Announcement

Collapse
No announcement yet.

Group policy not being applied

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Group policy not being applied

    Hi

    I have a terminal services server 2003 in an OU by itself but the lockdown policy applied to this OU isn't (or doesn't appear to be) being applied to the sererv against the computer settings when I log in from a PC remotely - the PC is not part of the domain. In fact NO settings are getting applied.

    I have no other poiclies applied anywhere except the deafult domain policy.

    I have been over and over the settings but can't figure out why.

    I have followed http://support.microsoft.com/kb/260370 method 2 as I would like to also restrict user settings - and applied settings from here
    http://support.microsoft.com/kb/278295.

    Any thoughts or advice how to check out why this is happening.

    The dc is 2003 and is sperate from the TS server.

    Thanks

  • #2
    Re: Group policy not being applied

    Please review:

    http://support.microsoft.com/default.aspx/kb/260370
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

    Comment


    • #3
      Re: Group policy not being applied

      Hi

      That is the document I have been working from - which I have referred to in my query and used method2

      Comment


      • #4
        Re: Group policy not being applied

        I have just tried adding a user to my OU that has the terminal services Server in it and the lockdown policy applied to it and the Group policy settings now seems to be applied.

        I don't really wish to put all the users who can use TS into this OU so how best to ensure that user logging on via TS users get the policy applied.

        any suggestions.

        thanks

        Comment


        • #5
          Re: Group policy not being applied

          I have now removed my test user from this Terminal services OU and going back to basics to find out why the loopback processing isn't working.

          I have now created a new GPO linked to the terminal services OU to just apply the loopback setting as Replace - what should my security filer setting under scope be - it defaults to authenticated users.

          Note my terminal server is in this OU.

          My user settings are now in a seperate GPO also linked to the terminal service OU - what should my security filter settings under scope be here - it too has defaulted to authenticated users.

          is all this coorrect as it doesn't seem to work.

          Comment


          • #6
            Re: Group policy not being applied

            The security filtering is OK. If you're using loopback processing on the TS OU then you don't need to link the users OU GPO to the TS OU (which won't work anyway). Loopback processing tells the GPO engine to use the user settings from the TS OU GPO instead of the GPO linked to the OU where the user object is.

            Try this: Unlink the users GPO from the TS OU. Set loopback mode to replace in the TS OU GPO. Set your lockdown settings in the user configuration section of the TS OU GPO.

            What settings do you have set for the computer and the user? What are you expecting to happen? Are you trying to lockdown the TS server so that when they make an RDP session to the sever their session is locked down?

            Comment


            • #7
              Re: Group policy not being applied

              Hi

              My Terminal servcices users gpo is only linked to my termninal services OU.

              I have a loopback GPO defined and linked to my terminal services OU that now only has the loopback setting enabled to Replace.

              In a seperate GPO in the terminal services ou I have followed http://support.microsoft.com/kb/278295 for lockdown settings
              and work ok if I add the user to the TS OU - but not if I don't -ie the loopback dosen't appear to be applying.

              Comment


              • #8
                Re: Group policy not being applied

                OK, let's break this down:

                1. How many GPO's are linked to the TS OU?

                2. Are your user lockdown settings in one of the GPO's linked to the TS OU?

                3. Is loopback policy processing enabled in the TS OU GPO that you have your user lockdown settings in?

                Comment


                • #9
                  Re: Group policy not being applied

                  Hi

                  1) There are 2 GPO's linked to the Terminals services OU (called loopback and lockdown)

                  2) Yes - the second (lockdown)

                  3) No - its in the first and the only computer setting

                  Comment


                  • #10
                    Re: Group policy not being applied

                    That's the problem then, if I'm not mistaken. The loopback setting has to be enabled in the GPO where the lockdown settings are.

                    Loopback processing says: "Use the user settings in the GPO where I'm enabled instead of the normal user settings".

                    What you have is one GPO with the lockdown settings and a different GPO with the loopback setting. Your loopback GPO is empty except for the loopback setting itself, so it has no user settings to apply. The policy where your loopback setting is enabled is the one that is trying to set the user settings, but your settings are in another GPO, which is not how loopback processing works.

                    You need to move the loopback setting to the lockdown GPO. After that it should work for you.

                    Comment


                    • #11
                      Re: Group policy not being applied

                      Hi

                      I will try that combination - but think I have already - and it didn't work so I followed http://technet.microsoft.com/en-us/l...27(WS.10).aspx which suggested using 2 GPO's

                      Will report back when I have retried

                      Thanks

                      Comment


                      • #12
                        Re: Group policy not being applied

                        Hmmm... I've never seen that article before. Let me know how my suggestion works.

                        Comment


                        • #13
                          Re: Group policy not being applied

                          That seems to work OK now for user settings but not computer settings

                          any suggestions?

                          Comment


                          • #14
                            Re: Group policy not being applied

                            There's no such thing as loopback policy processing for computer settings. Furthermore, computer settings aren't applied to users.

                            In any and every GPO there are two sets of settings: computer settings and user settings. Computer settings are applied to computers where the GPO is linked and user settings are applied to users where the GPO is linked. Loopback policy processing tells GP to apply the user settings from the GPO linked to the computer to apply to the user instead of or in addition to the users normal GPO settings from the GPO linked to where there user account is, but it still applies only user settings to users.

                            GP can be confusing, but in a nutshell:

                            1. Computer settings apply to computers

                            2. User settings apply to users

                            3. Loopback policy processing determines which USER settings get applied to the user.

                            4. Loopback policy processing is not applicable or relevant to computer settings

                            http://technet.microsoft.com/en-us/l...10(WS.10).aspx

                            Comment

                            Working...
                            X