Announcement

Collapse
No announcement yet.

GPO applied but not taking effect

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO applied but not taking effect

    I am testing Terminal server HOST (RDS 2012).
    Particularly, LOCKDOWN settings for Remote Users.
    Found nice article with the list of settings to apply and clear description.
    So first thing: Loopback is enabled. Then configured the stuff like no access to CP, hide C: drive and etc...

    GPO is properly applied - checked when user is logged in to the TS. User config part shows LOCKDOWN_policyname. That for me means Loopback applied user settings of User part of GPO applied on OU where TS servers resides.

    Then checked Resultant in GPMC. No errors, everything looks nice but no effect on logged in user. When logged in can access CP and see restricted drives.

    What I could miss?...

    Thanks.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Have you tried running 'gpudate /force' and then rebooting the TS server and trying the user login again?
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      Sure, did it 26 times
      See a screen shot. Looks like LOOPBACK policy does a perfect job GPRESULT -R
      on left: domain user on local computer
      on right: the same user connected to RDSH server.
      Loopback is in Replace mode.
      RDS Server LockDOWN GPO applied to RDSH server appears in User Settings part.
      Local OS is Windows 7 (French). Remote Session to Server 2012 R2 En.
      The GPO is applied to Terminal Server HOST (RDS2012 R2) OU. It includes User Settings that should be applied to Users by LOOPBACK setting.
      For me the fact that I can see the GPO in the Applied list of User Settings means that it is applied.
      Am I the first in the world with no settings applied when GPO is applied . Weird...
      Attached Files
      Last edited by mla; 7th October 2015, 22:07. Reason: added attachment
      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

      Comment


      • #4
        the problem found....
        There is one GPO that appears corrupted. This GPO has tons of settings and generally does the job (it is critical for organization).
        It's not me who is responsible for it. So I didn't want to touch it at all.
        And I clearly saw that my GPO is applied....
        Brief, I found that one corrupted GPO can prevent others to take effect...
        Here is the error by GPO SID I know now what is this. I temporary disabled it ... and bingo...
        **************************************************
        Microsoft Windows [Version 6.3.9600]
        (c) 2013 Microsoft Corporation. All rights reserved.
        C:\Windows\system32>gpupdate /force
        Updating policy...
        Computer Policy update has completed successfully.
        User Policy could not be updated successfully. The following errors were encount
        ered:
        The processing of Group Policy failed. Windows could not apply the registry-base
        d policy settings for the Group Policy object LDAP://CN=User,cn={DD0BC53F-5DEC-4
        247-B308-56445BF44BAB},cn=policies,cn=system,DC=xxxxxxx,DC= xxxxx,DC
        =xx,DC=xx. Group Policy settings will not be resolved until this event is resolv
        ed. View the event details for more information on the file name and path that c
        aused the failure.
        To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
        rom the command line to access information about Group Policy results.
        C:\Windows\system32>^A
        "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

        Comment


        • #5
          Glad to see you found it, and thanks for letting the world know.
          *RicklesP*
          MSCA (2003/XP), Security+, CCNA

          ** Remember: credit where credit is due, and reputation points as appropriate **

          Comment

          Working...
          X