Discussion:
Group Policy - users have different options
(too old to reply)
Rob S
2005-06-10 13:18:46 UTC
Permalink
Hi,

Further to some very useful advice in here I'm configuring a 2003 server in a
"kiosk" mode, and to this end I have setup a TermServices OU on the domain
controller, and have put a tailored Group Policy on this OU. I have then put 3
users, who are only going to be using TS, into this OU. This seems to work fine
as when the users are in the OU they are restricted, and vice versa.

However one thing is baffling me at the moment. User1, who is as far as I can
tell configured the same as User2 and User3 (and in the same groups) has
slightly different menu options. User2 and User3 can see OE, Internet Explorer,
Remote Assistance, Accessories and Startup in Programs (and all the usual sub
options under Accessories). User1 can only see Startup.

I'd imagine there must be some personal policy applying to User1 that I've
forgotten how to access, as any Group Policy would affect them all the same.

Also how can I get rid of everything but startup, as the way User1 appears is
how I want them all to.....

many thanks in advance


-Rob
robatwork at mail dot com
Vera Noest [MVP]
2005-06-10 21:05:13 UTC
Permalink
Difficult to say without knowing the details of you GPO (did you
use folder redirection? custom start menu?)
What kind of profiles do users have?
Could it be that user2 and user3 already had an existing profile
before you created the restrictive GPO?
What happens when you delete the profile of one of these users,
thereby forcing a new fresh profile?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
Post by Rob S
Hi,
Further to some very useful advice in here I'm configuring a
2003 server in a "kiosk" mode, and to this end I have setup a
TermServices OU on the domain controller, and have put a
tailored Group Policy on this OU. I have then put 3 users, who
are only going to be using TS, into this OU. This seems to work
fine as when the users are in the OU they are restricted, and
vice versa.
However one thing is baffling me at the moment. User1, who is as
far as I can tell configured the same as User2 and User3 (and in
the same groups) has slightly different menu options. User2 and
User3 can see OE, Internet Explorer, Remote Assistance,
Accessories and Startup in Programs (and all the usual sub
options under Accessories). User1 can only see Startup.
I'd imagine there must be some personal policy applying to User1
that I've forgotten how to access, as any Group Policy would
affect them all the same.
Also how can I get rid of everything but startup, as the way
User1 appears is how I want them all to.....
many thanks in advance
-Rob
robatwork at mail dot com
Rob S
2005-06-14 14:52:23 UTC
Permalink
On Fri, 10 Jun 2005 14:05:13 -0700, "Vera Noest [MVP]"
<***@remove-this.hem.utfors.se> wrote:

-Difficult to say without knowing the details of you GPO (did you
-use folder redirection? custom start menu?)
-What kind of profiles do users have?
-Could it be that user2 and user3 already had an existing profile
-before you created the restrictive GPO?
-What happens when you delete the profile of one of these users,
-thereby forcing a new fresh profile?

Thanks Vera as always - will look into this. Just did a quick test and deleted
user.dat from User1 - the next time I logged in as User1 it looked like User2
and 3. So it was obv in the local profile for User1. The thing is - I don't
remember how I set User1 up, and it's how I want all the users to appear!

I need to experiment some more....


-Rob
robatwork at mail dot com
Vera Noest [MVP]
2005-06-14 20:05:52 UTC
Permalink
Create a template account, log on with that account, start a ts
session and configure the desktop, start menu, etc as you would
like it to be for all of your users. Then log off and copy the
template account user profile over the Default User profile on the
TS, to make sure that every user starts with a copy of this
profile.
Remember that you can also delete items from the "All Users"
portion of the start menu. That's usually where a lot of unwanted
shortcuts are located.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
Post by Rob S
On Fri, 10 Jun 2005 14:05:13 -0700, "Vera Noest [MVP]"
-Difficult to say without knowing the details of you GPO (did
you -use folder redirection? custom start menu?)
-What kind of profiles do users have?
-Could it be that user2 and user3 already had an existing
profile -before you created the restrictive GPO?
-What happens when you delete the profile of one of these users,
-thereby forcing a new fresh profile?
Thanks Vera as always - will look into this. Just did a quick
test and deleted user.dat from User1 - the next time I logged in
as User1 it looked like User2 and 3. So it was obv in the local
profile for User1. The thing is - I don't remember how I set
User1 up, and it's how I want all the users to appear!
I need to experiment some more....
-Rob
robatwork at mail dot com
Rob S
2005-06-15 10:21:26 UTC
Permalink
Vera - I had considered that method. The thing is - as User1 was originally
setup it had the restrictions I referred to earlier when User1 was in the
TermServices OU I setup which had the group policy attached. When I took User1
out the OU, it had all the shortcuts etc back. This is just what I want to
happen.

Presumably with the method below, even when User1 isn't in TermServices, it
still won't have any of the shortcuts etc I've deleted from All Users and
Default User....

regards

Rob

On Tue, 14 Jun 2005 13:05:52 -0700, "Vera Noest [MVP]"
<***@remove-this.hem.utfors.se> wrote:

- Then log off and copy the
-template account user profile over the Default User profile on the
-TS, to make sure that every user starts with a copy of this
-profile.
-Remember that you can also delete items from the "All Users"
-portion of the start menu. That's usually where a lot of unwanted
-shortcuts are located.

-Rob
robatwork at mail dot com
Vera Noest [MVP]
2005-06-15 12:49:54 UTC
Permalink
OK, I understand.

I assume that no users should have a lot of shortcuts when they
log on the the Terminal Server, but they should have the normal
shortcuts when they logon to their workstation, correct?

To accomplish this, you need to do two things:

1) make sure that users have separate profiles on their desktop
and in the Terminal Server (check the account properties)
2) use "loopback processing" of the GPO which is linked to the OU
that contains the Terminal Server.

Also make sure that user accounts are *not* in the same OU as the
TS.

Detailed instructions here:

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
Post by Rob S
Vera - I had considered that method. The thing is - as User1 was
originally setup it had the restrictions I referred to earlier
when User1 was in the TermServices OU I setup which had the
group policy attached. When I took User1 out the OU, it had all
the shortcuts etc back. This is just what I want to happen.
Presumably with the method below, even when User1 isn't in
TermServices, it still won't have any of the shortcuts etc I've
deleted from All Users and Default User....
regards
Rob
On Tue, 14 Jun 2005 13:05:52 -0700, "Vera Noest [MVP]"
- Then log off and copy the
-template account user profile over the Default User profile on
the -TS, to make sure that every user starts with a copy of this
-profile.
-Remember that you can also delete items from the "All Users"
-portion of the start menu. That's usually where a lot of
unwanted -shortcuts are located.
-Rob
robatwork at mail dot com
Loading...