Policies under terminal services


  • Policies under terminal services

    Morning all,

    I have a slight problem with policies in terminal services.

    Whatever user I log on with, no policy settings are applied. But if I log on to a normal workstation as a user which is in a policy, it works fine.

    Can anyone suggest anything to look at?

    Thanks
    Simon
    Kind Regards,
    Simon

  • #2
    Re: Policies under terminal services

    Sorry, Si_Pe, but I am not sure I understand.
    Can you please rephrase your question?

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.


    • #3
      Re: Policies under terminal services

      Hi, sorry,

      I have a user in an OU which has policy settings applied to it. When I log on to any of our terminal servers the user has full access and isn't locked down at all. But if I log the same user on to a workstation, the user is locked down as per the policy.

      Hope this is better

      Thanks!
      Kind Regards,
      Simon



      • #4
        Re: Policies under terminal services

        Hi, Simon.
        Now the picture is clearer.
        First, in every case where you need to debug a GPO issue, you should check the policies that are effective on the user, on the specific machine.
        To achieve this, you can use the gpresult command, or the RSOP snap-in for MMC.
        Having this, you can start solving the problem. From what you are saying, there might be some directions I would look in:
        - the servers have not refreshed the policies. Solution: run gpupdate /force at the command line of the servers;
        - the servers and the workstations are in different OUs, and the GPO is not linked to both of them. Solution: Link it;
        - the servers are somehow filtered out by a Security Filter setting. Solution: (will see about that).
        So, your homework for today:
        1. Run one of the methods mentioned above to see what is going on on the servers and workstations. Use gpresult > c:\policies.txt to save the output in a file. Compare the two files; you might be surprised to see they are not the same.
        2. Please give us a screenshot of your GPO setting (where it is linked and how). Erase details from the screenshot that you don't want public.

        Good luck.

        Sorin Solomon


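
The comparison suggested in post #4 (save the gpresult output on a terminal server and on a workstation, then compare the two files), sketched as an added example that is not part of any post in this thread. The two captures are constructed and assume the section headings gpresult prints on Windows XP / Server 2003; other versions may print different headings, and the GPO name "Start Menu Lockdown" is hypothetical.

```python
# Added example. Both captures are constructed (not output from the thread)
# and assume the gpresult layout of Windows XP / Server 2003; the GPO name
# "Start Menu Lockdown" is hypothetical.
WORKSTATION = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Start Menu Lockdown
"""
# Same user on the terminal server: the user-side GPO never arrived.
SERVER = WORKSTATION.replace("        Start Menu Lockdown\n", "")


def applied_gpos(capture):
    """Return {"COMPUTER"/"USER": set of applied GPO names} for one capture."""
    result, scope, in_list = {}, None, False
    for line in capture.splitlines():
        s = line.strip()
        if s in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, in_list = s.split()[0], False
            result[scope] = set()
        elif s == "Applied Group Policy Objects":
            in_list = scope is not None
        elif in_list:
            if not s:  # a blank line closes the list
                in_list = False
            elif s != "N/A" and set(s) != {"-"}:  # skip rule line / empty-list marker (assumed "N/A")
                result[scope].add(s)
    return result


def missing_on_server(server, workstation):
    """GPOs applied on the workstation but not on the server, per scope."""
    srv, wks = applied_gpos(server), applied_gpos(workstation)
    return {scope: sorted(names - srv.get(scope, set())) for scope, names in wks.items()}


if __name__ == "__main__":
    for scope, names in missing_on_server(SERVER, WORKSTATION).items():
        print(f"{scope}: missing on server -> {names or 'nothing'}")
```

A GPO that shows up under USER on the workstation but not on the server points at the server side (refresh, linking, filtering, or the server's ability to reach the domain) rather than at the user's OU.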


        • #5
          Re: Policies under terminal services

          Many thanks for your reply!

          I will get on the case now.

          Thanks
          Simon
          Kind Regards,
          Simon



          • #6
            Re: Policies under terminal services

            BTW, it would be nice if you could give us some background details about your environment:
            - what servers are you using? OS, not hardware;
            - what do you use as stations?

            Sorin Solomon




            • #7
              Re: Policies under terminal services

              Originally posted by sorinso View Post
              Hi, Simon.
              Now the picture is clearer.
              First, in every case where you need to debug a GPO issue, you should check the policies that are effective on the user, on the specific machine.
              To achieve this, you can use the gpresult command, or the RSOP snap-in for MMC.
              Having this, you can start solving the problem. From what you are saying, there might be some directions I would look in:
              - the servers have not refreshed the policies. Solution: run gpupdate /force at the command line of the servers;
              - the servers and the workstations are in different OUs, and the GPO is not linked to both of them. Solution: Link it;
              - the servers are somehow filtered out by a Security Filter setting. Solution: (will see about that).
              So, your homework for today:
              1. Run one of the methods mentioned above to see what is going on on the servers and workstations. Use gpresult > c:\policies.txt to save the output in a file. Compare the two files; you might be surprised to see they are not the same.
              2. Please give us a screenshot of your GPO setting (where it is linked and how). Erase details from the screenshot that you don't want public.

              Good luck.

              Hello,

              Sorry, I should have made it clear what O/S I am using.

              We are running 2k Advanced Server and a mixture of XP and 2k clients.

              Will secedit do the job for refreshing on the server side still?

              Thanks
              Si
              Kind Regards,
              Simon



              • #8
                Re: Policies under terminal services

                S**t!! I hate assuming so much!!

                Sorry.
                To refresh policies in Windows 2000 Server you need to run two commands:
                - secedit /refreshpolicy machine_policy to refresh the Computer Settings branch;
                - secedit /refreshpolicy user_policy to refresh the User Settings branch.

                I would use the /enforce parameter, to be certain it will read the policy again. Are you aware of the fact that not every setting in GPO will run on Windows 2000?

                Sorin Solomon




                • #9
                  Re: Policies under terminal services

                  Originally posted by sorinso View Post
                  S**t!! I hate assuming so much!!

                  Sorry.
                  To refresh policies in Windows 2000 Server you need to run two commands:
                  - secedit /refreshpolicy machine_policy to refresh the Computer Settings branch;
                  - secedit /refreshpolicy user_policy to refresh the User Settings branch.

                  I would use the /enforce parameter, to be certain it will read the policy again. Are you aware of the fact that not every setting in GPO will run on Windows 2000?

                  My fault. Wish we were in a 2003 domain!

                  We obviously don't have linked GPOs or anything. The user is in the OU that has the policy settings in.

                  Is there anything else?

                  Many thanks
                  Kind Regards,
                  Simon



                  • #10
                    Re: Policies under terminal services

                    Dear Simon,
                    Is there anything else?

                    OK, hold your horses. Let's go back to square one.
                    You have Windows 2000 Advanced servers (the number is irrelevant) running TS. Users are logging on from mixed Windows 2000 Professional and Windows XP workstations.
                    Somehow, when you log in to a server, a user has no limits at all. But when you log in with the same user to a workstation, it does.
                    OK till now?

                    Now, can you please tell us what you did? How did you define the Group Policy, where it is linked... you know, things like that.

                    Sorin Solomon




                    • #11
                      Re: Policies under terminal services

                      Originally posted by sorinso View Post
                      Dear Simon,
                      Is there anything else?

                      OK, hold your horses. Let's go back to square one.
                      You have Windows 2000 Advanced servers (the number is irrelevant) running TS. Users are logging on from mixed Windows 2000 Professional and Windows XP workstations.
                      Somehow, when you log in to a server, a user has no limits at all. But when you log in with the same user to a workstation, it does.
                      OK till now?

                      Now, can you please tell us what you did? How did you define the Group Policy, where it is linked... you know, things like that.

                      Word perfect!!

                      I created a new OU and a new user and a new policy for that OU. I have only added things like add Logoff to the Start menu and remove the Shutdown button. But when I log on to a client they are all OK, but not when I log on to the terminal server? All the policy settings were done for the user, not the computer? That's right, isn't it? That's what I have done for all the other policies, which work fine. Also, the user is only a member of Domain Users, nothing else.

                      Thanks for your help!
                      Last edited by Si_Pe; 24th January 2007, 17:01.
                      Kind Regards,
                      Simon



                      • #12
                        Re: Policies under terminal services

                        Can you please give us a schema of your AD? A drawing or a textual description...
                        Like in which OU the user is, where the stations are, where the servers are. To which OU have you linked the GPO?

                        Sorin Solomon




                        • #13
                          Re: Policies under terminal services

                          Hello all,

                          Just to let you know that I have fixed the issue that I was having and, as normal with policy and AD issues, it was a DNS issue.

                          Many thanks for your help!

                          Simon
                          Kind Regards,
                          Simon



                          • #14
                            Re: Policies under terminal services

                            Thank you for coming back and updating the forum.
                            And there's no "normal" in computers.

                            Sorin Solomon




                            • #15
                              Re: Policies under terminal services

                              It would be interesting to know, how did DNS cause the issue?
