I have two separate sets of policy.
Users > Staff
Users > Students
Computers > Terminal Servers > Staff (Loopback)
Computers > Terminal Servers > Students (Loopback)
As regards different start menus for specific parts of the site - no. Most software is across site. Yes there will be some "dead links" but there aren't many.
I've tried GPP for start menus, but it does add to the logon/startup time. As ours don't change much - and we can roll out changes either by script or SCCM, there are better ways of managing it.
Right...you need a combo approach.
Add the Machine with "Apply GP" permission, and also add the User Group with "Apply GP" permission. Authenticated users should only have "Read" not the "Apply GP" permission. You've reminded me to finish the article with screenshots for you and the other emailers!
I hope that makes sense....
Delegation tab > Click Advanced. Change the permissions here only!
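The permission layout described above, scripted with the GroupPolicy PowerShell module and followed by a check of the result. This is an added example, not part of the original posts; the GPO, server and group names are hypothetical placeholders.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC / RSAT).
# Every name below is a hypothetical placeholder.
Import-Module GroupPolicy

$GpoName   = 'TS-Staff-Loopback'   # hypothetical GPO name
$Server    = 'TS01'                # hypothetical terminal server computer account
$UserGroup = 'Staff'               # hypothetical user security group

# Authenticated Users: Read only.
# -Replace is required because the existing level (Apply) is higher than
# the one being set; without it Set-GPPermission makes no change.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# The machine and the user group both get Apply.
Set-GPPermission -Name $GpoName -TargetName $Server `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify: list every trustee on the GPO with its permission level.
$perms = Get-GPPermission -Name $GpoName -All
$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# Flag the case where Authenticated Users did not end up at Read only.
$auth = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
if (-not $auth -or $auth.Permission -ne 'GpoRead') {
    Write-Warning "Authenticated Users is not set to Read only on '$GpoName'."
}

# Flag any trustee with Apply that is not one of the two intended ones.
$perms |
    Where-Object { $_.Permission -eq 'GpoApply' -and
                   $_.Trustee.Name -notin @($Server, $UserGroup) } |
    ForEach-Object { Write-Warning "Unexpected Apply permission: $($_.Trustee.Name)" }
```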
@TheScarfedOne well I tried and failed miserably in my attempt to do this.
I set up my replace policy to be blank (because I wanted to remove all the mandatory profile settings for if I need to log on as an administrator), so removed the apply group policy setting from authenticated users and then added my user and ticked apply group policy and then did gpupdate /force, left it overnight and logged on this morning and it applied all the group policy settings again.
GPMC shows when I run a report that it didn't apply the policy because of Access Denied.
Can you think of anything obvious I might have missed?
Edit: Well, I've made some progress. If I add the server with the ability to apply the group policy then the Replace policy kicks into effect, however it then applies to everybody. If I remove the server then it applies to nobody (presumably the replace part of the group policy). I can't work out how I just get the loopback to apply to users who have apply policy permission though, it seems to be an all or nothing thing for me.
Our school is a good example of exactly that: we have dedicated systems for media which are of very high specifications (mostly Core i5, 4GB RAM min, dedicated scratch disks). People do want to do a couple of things on other machines and more basic editing like Movie Maker goes on on other stations but that's never an excuse for spending school's money unwisely. £300 will get a school a system that will do these tasks fine and still leave enough room for Call of Duty - very rarely is a case for mainstream computers to go much over that requirement!
The interesting thing with it is that people use that excuse that "media" is done all over the school, but that begs the question: What constitutes as media?
To me media is kids going around making videos with digital cameras, of a decent quality, then editing the video files into some sort of movie or presentation, maybe with sounds and/or graphics added on. What worries me is that people are considering media to be the lesser form of that, in other words kids going around with little digital cameras that make small 10mb video files then making little videos in Movie Maker (like our geography and PE departments do), the school would call that media as a lesson but I wouldn't use the term media towards speccing a PC if that was the best they were used for. Bit of a minefield really though, no one will ever freely accept they're wrong....me included
Unfortunately true - whilst in most cases overspeccing can be of use when they do it for machines that will never see more action than perhaps 4 Word windows at once, it makes you want to ask these people what on earth they are doing in that job - unless they're earning cashback from suppliers on the naughty!
Value is a bit of a moot point when people will happily **** money up the wall on over specced over priced PCs instead, on occasion on these very forums. Though I won't get into "that" whinge...again.
Your posts are fantastic and really useful (adapted a couple with use of the VMware guide, but just read your last blog and think I may alter it so it matches up to what you've got again)!
Thanks for the info regarding delegation rather than security - guess what I'll be testing on Tuesday?
Will let you know how I get on!
Look forward to the exports then, I'm at this stage but had issues with the shell and how to log off cleanly.
Not really no. The only issue I sometimes see is a failed launch of the RDP file resulting in a blank screen. Loopback is used to prevent the full user settings applying to the thin PC. It doesn't need to, as the RDP session is what they actually use. I will be posting the actual group policy exports next week.
Hey pal, do you notice any issues with logging on twice, ie performance related to group policy processing on the thin pc's and then again on the rds session hosts? (or did you make use of any loopback processing)
This article has now been updated: Remote Desktop for Thin Client… Part 2! - Blogs - EduGeek.net
Sorry @Cache - I wasn't getting notifications on blog comments. Now sorted (I think - with ZH). Right...your questions...
Yep... the security filtering is something that is so often done wrong. DO NOT mess with the Security Filtering section on the Scope tab. Instead, use the Delegation tab and edit the settings here. Remove the checkbox for Apply GPO settings for Authenticated Users, and then add the user group you want and ensure that check box is set. I will do a blog post with screenies as it's one I've seen a few times...
I've not seen the Run in user's context used before...I generally don't use it. Will look it up (and poke the GPO and RDS team at MSFT to get an answer for you).
Finally...many thanks for using my posts. I hope they have been useful. If you have any suggestions for more topics...please let me know. I'm trying to post as much as possible about the setup to help others.
haha you want some of my blackice that has taken over on the roads from snow
Send some snow my way John!
I did ask the engineer whether or not we could give the Call Server multiple IP addresses (from the two different subnets), but was told no. However, he did inform me that they were working on the ability to plug the box into multiple VLANs but it wasn't quite ready yet!
Well we have had some snow and I have used the Winter Tyres and they are great, they are some real beasts, they are Cooper Discoverer M+S2's and they were great on the hills the other day, felt solid as a rock and very stable, car park at work that no-one dares park in when it snows as you cannot get out of it easily was no issue for me. Obviously my driving in the snow isn't as quick or as "sporty" as I am in the summer (I'm not one of these that thinks I can now do 70 on a snowy road like I can in summer) but I can make better pace on them than I could the summer tyres
As for Gareth's 2WD Kuga: they do my car (VW Tiguan) in a 2WD model, it's just wrong! It shouldn't be sold without being a 4 Wheel Drive vehicle, yet people want a posey 4x4 style vehicle but don't want 4x4 costs or weight so manufacturers make them. A Ford Kuga 4 wheel drive model (assume Ford make one as they look a similar vehicle to the Tiguan so do wonder if there is some sharing going on there!) will probably be much better for you.
Can you not multihome the VOIP system across multiple VLANs? Not as good but might be a possibility.
We had something similar happen with a batch of NEC 100 projectors. Changed lamps, connectors, everything we could think of. It was ultimately a fault with the projector so had to be returned for repair and replacement. Might be worth contacting the supplier?
I think I'll stick to the idealistic simplicity of Gamzee.