Not apply a policy against the administrator

Against our Citrix/Terminal Server OU is a GPO that sets the path for
terminal services profile under the computer settings section.

The problem is our administrator account picks up this setting and uses a TS
profile. I dont want the admin to use this profile.

Is it possible to write a WMI filter to not apply the GPO if it is the
administrator who is loggging on?

Or if anybody has any better suggestions?????

Meinolf
Thu Mar 27 05:27:10 PDT 2008

Hello Si,

Our Admin accounts are in an own OU where no policies are linked to except
ofcourse the Domain policy and they also have no profile configuration. For
normal work we also have normal user accounts.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Against our Citrix/Terminal Server OU is a GPO that sets the path for
> terminal services profile under the computer settings section.
>
> The problem is our administrator account picks up this setting and
> uses a TS profile. I dont want the admin to use this profile.
>
> Is it possible to write a WMI filter to not apply the GPO if it is the
> administrator who is loggging on?
>
> Or if anybody has any better suggestions?????
>

ZiadKChafi
Thu Mar 27 05:39:01 PDT 2008

You do not need to use WMI filters, you can just use security filtering, try
doing the following plz:
1- You should be using Group Policy Managemnt, if you don't have it just
google for gpmc.msi, dounload it and install it
2- Open GPMC and select the Group Policy Link that you desire
3- On the right pane select the Deligation Tab
4- Press the Advanced Button
5- Click add to add a the Administrator account or any account that you like
6- make sure that the user that you selected is highlited
7- Scroll down to "Apply Group Policy" and check the Deny checkbox.
This should solve it.

Let me know...
--
Ziad K. Chafi
CompTIA A+, CompTIA N+, MCP, MCDST, MCAS: S, MCSE: S, MCDBA, MCTS, MCT


"Si" wrote:

> Against our Citrix/Terminal Server OU is a GPO that sets the path for
> terminal services profile under the computer settings section.
>
> The problem is our administrator account picks up this setting and uses a TS
> profile. I dont want the admin to use this profile.
>
> Is it possible to write a WMI filter to not apply the GPO if it is the
> administrator who is loggging on?
>
> Or if anybody has any better suggestions?????

Si
Thu Mar 27 05:55:00 PDT 2008

This will only deny the user configuration settings not the computer settings

"Ziad K. Chafi" wrote:

> You do not need to use WMI filters, you can just use security filtering, try
> doing the following plz:
> 1- You should be using Group Policy Managemnt, if you don't have it just
> google for gpmc.msi, dounload it and install it
> 2- Open GPMC and select the Group Policy Link that you desire
> 3- On the right pane select the Deligation Tab
> 4- Press the Advanced Button
> 5- Click add to add a the Administrator account or any account that you like
> 6- make sure that the user that you selected is highlited
> 7- Scroll down to "Apply Group Policy" and check the Deny checkbox.
> This should solve it.
>
> Let me know...
> --
> Ziad K. Chafi
> CompTIA A+, CompTIA N+, MCP, MCDST, MCAS: S, MCSE: S, MCDBA, MCTS, MCT
>
>
> "Si" wrote:
>
> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
> > terminal services profile under the computer settings section.
> >
> > The problem is our administrator account picks up this setting and uses a TS
> > profile. I dont want the admin to use this profile.
> >
> > Is it possible to write a WMI filter to not apply the GPO if it is the
> > administrator who is loggging on?
> >
> > Or if anybody has any better suggestions?????

Paul
Thu Mar 27 06:00:18 PDT 2008

Deny policy against the admin

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Si" <Si@discussions.microsoft.com> wrote in message
news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
> Against our Citrix/Terminal Server OU is a GPO that sets the path for
> terminal services profile under the computer settings section.
>
> The problem is our administrator account picks up this setting and uses a
> TS
> profile. I dont want the admin to use this profile.
>
> Is it possible to write a WMI filter to not apply the GPO if it is the
> administrator who is loggging on?
>
> Or if anybody has any better suggestions?????

Lanwench
Thu Mar 27 06:11:40 PDT 2008

Si <Si@discussions.microsoft.com> wrote:
> This will only deny the user configuration settings not the computer
> settings

No, I don't think so; I do this myself and don't have any restrictions when
I log into my TS boxes. However, even if that were true, the TS profile path
is a user thing. :-)


>
> "Ziad K. Chafi" wrote:
>
>> You do not need to use WMI filters, you can just use security
>> filtering, try doing the following plz:
>> 1- You should be using Group Policy Managemnt, if you don't have it
>> just google for gpmc.msi, dounload it and install it
>> 2- Open GPMC and select the Group Policy Link that you desire
>> 3- On the right pane select the Deligation Tab
>> 4- Press the Advanced Button
>> 5- Click add to add a the Administrator account or any account that
>> you like 6- make sure that the user that you selected is highlited
>> 7- Scroll down to "Apply Group Policy" and check the Deny checkbox.
>> This should solve it.
>>
>> Let me know...
>> --
>> Ziad K. Chafi
>> CompTIA A+, CompTIA N+, MCP, MCDST, MCAS: S, MCSE: S, MCDBA, MCTS,
>> MCT
>>
>>
>> "Si" wrote:
>>
>>> Against our Citrix/Terminal Server OU is a GPO that sets the path
>>> for terminal services profile under the computer settings section.
>>>
>>> The problem is our administrator account picks up this setting and
>>> uses a TS profile. I dont want the admin to use this profile.
>>>
>>> Is it possible to write a WMI filter to not apply the GPO if it is
>>> the administrator who is loggging on?
>>>
>>> Or if anybody has any better suggestions?????

Si
Thu Mar 27 06:22:01 PDT 2008

Guys,

It is a computer configuration setting not a user and if i deny the
administrator it will only deny the user configuration settings not the
computer configuration settings

"Paul Bergson [MVP-DS]" wrote:

> Deny policy against the admin
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Si" <Si@discussions.microsoft.com> wrote in message
> news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
> > terminal services profile under the computer settings section.
> >
> > The problem is our administrator account picks up this setting and uses a
> > TS
> > profile. I dont want the admin to use this profile.
> >
> > Is it possible to write a WMI filter to not apply the GPO if it is the
> > administrator who is loggging on?
> >
> > Or if anybody has any better suggestions?????
>
>
>

Paul
Thu Mar 27 06:39:22 PDT 2008

You said against your admin not against the machine your admin logs into.
Unless you are using loopback processing profile setting should be a user
setting.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Si" <Si@discussions.microsoft.com> wrote in message
news:442E11C9-FF16-403A-A6A6-1C00BD626436@microsoft.com...
> Guys,
>
> It is a computer configuration setting not a user and if i deny the
> administrator it will only deny the user configuration settings not the
> computer configuration settings
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Deny policy against the admin
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Si" <Si@discussions.microsoft.com> wrote in message
>> news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
>> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
>> > terminal services profile under the computer settings section.
>> >
>> > The problem is our administrator account picks up this setting and uses
>> > a
>> > TS
>> > profile. I dont want the admin to use this profile.
>> >
>> > Is it possible to write a WMI filter to not apply the GPO if it is the
>> > administrator who is loggging on?
>> >
>> > Or if anybody has any better suggestions?????
>>
>>
>>

Si
Thu Mar 27 07:01:00 PDT 2008

Policy Setting
Set path for TS Roaming Profiles - Enabled

The above comes under computer configuration not user configuration.......

Loopback is enable but that doesnt matter because again this is a computer
setting not a user.




"Paul Bergson [MVP-DS]" wrote:

> You said against your admin not against the machine your admin logs into.
> Unless you are using loopback processing profile setting should be a user
> setting.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Si" <Si@discussions.microsoft.com> wrote in message
> news:442E11C9-FF16-403A-A6A6-1C00BD626436@microsoft.com...
> > Guys,
> >
> > It is a computer configuration setting not a user and if i deny the
> > administrator it will only deny the user configuration settings not the
> > computer configuration settings
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> Deny policy against the admin
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "Si" <Si@discussions.microsoft.com> wrote in message
> >> news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
> >> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
> >> > terminal services profile under the computer settings section.
> >> >
> >> > The problem is our administrator account picks up this setting and uses
> >> > a
> >> > TS
> >> > profile. I dont want the admin to use this profile.
> >> >
> >> > Is it possible to write a WMI filter to not apply the GPO if it is the
> >> > administrator who is loggging on?
> >> >
> >> > Or if anybody has any better suggestions?????
> >>
> >>
> >>
>
>
>

Florian
Thu Mar 27 07:18:12 PDT 2008

Howdie!

Si schrieb:
> Against our Citrix/Terminal Server OU is a GPO that sets the path for
> terminal services profile under the computer settings section.
>
> The problem is our administrator account picks up this setting and uses a TS
> profile. I dont want the admin to use this profile.
>
> Is it possible to write a WMI filter to not apply the GPO if it is the
> administrator who is loggging on?
>
> Or if anybody has any better suggestions?????

See:
http://www.frickelsoft.net/blog/?p=63

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Use a newsreader! http://www.frickelsoft.net/news.html

Si
Thu Mar 27 07:31:01 PDT 2008

Good document but it still doesnt cover computer configuration settings only
user - still where i started.

"Florian Frommherz [MVP]" wrote:

> Howdie!
>
> Si schrieb:
> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
> > terminal services profile under the computer settings section.
> >
> > The problem is our administrator account picks up this setting and uses a TS
> > profile. I dont want the admin to use this profile.
> >
> > Is it possible to write a WMI filter to not apply the GPO if it is the
> > administrator who is loggging on?
> >
> > Or if anybody has any better suggestions?????
>
> See:
> http://www.frickelsoft.net/blog/?p=63
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Windows Server - Group Policy.
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Use a newsreader! http://www.frickelsoft.net/news.html
>

Anthony
Thu Mar 27 08:01:23 PDT 2008

There's no way to deny parts of a computer GPO from applying to specified
users.
Anthony
http://www.airdesk.co.uk


"Si" <Si@discussions.microsoft.com> wrote in message
news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
> Against our Citrix/Terminal Server OU is a GPO that sets the path for
> terminal services profile under the computer settings section.
>
> The problem is our administrator account picks up this setting and uses a
> TS
> profile. I dont want the admin to use this profile.
>
> Is it possible to write a WMI filter to not apply the GPO if it is the
> administrator who is loggging on?
>
> Or if anybody has any better suggestions?????

Si
Thu Mar 27 08:14:01 PDT 2008

Thanks, finally in plain and simple terms

So how does everybody else who applies the TS profile setting get around the
Administrator not having it scenario???

"Anthony [MVP]" wrote:

> There's no way to deny parts of a computer GPO from applying to specified
> users.
> Anthony
> http://www.airdesk.co.uk
>
>
> "Si" <Si@discussions.microsoft.com> wrote in message
> news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
> > terminal services profile under the computer settings section.
> >
> > The problem is our administrator account picks up this setting and uses a
> > TS
> > profile. I dont want the admin to use this profile.
> >
> > Is it possible to write a WMI filter to not apply the GPO if it is the
> > administrator who is loggging on?
> >
> > Or if anybody has any better suggestions?????
>
>
>

Anthony
Thu Mar 27 09:11:59 PDT 2008

I don't think they do. What problem are you trying to avoid?
This is quite a useful setting if you want one set of TS servers to have a
distinctive user profile, different from other TS servers. Or if you just
want everyone to have a TS Profile even if not set in their AD account.
As the setting only applies to the TS, and not to other RDP sessions (unlike
a TS Profile in the account) I can't see what problem it would cause,
Hope that helps,
Anthony,
http://www.airdesk.co.uk




"Si" <Si@discussions.microsoft.com> wrote in message
news:48BB7443-ED26-4E1E-A2E1-48DF73915A5C@microsoft.com...
> Thanks, finally in plain and simple terms
>
> So how does everybody else who applies the TS profile setting get around
> the
> Administrator not having it scenario???
>
> "Anthony [MVP]" wrote:
>
>> There's no way to deny parts of a computer GPO from applying to specified
>> users.
>> Anthony
>> http://www.airdesk.co.uk
>>
>>
>> "Si" <Si@discussions.microsoft.com> wrote in message
>> news:F14977BA-C6FD-40AC-8CE9-677B1EB8E658@microsoft.com...
>> > Against our Citrix/Terminal Server OU is a GPO that sets the path for
>> > terminal services profile under the computer settings section.
>> >
>> > The problem is our administrator account picks up this setting and uses
>> > a
>> > TS
>> > profile. I dont want the admin to use this profile.
>> >
>> > Is it possible to write a WMI filter to not apply the GPO if it is the
>> > administrator who is loggging on?
>> >
>> > Or if anybody has any better suggestions?????
>>
>>
>>