Surprise client question on Terminal server

[Curt]

One of my Arizona Project Managers emailed me and asked if I had a half an hour to talk to a new Dynamics Great Plains customer.

The client was in the public sector, where you and I would REALLY WANT the funds to go toward what they do. Fight Fires. Big ones.

I don't know about you but I am really glad people like this exist.

If you lived in San Diego in the past few years you know why.

Anyway, he calls me and I thought it would just be the normal "Best practices" for installing the Dynamics GP client in Terminal server.

But this fellow was good. He created a GPO on an OU and put the Terminal server in the OU. He emailed me all the settings he used but I did not "SEE" the server, yet.

Problem is: The administrator account has all the lock downs from the GPO when the Admin account logs in.

I have been blitzed with client issues and I feel sorry for the guy, but I think the last time I did this I put the machine in the OU as well , so the reason why it applies to the admin account is because the Machine account is covered by the policy. Am I right? or am I wrong?

I don't mind being wrong, as long as I am enlightened.

Once I thought I was wrong!!!! But I was Mistaken. :cry:

[AdamV]

Sounds like he has a loopback in place to apply user settings from that GP to the users logging in to the machine which is in the OU. All this does is process policies as normal, user being last and then after that it goes back and applies user settings as if the user was also in the OU where the machine is.

A filter on the user policy which is linked to the OU to "deny" Apply this policy for the admin account / admins group(s) would do the trick.

Don't get too tied up with the machine / loopback aspect, ultimately these are user settings in a policy which you need to ensure do not apply to a specific set of users.

It may be more complex than this, but it sounds like this is the basis of the issue.