The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.

 

List Posts

Subject: [gptalk] Prevent Drive Mapping per User Group
derekodiorne, 01/12/2012 7:39 PM
I need to be able to prevent mapping local drives in a terminal server
session only for users in a specific security group. The setting in
W2K3 is a computer policy. The TS and the users are in different OUs.
I created the GPO with the computer policy to prevent local drive
mapping and linked it to the TS OU and applied loopback processing in
the same GPO. I also added a security filter for the users' security
group.

Is this the right way to configure this or is there another way or
better way? So far it is not working for my test user and the results
wizard for my test account says Inaccessible in the denied GPO section.

Derek Odiorne

Sr. Network Analyst
Lending Solutions

Fiserv
Office: 574-245-1487

Cell: 574.903.3122

www.fiserv.com <http://www.fiserv.com/>

dmarelia, 01/12/2012 7:41 PM
If that is the problem, then that is typically controlled through RDP Session Host settings, but it is per computer, specifically under Computer Configuration\Policies\Admin Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do Not Allow Drive Redirection.

One idea here that I haven't tested is the following. Use a per-user GP Preferences registry item to modify the above underlying per-computer registry policy and then use user security group item-level targeting to filter the registry item. In principle this should work and would achieve the goal of applying a per-computer setting based on user group membership. If I get some time I will test this to verify.

Darren


Darren Mar-Elia
CTO & Founder - www.sdmsoftware.com<http://www.sdmsoftware.com/>
"The Group Policy Experts"
Group Policy Resource Site: www.gpoguy.com<http://www.gpoguy.com/>


From: gptalk-owner@lists.gpoguy.com [mailto:gptalk-owner@lists.gpoguy.com] On Behalf Of Darragh O'Shaughnessy
Sent: Thursday, January 05, 2012 9:35 AM
To: gptalk@lists.gpoguy.com
Subject: RE: [gptalk] Prevent Drive Mapping per User Group

I think what he means is that when using an RDP connection to a TS Server, you have the option to bring through your local physical drives from your client, i.e. your local C: drive, into the TS session.

From: gptalk-owner@lists.gpoguy.com [mailto:gptalk-owner@lists.gpoguy.com] On Behalf Of Omar Droubi
Sent: 05 January 2012 17:30
To: gptalk@lists.gpoguy.com
Subject: RE: [gptalk] Prevent Drive Mapping per User Group

Maybe we should first ask: what result are you trying to achieve?

Is it that you don't want these users to access any network resources or that you just want to make sure they don't get any other drive letters? What?

You can't apply a computer policy selectively to users. Your security filtering (whether loopback or not) will filter out the computer account and will never apply.

I don't think there is anything in particular that blocks a user from mapping a drive, but I have never had to do that.

Now if you want to block network access, maybe you can use ADUC and allow these users to only log on to the terminal server in question. You may also need to allow logon to the domain controller (just in this list) to allow authentication and GPO processing to work correctly. But I haven't tried this usage in a while.

This is configured on the user account in AD Users and Computers in the Accounts tab (Log On To... button).

Other options, not GPO related: set up share permissions with the security group and use the Deny permission, and that should block them from connecting to the share, but I think the account "Log On To" may work best.

Omar

From: gptalk-owner@lists.gpoguy.com [mailto:gptalk-owner@lists.gpoguy.com] On Behalf Of Odiorne, Derek
Sent: Thursday, January 05, 2012 8:34 AM
To: gptalk@lists.gpoguy.com
Subject: [gptalk] Prevent Drive Mapping per User Group

I need to be able to prevent mapping local drives in a terminal server session only for users in a specific security group. The setting in W2K3 is a computer policy. The TS and the users are in different OUs. I created the GPO with the computer policy to prevent local drive mapping and linked it to the TS OU and applied loopback processing in the same GPO. I also added a security filter for the users' security group.

Is this the right way to configure this or is there another way or better way? So far it is not working for my test user and the results wizard for my test account says Inaccessible in the denied GPO section.

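Two points from the thread can be checked directly: whether the GPO's security filtering still lets the terminal server's computer account apply it, and what the per-computer drive redirection policy is set to on the session host. The PowerShell below is an added diagnostic example, not code from any poster on the list. The GPO name and computer name are placeholders, and it assumes the GroupPolicy module (RSAT/GPMC) and PowerShell 3.0 or later.

```powershell
# Added diagnostic example; the GPO and computer names used at the bottom are placeholders.
Import-Module GroupPolicy   # installed with RSAT / the Group Policy Management feature

function Test-GpoAppliesToComputer {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$ComputerName   # account name without the trailing $
    )
    # Trustees with GpoApply are the entries shown under Security Filtering in GPMC.
    $apply = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }

    # Computer settings are processed as the computer account, so one of these
    # trustees must be present. Nested or custom groups that contain the computer
    # are not resolved here (simplification for the example).
    $computerTrustees = 'Authenticated Users', 'Domain Computers', "$ComputerName`$"
    $match = $apply | Where-Object { $computerTrustees -contains $_.Trustee.Name }

    [pscustomobject]@{
        Gpo              = $GpoName
        ApplyTrustees    = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
        ComputerCanApply = [bool]$match
    }
}

function Get-DriveRedirectionPolicy {
    # Registry value written by "Do not allow drive redirection"; run on the session host.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $val = (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    if ($val -eq 1)     { 'Drive redirection disabled by policy for every session on this host' }
    elseif ($val -eq 0) { 'Drive redirection explicitly allowed by policy' }
    else                { 'Policy not configured; local RD Session Host settings decide' }
}

# Placeholder names: substitute the real GPO and terminal server.
Test-GpoAppliesToComputer -GpoName 'TS - No Drive Redirection' -ComputerName 'TS01'
Get-DriveRedirectionPolicy
```

If ComputerCanApply is False, the computer-side setting never reaches the session host regardless of which user logs on, which matches the behaviour Omar describes.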
