
I have been trying to set up a GPO policy for a single user (administrator) in Windows Server 2008.

I have approx. 50 users using Terminal Services on this server and need to make a different timeout configuration for the administrator user.

So, I:

1) Created two GPOs: TS-NoTimeout and TS-Timeout.

2) Assigned them.

3) Changed priority to place TS-NoTimeout in first place.

4) Removed Authenticated Users from TS-NoTimeout and added only administrator user.

Result: did not work. When I run gpresult for user Administrator it says denied because of security.

After some research, I found people saying that I should add the local machine too. I did this and...

Result: Works for admin but now all users have TS-NoTimeout as their policy too.

What exactly am I doing wrong here?

Any additional information that I should provide?

Fernando

1 Answer

When you say "timeout" I suspect you're talking about one or more of the following settings:

  • Set time limit for disconnected sessions
  • Set time limit for active but idle Terminal Services sessions
  • Set time limit for active Terminal Services sessions

These settings can be specified on a per-user or per-computer basis, depending on whether you are specifying the settings under the "Computer Configuration" or "User Configuration" node in the GPO.

When you say "...add the local machine too" and "Works for admin..." you make me suspect that you've specified the setting in the "Computer Configuration" node and linked the GPO in such a location as to make it apply to the Terminal Server computer.

If this is the case, I'd unlink the GPOs and re-link them in a location where they will apply to the user accounts you intend them to affect and then modify them to use the per-user settings (under "User Configuration").

Once you've re-linked and modified the content of the GPOs, verify that the permission on the "TS-Timeout" GPO includes "Authenticated Users / Read and Apply Group Policy" and "Administrator / Deny Apply Group Policy". Verify that the "TS-NoTimeout" GPO has the permission "Administrators / Apply Group Policy" (as well as all the default permissions "Administrators" is assigned) and that the default "Authenticated Users" ACL has been removed. I recommend editing the permissions by right-clicking the top node of the GPO in the Group Policy Editor rather than using the "friendly" and much less "standard" permission interface in the Group Policy Management Console.

(If you insist on using the "Administrator" account instead of the "Administrators" group alter my permission recommendations as such. If you have more than one discrete person using the "Administrator" account you're doing it wrong... but that's a rant for another question.)

By using the "Administrators / Deny Apply Group Policy" permission on the "TS-Timeout" GPO you prevent any need to worry about the "priority" of the GP links. Even though the UI will scold you a bit for using "Deny" there's nothing wrong with doing it and, in this case, I think it makes the resultant configuration far more understandable than relying only on the GP link "priority". I also think that modifying the permission serves the intent more clearly-- to make "TS-NoTimeout" apply to "Administrators" and not "Authenticated Users", and for "TS-Timeout" not to apply to "Administrators", regardless of where they are linked.

Evan Anderson
  • @Fernando: To clarify something Evan stated in his answer: If you configure the timeout settings under Computer Configuration in your GPO then the settings apply to the computer and everyone logging on to the computer, regardless of Security Filtering. In addition, if you configure the setting under Computer Configuration AND User Configuration, the Computer Configuration settings take precedence. – joeqwerty Feb 02 '11 at 11:52
  • Sorry for the delay and thanks for the answer. It worked perfectly. – Fernando Feb 08 '11 at 16:19
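
One way to check the security filtering described in the answer, as an added example that is not part of the original question or answer: the script lists every explicit "Apply Group Policy" ACE (Allow or Deny) on the two GPOs. It assumes the GroupPolicy module is available (Windows Server 2008 R2 or later, or RSAT), that it runs in a domain session with read access to the GPOs, and that the GPO names are the ones from the question.

```powershell
# Added example; not code from the question or the answer.
# Assumes the GroupPolicy module (Windows Server 2008 R2+ or RSAT).
Import-Module GroupPolicy

# GPO names taken from the question; adjust to match your domain.
$gpoNames = 'TS-Timeout', 'TS-NoTimeout'

# rightsGuid of the "Apply Group Policy" extended right in Active Directory.
$applyGpo = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($name in $gpoNames) {
    # Get-GPO returns the GPO's distinguished name in its Path property.
    $gpo   = Get-GPO -Name $name -ErrorAction Stop
    $entry = [ADSI]("LDAP://" + $gpo.Path)

    # Read the DACL of the GPO object, explicit and inherited ACEs,
    # with trustees resolved to DOMAIN\name where possible.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    # Keep only ACEs that grant or deny the Apply Group Policy right.
    # A Full Control ACE without an ObjectType is not listed here.
    $rules |
        Where-Object {
            ($_.ActiveDirectoryRights -band $extended) -and
            $_.ObjectType -eq $applyGpo
        } |
        Select-Object @{n = 'GPO';       e = { $name }},
                      @{n = 'Trustee';   e = { $_.IdentityReference.Value }},
                      @{n = 'Access';    e = { $_.AccessControlType }},
                      @{n = 'Inherited'; e = { $_.IsInherited }} |
        Sort-Object Access, Trustee |
        Format-Table -AutoSize
}
```

With the permissions the answer recommends, "TS-Timeout" should show an Allow entry for Authenticated Users and a Deny entry for the administrator principal, and "TS-NoTimeout" should show an Allow entry for the administrator principal and no entry for Authenticated Users.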