Firm,

Actually, you don't have to assign permissions to Remote Desktop Users because it's a built-in group in Windows.  When you use GPO restricted groups and match the names to the built-in local groups it overwrites the membership of the local group with the membership specified in the GPO.  Since the built-in Remote Desktop Users group already has permission to use RDP, no further configuration is required.

Your point about caution is apt, though.  Be very, VERY careful and test, test, test again before you push restricted groups out.

Ed,

That said, I use this feature all the time, with great results.  And, as I stated previously, this prevents users from changing local group memberships because GP overwrites it each time it updates.  Useful when you need to give a user desktop admin rights to a subset of your computers, but don't want them granting said access to others.

Ryan M. Finn
Systems Administrator
Michigan State University
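Since Restricted Groups replaces the entire local group membership on every policy refresh, the practical check on a pilot machine is whether the local Remote Desktop Users group ends up containing exactly the domain group the GPO names, and nothing else. The script below is an added example for that check; it is not from the thread or from any of the posters. The expected member list (DOMAIN\Sales Admins) is a placeholder taken from the thread's hypothetical policy and should be replaced with your own domain group.

```powershell
# Added example (not from the thread): verify that the local "Remote Desktop Users"
# group on this machine contains exactly the members the Restricted Groups GPO
# is supposed to enforce. Run on a test machine after 'gpupdate /force'.
# $ExpectedMembers is an assumption; set it to the domain group your GPO names.

param(
    [string[]]$ExpectedMembers = @('DOMAIN\Sales Admins')   # hypothetical domain group
)

# Get-LocalGroupMember returns domain principals as "DOMAIN\Name", which is the
# same form used in the GPO, so the two lists can be compared directly.
$actual = Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name

# Restricted Groups is authoritative: anything missing means the policy did not
# apply; anything extra means drift (or a local change the next refresh will undo).
$missing    = $ExpectedMembers | Where-Object { $_ -notin $actual }
$unexpected = $actual          | Where-Object { $_ -notin $ExpectedMembers }

if (-not $missing -and -not $unexpected) {
    Write-Output 'OK: Remote Desktop Users membership matches the policy.'
    exit 0
}

foreach ($m in $missing)    { Write-Warning "Missing expected member: $m" }
foreach ($u in $unexpected) { Write-Warning "Unexpected member present: $u" }

# Show which computer GPOs actually applied, to separate "policy not yet applied"
# from "policy applied but configured wrong" before rolling out further.
gpresult /r /scope:computer
exit 1
```

Run it once before the GPO is linked (to record the current membership you are about to overwrite) and again after the refresh; a non-zero exit with "Unexpected member present" on the first run is expected and tells you which existing RDP access the policy will remove.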


-----Original Message-----
From: Charlot, Firmin [mailto:[log in to unmask]] 
Sent: Tuesday, September 20, 2011 1:03 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] Active Directory GPO

Sounds like a good way to go as there are many.

It also seems to me that you are missing a step which is assigning permissions to the newly created Restricted Group.  You named it Remote Desktop Users but you still have to assign remote access permissions to Access the target servers.

I don't use restricted groups very often but also note that you may have to manage the restricted group differently from other regular groups.

Firm.

-----Original Message-----
From: Ryan M. Finn [mailto:[log in to unmask]]
Sent: Tuesday, September 20, 2011 10:15 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Active Directory GPO

You could use two policies and set them as follows:

Policy #1
Applies to: Sales Computers
Policy Settings: Windows Settings > Security Settings > Restricted Groups
Set up a restricted group called Remote Desktop Users and add DOMAIN\Sales Admins into it

Policy #2
Same as #1, but apply to Manu Computers and add DOMAIN\Manu Admins to group

This will make it so anyone added to the proper AD security group can remote control the computers in the GPO.  It also prevents anyone from logging on to the server locally and changing who can remote in, without your knowledge.

I'm doing this from memory, so bear with me.

If I've taken a swing-and-a-miss at your question, please ridicule me.  :-)

Ryan M. Finn
Systems Administrator
Michigan State University

-----Original Message-----
From: Ed Symanzik [mailto:[log in to unmask]]
Sent: Tuesday, September 20, 2011 9:48 AM
To: [log in to unmask]
Subject: [MSUNAG] Active Directory GPO

Newbie Active Directory question for y'all.

Let's say I have two groups of computers: Sales and Manufacturing; and two groups of users: Sales Admins and Manufacturing Admins.  I would like to create a policy that dictates that only administrators may access servers remotely.  How can I apply this policy to both groups of computers but have administrators mean Sales Admins in one case and Manufacturing Admins in the other?

Sorry, but I don't even know what to search for to get the answer myself.

Thanks,

--
Ed Symanzik, ATS