Archived from groups: microsoft.public.win2000.group_policy (
More info?)
If you want different User Configuration settings to apply when users log on
to a Terminal Server as opposed to a workstation, use Loopback processing
and put the settings into the User Configuration part of a GPO that is
applied to the OU containing the Terminal Server computer accounts - see
http://support.microsoft.com/?kbid=260370 for information about Loopback
processing. The local Administrators group on the Terminal Server can not
be used to control what users get or don't get the GPO settings; you need to
have a Domain Group that has all of the "Terminal Servers administrators"
domain user accounts in it - the existing Domain Admins might do for this,
but you probably want to have a Domain group that specifically contains the
user accounts you want to be "administrators" on the Terminal Server. Add
this domain group to the local Administrators group rather than individual
domain user accounts. Then, deny this Domain group the Apply GPO
permission:
1. open GPMC
2. click on the GPO that has user settings you don't want administrators to
have
3. select the Delegation tab in the right pane
4. click Advanced... (bottom right of GPMC's right pane)
5. if the group containing the Terminal Server's administrator user accounts
is not present in the list, click Add and add it
6. select the Terminal Servers administrators group
7. remove the check mark from Allow column on the Apply Group Policy row
8. add a check mark to the Deny column on the Apply Group Policy row
9. click OK
If you want exactly the same settings to apply to users whether they log on
to a Terminal Server, a workstation or some other server, then do as lforbes
suggests and segregate the administrator user accounts into a different OU
that does not have the GPO with the User Configuration settings applied.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Dwayne R" <DwayneR@discussions.microsoft.com> wrote in message
news:9479D0EE-3A09-4A74-BC83-74B6F81B1AAB@microsoft.com...
> ok thats where i was confused... so when using GPO i set the policy i want
> to
> excude the Administrators group from inheriting the policy. does anyone
> know
> how to do this ?
>
> "lforbes" wrote:
>
>> >This is a server in a domain config but its not in a active directory
>> >model.
>>
>> Hi,
>>
>> You canâ?Tt have a "Domain config" without Active Directory installed
>> unless
>> You are running NT 4 and the server you refer to is just a Windows
>> 2000 Member Server in the domain (like a workstation). In the case of
>> NT 4.0 domain you would need to use poledit.
>>
>> If you are running a Windows 2000 Domain then you have an Active
>> Directory Model because AD is the essence of the Domain. In this case
>> you can use Group Policies and put the Domain Users in an OU and apply
>> the Group Policy to it. (GPâ?Ts donâ?Tt apply to groups)
>>
>> Cheers,
>>
>> Lara
>>
>> --
>> Posted using the
http://www.windowsforumz.com interface, at author's
>> request
>> Articles individually checked for conformance to usenet standards
>> Topic URL:
>>
http://www.windowsforumz.com/Group-Policy-Assiging-GROPUP-ftopict399313.html
>> Visit Topic URL to contact author (reg. req'd). Report abuse:
>>
http://www.windowsforumz.com/eform.php?p=1319368
>>