I have a Terminal Server that'll be used by many people, but for different purposes. Our program consists of 2 parts, let's call them user-part and manager-part. Those are 2 different .exe files. I want the program to be run automatically when the user logs on (I know how to do it via GPO). But I want to vary the application based on the user's role. Of course, I want to control these roles with 2 domain groups like "TS-Users" and "TS-Managers".
I am finding the most efficient way to achieve that goal. Can someone share his experience in such a question? The server is W2K2003 in 2003-level domain.
No problem.
Create two global security groups in the Active Directory, say "TS-Users" and "TS-Managers".
Create and link three (3) Group Policy objects in the OU that, ideally, only the terminal server computer is located in. Name them "Loopback GPO Processing and Common User Settings", "TS-Users Settings", and "TS-Managers Settings".
In the GPO "Loopback GPO Processing and Common User Settings", open the "Computer Configuration" node, the "Administrative Templates" node, the "System" node, and the "Group Policy" node and enable the policy titled "User Group Policy loopback processing mode". If you want other user GPO settings set in other places in the directory to apply to users when they log on to this machine, choose "Merge" in the "Mode" box. If you want only the user settings in these three GPOs to apply, choose "Replace". Also set in this GPO any "User Configuration" settings that you'd like to be common between these users.
In the GPOs "TS-Users Settings" and "TS-Managers Settings", set the various settings needed for each of these groups. In the Group Policy editor, open the "Properties" for the root node of the group policy and navigate to the "Security" tab. Remove "Authenticated Users" from the permissions on each policy and add the appropriate AD group that you created above with "Read" and "Apply Group Policy" permission. Do that for each of these GPOs. (This will prevent the settings from applying to users who are of the "wrong" group.)
Finally, reboot the Terminal Server computer so that it enters Loopback Group Policy processing mode (which is only toggled on boot).
You should see the settings from each of these GPOs applying. The "Loopback GPO Processing and Common User Settings" user settings will apply no matter who logs on. The "TS-Users Settings" user settings will apply only when a member of the "TS-Users" group logs on, and the same will work for "TS-Managers".
That's a quick crash course in Loopback Group Policy processing and filtering of group policy application by security group. We do this all the time to do what you're describing. It might take a bit of study for you to wrap your mind around it, but give it a shot. A practical upside is that you can "simulate" this by using an OU with a Windows XP machine in it with "Remote Desktop" enabled so that you can stage the policies and test them (albeit one user at a time) until you're ready to link the GPOs to the real OU where your Terminal Server computer "lives".
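The same build-out scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the answer above. It assumes a management host with RSAT (these cmdlets do not exist on the Windows Server 2003 box in the question, where the GPMC steps above are the way to do it), and the OU distinguished names, the domain name and the "Replace" loopback mode are placeholders to adjust. The `UserPolicyMode` registry value is what the "User Group Policy loopback processing mode" policy writes (1 = Merge, 2 = Replace).

```powershell
# Added example: automates the answer's steps with the GroupPolicy and
# ActiveDirectory modules. OU paths and the domain are assumed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TsOu      = "OU=Terminal Servers,DC=example,DC=com"   # assumed: OU holding only the TS computer
$GroupsOu  = "OU=Groups,DC=example,DC=com"             # assumed: OU for the security groups
$CommonGpo = "Loopback GPO Processing and Common User Settings"
$Groups    = @{ "TS-Users" = "TS-Users Settings"; "TS-Managers" = "TS-Managers Settings" }
$AllGpos   = @($CommonGpo) + @($Groups.Values)

# Step 1: the two global security groups (idempotent).
foreach ($g in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupsOu
    }
}

# Step 2: the three GPOs, each linked to the terminal-server OU.
foreach ($name in $AllGpos) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name | Out-Null
    }
    New-GPLink -Name $name -Target $TsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Step 3: enable loopback processing in the common GPO (Computer Configuration side).
Set-GPRegistryValue -Name $CommonGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null    # 1 = Merge, 2 = Replace

# Step 4: security filtering on the two role GPOs.
foreach ($g in $Groups.Keys) {
    $gpo = $Groups[$g]
    # Remove the default "Authenticated Users" Read/Apply entry ...
    Set-GPPermission -Name $gpo -TargetName "Authenticated Users" -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
    # ... and grant Read + Apply Group Policy to the intended role group only.
    Set-GPPermission -Name $gpo -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Not in the original answer: on domains patched for MS16-072 the computer account
    # fetches user-side GPOs, so keep Read (not Apply) for computers or the filtered
    # GPOs silently stop applying. Harmless on older environments.
    Set-GPPermission -Name $gpo -TargetName "Domain Computers" -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

# Step 5: check the resulting ACLs before rebooting the terminal server.
foreach ($name in $AllGpos) {
    "== $name =="
    Get-GPPermission -Name $name -All |
        Where-Object { $_.Permission -ne 'None' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
        Format-Table -AutoSize
}
# Reboot the terminal server (loopback mode is picked up at boot), log on as a member
# of each group, and confirm with:  gpresult /scope user /r
```

The expected ACL listing shows "TS-Users Settings" with GpoApply for TS-Users only and "TS-Managers Settings" with GpoApply for TS-Managers only, while the common GPO keeps its default Authenticated Users entry so it applies to everyone who logs on, exactly as the answer describes.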