1

I have my Terminal Servers (Windows 2k3) in their own OU with their own Group Policy. Loopback "merge" is enabled and everything, in general, works OK.

For Computer Configuration, under Policies/Administrative Templates/Windows Components/Terminal Services/Terminal Server/Remote Session Environment I have some settings defined. In particular, "Start a program on connection" which starts the only app they need on the terminal server. Works great. When they exit the app their session ends.

However, I don't want that app to launch when I connect as a Domain Admin. In that scenario, I need the normal TS experience. I visited Delegation -> Advanced for the policy and set "Apply Group Policy" to Deny for Domain Admins. However, that only impacts the User Config, not the Computer Config (verified by gpresult), which is, upon reflection, as I'd expect (right?).

So... what's the proper way to exclude loopback processing for a user or group?

Chris_K

2 Answers

2

That is a per-computer setting; there isn't really anything you can do at the policy level to change that per user.

One thing you could do: when the admins log in, they should be able to specify a program to start in their terminal client. Just start explorer.exe.

Zoredache
1

Could you create a new group policy and apply it to administrators, and when using the loopback, set that to replace? That should overwrite the policy.

Nixphoe
  • An intriguing notion but I'm not entirely sure I grasp how to put that together. Can you elaborate a bit more? – Chris_K May 17 '11 at 02:39
  • You would set up the group policy with the same loopback setting, but set that to replace. After that, under Remote Session Environment > Start a program on connection, change that to Disabled. After you have that set up, remove Authenticated Users from the Security Filtering, and add Domain Administrators, or whichever user/group you want to remove from having that setting apply. Then it should disable the startup programs for that user/group. – Nixphoe May 17 '11 at 02:48