HAVE to keep that option turned off for all of my users.
Unfortunately, every time there's a major Adobe update the option returns (GRRRR!), in both the Printer Preferences menu and the Printer Defaults menu. I'm trying to change the option via a group policy administrative template, but I don't know which registry settings to modify - it seems like this option exists in SEVERAL places, here are the ones I've found so far:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\PrinterDriverData\DistillerHostFontHasMostFonts
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Print\Printers\Adobe PDF\PrinterDriverData\DistillerHostFontHasMostFonts
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers\Adobe PDF\PrinterDriverData\DistillerHostFontHasMostFonts
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Adobe PDF\PrinterDriverData\DistillerHostFontHasMostFonts
I've also found references in this forum that tell me to also change a long binary string in:
- HKEY_CURRENT_USER\Printers\DevModePerUser\Adobe PDF\Adobe PDF (And this one I honestly have no idea how to edit a huge string like that.)
For the first four registry values, when I change DistillerHostFontHasMostFonts to 0 via a template... the checkbox isn't visually cleared in the GUI. *face palm* I'm a bit desperate - how is an admin supposed to change this option across a company network besides manually?And, as a demonstration that this is a REAL and DOCUMENTED Microsoft bug, here's the text of the Dynamics GP KB article:
It would be nice if somebody from Adobe had an answer other than "yeah you shouldn't disable that feature, for vague reasons of our own that we won't tell you." Microsoft clearly believes it MUST be disabled! I don't have an option there, or my company's ERP software doesn't work.
SYMPTOMS
When you try to send a report as a .pdf file to an e-mail recipient from Microsoft Dynamics GP and from Microsoft Business Solutions - Great Plains, you receive the following error message:When you create a PostScript file you have to send the host fonts. Please go to the printer properties, "Adobe PDF Settings" page and turn OFF the option "Do not send fonts to Distiller" appears.You continue to receive this error message after you follow these steps to turn off the Do not send fonts to Distiller option:
1.
Click Start, and then click Printers and Faxes.
2.
Right-click Adobe PDF, and then click Properties.
3.
On the General tab, click Printing Preferences.
4.
Click to select the Do not send fonts to "Adobe PDF" check box, and then click OK.
5.
On the Advanced tab, click Printing Defaults.
6.
Click to select the Do not send fonts to "Adobe PDF" check box.
7.
Start Microsoft Great Plains.
Back to the top
RESOLUTION
Microsoft Dynamics GPTo resolve this problem, complete steps 1-6 in the "Workaround" section.
Back to the top
Microsoft Business Solutions - Great Plains 8.0To resolve this problem, complete steps 1-6 of the "Workaround" section, and then obtain the latest service pack for Microsoft Business Solutions - Great Plains 8.0. For more information, visit one of the following Microsoft Web sites, depending on whether you are a partner or a customer. Partners https://mbs.microsoft.com/partnersource/products/GreatPlains/downloads/servicepackCustomershttps://mbs.microsoft.com/customersource/support/downloads/servicepacks
Back to the top
WORKAROUND
To work around this problem, follow these steps.Adobe 6.0 and Adobe 7.0
1.
Click Start, and then click Printers and Faxes.
2.
Right-click Adobe PDF, and then click Properties.
3.
On the General tab, click Printing Preferences.
4.
Click to clear the Do not send fonts to "Adobe PDF" check box.
5.
On the Advanced tab, click Printing Defaults.
6.
Click to clear the Do not send fonts to "Adobe PDF" check box.
7.
Start Microsoft Great Plains.
8.
In Microsoft Great Plains, click Print Setup on the File menu.
9.
In the Name list, click Adobe PDF, and then click Properties.
10.
On the Adobe Default Settings tab, click to select the Do not send fonts to "Adobe PDF" check box. Then, click to clear the Do not send fonts to "Adobe PDF" check box.
11.
Click OK two times.
Adobe 8.0
1.
Click Start, and then click Printers and Faxes.
2.
Right-click Adobe PDF, and then click Properties.
3.
On the General tab, click Printing Preferences.
4.
Click to clear the Rely on System fonts only; do not use document fonts check box.
5.
On the Advanced tab, click Printing Defaults.
6.
Click to clear the Rely on System fonts only; do not use document fonts check box.
7.
Click OK two times.
Back to the top
STATUS
Microsoft Dynamics GP 10.0Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
Microsoft Dynamics GP 9.0Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
Microsoft Business Solutions - Great Plains 8.0Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Business Solution - Great Plains 8.0 Service Pack 4a.
Back to the top
MORE INFORMATION
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Back to the top
APPLIES TO
Microsoft Dynamics GP 2010
System Manager, when used with:
Microsoft Dynamics GP 10.0
Microsoft Dynamics GP 9.0
Microsoft Business Solutions–Great Plains 8.0 -
User Configuration/Policies/Administrative Templates
- Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work
Microsoft Word 2013/Word Options/Security/Trust Center/Trusted Locations
- Allow Trusted Locations on the network:
Enabled
- Trusted Location #1:
Enabled
Path: //server/sharedfoldername [Edit: Path:
\\server\sharedfoldername]
Date: June 10, 2013
Description: Trusted Location
Allow sub folders: Enabled
The policy appears to apply to the client correctly by adding the following registry key and values:
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\15.0\word\security\trusted locations\location1
allowsubfolders: 1
date: June 10, 2013
Description: Trusted Location
Path: //server/sharedfoldername [Edit: Path:
\\server\sharedfoldername]
However, when you open Word Options/Trust Centre/Trust Centre Settings…/Trusted Locations
There are no trusted locations listed under ‘Policy Locations’
I have tried setting similar settings for setting the Shared Templates folder location and just like the trusted locations policy, the registry keys are created properly in HKEY_CURRENT_USER\Software\Policies however word doesn’t
seem to recognize these either.
This used to work flawlessly using the administrative templates for Word 2007 and 2010. Has anyone been able to get these policies to apply successfully, or know why office doesn’t recognize these settings from the Policies registry
Key?This would have been an easy solution to the issue. Unfortunately it isn't the problem. This question was originally posted on another Microsoft site and
was transferred here and when it was transferred the path's changed from the original post:
\\server\sharedfodlername to //server/sharedfoldername. (I will edit the question to show up as it did in the original post) Not sure how that happened. This
is still an issue that I haven't been able to get working correctly.
As it turns out the 'New from Template' interface Word 2013 has developed is very bulky with large thumbnails and is not very customizable nor practical for an office
that has a large number of templates. Because I am unsatisfied with the display and performance of the 'New' template chooser I sought after a solution to change the way word creates a document from a template in another thread:
http://answers.microsoft.com/en-us/office/forum/office_2013_release-word/how-can-you-change-the-display-of-templates-in/d49194b9-a6b4-4768-8502-7d7b50e9dd65 working through this issue with Jay we were able to develop
some VB script with handles a very large number of templates in a list view and it works much faster than the built-in Word interface. The above thread is how I've worked around trying to define a shared template location and I am quite happy with it. -
Group Policy won't apply, No mapping between account names and security IDs was done.
I am using Group Policy Preferences to remove users from the local admin group and add a local admin account. This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO. I get the following error:
Log Name: Application
Source: Group Policy Local Users and Groups
Date: 6/24/2014 8:49:28 AM
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: laptop1.internal.com
Description:
The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
IDs was done.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Group Policy Local Users and Groups" />
<EventID Qualifiers="34305">4098</EventID>
<Level>3</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
<EventRecordID>68771</EventRecordID>
<Channel>Application</Channel>
<Computer>laptop1.internal.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>user</Data>
<Data>Administrators</Data>
<Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
<Data>0x80070534 No mapping between account names and security IDs was done.</Data>
</EventData>
</Event>
I've searched high and low for an answer and nothing I find on-line seems to apply. I also notice that the option to 'Run as Administrator' does not work. If I right-click on cmd.exe and select 'run as administrator', the command box opens but
I am not prompted for credentials and the command box does not have admin rights. Not sure if this is related or not.
Any help on this would be greatly appreciated.
Thanks,
JoeHi,
Delete your remove action from the GPP and push it again, does this issue still occur?
If it still exists, let’s collect the GPP log for analysis:
Group policy Preference debug logging policy settings are located under:
Computer Configuration\Administrative Templates\System\Group Policy
Click Logging and tracing, select local users and group preference logging and trace.
Meanwhile, just a similar issue, but it is worth trying:
A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/2280515
If you have any feedback on our support, please click
here
Alex Zhao
TechNet Community Support -
Disable IE 10 & 11 Security Alert popup w/ Group Policy
We get a Security Alert popup when accessing a https site
"You are abut to view pages over a secure connection....."
With previous version of IE, user can simply check box for "In the future, do not show this warning" and it will not pop up again, however, w/ the new IE 10 and IE 11, it keeps coming back. What is the group policy rule to disable this pop
up?
Thanks in advance.
Roget LuoHi Roget,
It seems that we can enable the following setting to block the warning message:
Computer Configuration/User Configuration > Adminstrative Templates > Windows Components > Internet Explorer >Turn off the Security
Settings Check feature
Besides, apart from group policy, if we just want to individually block the message, the following article can be referred to for more information.
Stop security warning in Internet Explorer
https://innsida.ntnu.no/wiki/-/wiki/English/Stop+security+warning+in+Internet+Explorer
Please Note:Since
the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best regards,
Frank Shen -
New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?
We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lockdown the 2008 RDS for Domain users that we have added to a new security Group--named "Data Collection Users". These users are "Domain Users" and login to the
2008 RDS using Windows XP SP3 machines to run a specific application -they do not use their local desktops for anything. WE added this group to the local RDU group on the RDS. We do not have any other users that login to the RDS through terminal,
including any Domain Admins.
So far we have done these steps:
On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
Linked the Policy to the OU.
Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
We ran the Group Policy force update from within GP Management - ran successfully.
We did not reboot the RDS.
Neither of the settings we tried in Step 7 worked. Why Not?
Here are images from the Security Filtering:Ok--Do I reboot the RDS or the DC? or both?
Does it look like my Security Filtering is correct? I have seen posts where you should not remove the "Authenticated users"? -
Server 2012 Group Policy Templates installed on Server 2008 R2
Setup: 2 x Domain Controllers running Server 2K8 R2 SP1
We are currently running our environment with IE9 and want to upgrade to IE11. However 2K8 R2 group policy doesnt support IE11 unless you upgrade your DC's to this version of IE. We are not going to deploy IE11 all at once but instead as we reimage or replace
PC's.
My question is can install http://www.microsoft.com/en-us/download/details.aspx?id=36991 Server 2012 templates on 2008 R2 and have the ability to apply GP objects to both versions of the browser? Will it's possibly make some of the current GP's ineffective
by erasing some settings?
Maybe there is a better was for me to do this? Any help on this would be appreciated! Thanks in advance.
I will monitor this thread very closely and reply to any questions as soon as I can. Thanks!
BCUYes this can be done and its advisable to install the latest and greatest admx templates, please be aware that from IE10 upwards IE maintenance is deprecated and applied via a GPP, id advise you create a central store for your Admx and adml files if not
already done so
http://support.microsoft.com/kb/929841
http://support.microsoft.com/kb/929841 -
Group Policy for IE security option
Hello
I have a problem with group policy.
I wanted to add intranet site to IE properties in security tab and I did research and found one link which saying
go to group policy management -> user configuration -> windows settings -> internet explorer maintenance ->
security -> right click on security zones and and click on properties and make changes.
(I was able to find this option running GPMC in DC. If I add GPMC in MMC in my computer, i was not able to see this option)
so I clicked on"import the current security zones and privacy settings in security zones and privacy and added the site.
on my PC, I did gpupdate /force and it seemed working since the site was added and in my computer IE settings, it said "some settings are managed by your system administrator" and I updated the GP on other PC which did not work and
I realized that the link was for windows 2003 server and I have windows 2008. so I reverted what I did and on my PC, I updated the GP but the settings in IE was not changed back to what it was.
my questions are
- how to change the settings on my computer?
- why the GP was working on my computer but now the other computers?
- how to add intranet site thru GP for all the users?
ThanksHi,
I agree with Zanderol24, which IE version is installed on the other PCs? The settings of Internet explorer maintenance can’t apply to IE 10 and later version.
Besides, on the troubled clients, we could use the
gpresult /h GPReport.html command to generate a Resultant Set of Policy (RSoP) report. We could check if the policy applied from the report.
Moreover, aside from using IEM to add the sites, we can also use policy setting
Site to Zone Assignment List or GPP Registry extension to do this.
For more information, we could refer to the following articles.
How to configure Internet Explorer security zone sites using group polices
http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices.aspx
How to Add Trust Sites into IE before IE10 through Group Policy
http://blogs.msdn.com/b/asiatech/archive/2013/01/04/how-to-add-trust-sites-into-ie-before-ie10-through-group-policy.aspx
Best Regards,
Erin
Maybe you are looking for
-
When KM Scheduler is stopped or not running
Hi Experts, I have created KM Scheduler using the blog https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/1515.Scheduled for every 30 mins. In Systemadmin>Monitor> KM-->i can see whether Scheduler is running or not. Now the requirement is to send
-
Autofill Forms in Adobe Acrobat 8
I'm trying to create a field which automatically autofills another field. I have tried copying and pasting text boxes with the same name and changing the field to the same name but I have not had any luck. I also went to edit-duplicate forms which
-
I recently bought a macbook and recieved the free mountain lion. To redeem the email said to go to quick links in the app store and click redeem. When I clicked redeem i Was taken to a blank grey screen. What is going on?
-
How do I override expired black ink cartridge error on d145
My All in One d145 printer started to show a black ink supply expired error. I replaced the old black ink cartridge with a new one but it too is expired. It was new and still in plastic so the ink should still be good. When I get the error the mes
-
Hi All, Share you views on these FAQ's with link to doc which you reffered preferably. 1) What are Mount points and there significance? 2) Why i am unable to login to DTR at other Workstations apart from the one which i am using, even after setting w