Thread: Remote Access - Sonicwall VPN to Terminal Server

  1. #1
    unionit

    Windows 2000 Small Business Server:
    I created a Remote Access Policy to remove Shutdown from the Start menu (among other things). I created a Remote User Group and put a couple of test users in it. The policy is not being applied.
    The group is located within the PFAA.local organization and the remote access policy is contained within the group. There is no problem connecting to the server remotely using these test users. I just can't get the policy applied. I'm new to trying to use GP. Thanks for your help.

  2. #2
    AdamV

    Reading between the lines, you have made a simple but common error, but I could be wrong.
    You say you have added users to a group and then applied the policy to a group.
    This doesn't work.

    You need to apply the policy to the users themselves - through the domain, site or (most usually) an OU.
    You can use groups to then filter out the policy so it only applies to the users you want, but the policy has to be "in scope" for the users.

    So: apply to an OU to push a policy, use a group to filter a policy you already pushed.

    Now the more complicated option.
    If you only want this to apply to users in Terminal Services sessions, you need to apply the policy where the TS servers are. "But that won't work" I hear you say - it's a user policy so it has to be applied to a user, not a computer.
    True.
    So you also need to use Loopback processing which gets the user parts of the policies which are in scope for the computer and applies them after the user's own policies. Hey presto, all users on the system get a particular setting. In this case you would probably use "merge" rather than "replace" settings so you don't overwrite all the other good stuff your policies are doing.

  3. #3
    unionit

    Sorry, I used the wrong terminology. I should know better! I did create an OU inside the PFAA domain, inside the PFAA OU. I created the policy inside the Remote Access OU. There is only one physical server (Small Bus Ser) so Terminal Server is running on it. In the properties of the Remote Access OU, I made the users members of the policy. Do I have to do this in reverse... in other words, include everyone and then create a group to exclude them?????

    Current setup:

    PFAA (domain)
    PFAA (OU)
    PFAA REMOTE ACCESS (OU)
    REMOTE ACCESS POLICY
    MEMBERS specified in policy

  4. #4
    AdamV

    If the right users are in the 'remote access' OU then all you have to do is link the policy there (it sounds like you did this already - probably by using the right click > "create and link a policy here" option).

    The only thing to consider is that this policy will apply to them when they are on their workstations as well, which is why you might be better off applying this to an OU with the server in and using loopback so it only affects users who log on to the server.

    You would then (if you do it with the loopback method) want to filter this policy and add the administrator account / groups and set them to "deny" against "apply policy" so the policy does not apply to administrators.
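
The scoping rules discussed in this thread (link to an OU, filter with a group, loopback merge versus replace, deny for administrators), as an added example that is not part of the original posts. It is a simplified model in Python, not Windows code; the "Terminal Servers" OU, the "Desktop defaults" GPO, the setting names and the group names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    user_settings: dict
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})
    deny: set = field(default_factory=set)  # groups denied "apply policy"

    def applies(self, groups):
        # Security filtering: an explicit deny overrides any allow.
        return bool(self.apply_to & groups) and not (self.deny & groups)

def in_scope(path, links):
    """GPOs linked along a container path: domain first, nearest OU last."""
    return [gpo for container in path for gpo in links.get(container, [])]

def effective_user_settings(user_path, groups, computer_path, links, loopback=None):
    """User-side settings for one logon; GPOs processed later win conflicts."""
    own = in_scope(user_path, links)
    via_computer = in_scope(computer_path, links)
    if loopback == "replace":      # only the computer's GPOs supply user settings
        order = via_computer
    elif loopback == "merge":      # user's own GPOs first, computer's applied after
        order = own + via_computer
    else:                          # no loopback: only the user's location counts
        order = own
    settings = {}
    for gpo in order:
        if gpo.applies(groups):
            settings.update(gpo.user_settings)
    return settings

# Constructed sample data. OU names other than those in the thread are assumptions.
LOCKDOWN = GPO("Remote Access Policy", {"remove_shutdown": True}, deny={"Domain Admins"})
DESKTOP = GPO("Desktop defaults", {"wallpaper": "corp.bmp"})
LINKS = {"PFAA": [DESKTOP], "Terminal Servers": [LOCKDOWN]}
USER_OU = ["PFAA.local", "PFAA", "PFAA REMOTE ACCESS"]
SERVER_OU = ["PFAA.local", "Terminal Servers"]
STAFF = {"Authenticated Users", "Remote Users"}
ADMINS = {"Authenticated Users", "Domain Admins"}

if __name__ == "__main__":
    for label, groups, mode in [("staff, no loopback", STAFF, None),
                                ("staff, merge", STAFF, "merge"),
                                ("staff, replace", STAFF, "replace"),
                                ("admin, merge", ADMINS, "merge")]:
        print(label, effective_user_settings(USER_OU, groups, SERVER_OU, LINKS, mode))
```

Without loopback the lockdown never reaches the user, because it is linked only where the server lives; group membership alone does not bring a GPO into scope.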

  5. #5
    unionit

    Thanks AdamV! I finally got it figured out using the loopback method! I could not have done it without your help! Thanks so much for your help!!!

  6. #6
    AdamV

    No worries, glad you got it sorted.
