brownmetals

Proxy Settings via Group Policy for Remote Desktop Clients

Hi there.
I have a Windows 2008 R2 Standard server that will be hosting Remote Desktop sessions for 20 thin clients. The thin client machines are using the Remote Desktop Connection app to connect to the Windows 2008 RDS server to obtain their desktop. The user environment for each thin client is controlled by Group Policy on the domain controller (Windows 2008 SBS Premium). While all the other GPO settings seem to take effect, the proxy settings for Internet Explorer seem to be ignored. Here is the process I have used for attempting to apply the proxy settings to each Remote Desktop session.

On Windows 2008 SBS machine (Domain Controller).

Group Policy Object for thin clients > User Config > Policies > Windows Settings > Internet Explorer Maintenance > Connection / Proxy Settings > Enable Proxy Settings > IP Address and Port settings are entered.

C:\> gpupdate /force

Once this is completed, I complete the same command from the Windows 2008 R2 RDS Server, the machine that provides the desktop for each thin client. The thin client is then logged back on using RDP, but the proxy settings in the GPO do not seem to work.

What am I missing? Any other suggestions on how to best tackle this setting?

Thank you,
J
penguinjas

You need to enable loop back processing on the group policy you are using for user policies to work on user accounts logging into the server.
brownmetals

ASKER

I found that setting here:

   1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
   2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

I made that change, ran a gpupdate on the DC, a gpupdate on the RDS Server, logged the thin client off and back on again, and still no proxy settings.

Just to be sure... do I need to log off of the servers each time I perform a gpupdate, or is performing the gpupdate command enough to ensure the changes have taken effect?

Thanks,
J
So you set this below?

User Group Policy loopback processing mode Enabled  
Mode: Replace

And under the details TAB for "GPO Status" it says enabled?

And under Scope it says what under security filtering? I believe default is authenticated users.

And the server is in the OU where you applied this Group Policy?

Also, depending on how many DCs you have it may help to do a replication in Sites and Services. Not every change in AD is replicated immediately after you make it.
User Group Policy loopback processing mode Enabled   - YES
Mode: Replace - YES

And under the details TAB for "GPO Status" it says enabled? - YES

I have an OU called "Warehouse Users" which holds the GPO that I'm updating. Security filtering is set up for the "Warehouse Users Security Group" user group only. The thin client is logging on using a user that is a member of the "Warehouse Users Security Group." All of the settings are being applied correctly using this GPO except for the Proxy settings. I've even used the Group Policy Modeling Wizard to verify that this GPO is the only one being applied to this user group.

The Remote Desktop Server is contained in its own OU called "Remote Desktop Server." The DC is a SBS box on a small network, so there is no replication to other servers.

Any other suggestions? I appreciate the feedback.

Thanks,
J
This setting - User Group Policy loopback processing mode Enabled, is a computer configuration setting and needs to be set on the OU where the server exists, not the user.

In fact the entire GPO you are specifying should be linked to the OU with the server not the users.   By having the GPO somewhere else you may end up modifying settings for users in that group all the time, not just when they logon to the RDP server.
I have an OU called Warehouse Users. The GPO for setting all of the settings for these users is linked here. These users are exclusively RDS users (they have no other way to logon), so I always want to modify their settings when they log on to the RDS server.

I've tried moving my Warehouse OU contents to the same OU as the RDS Server. When I did that, the clients' settings did not take effect as expected. All of the settings I had disabled were enabled again under these circumstances.

When the RDS Server is in its own OU and the users are in their own OU, all of the settings work EXCEPT for being able to specify the Proxy Server in Internet Explorer. I guess I don't understand why all of the other settings would take effect, but the Proxy Settings won't. Can you provide a more detailed explanation as to why you believe the loopback processing is the answer? Is there additional info that also may be helpful?

Thanks,
J
ASKER CERTIFIED SOLUTION
penguinjas

This solution is only available to members.
After further troubleshooting and taking into account your suggestions, I'm still a little baffled by this setup. The only way I could get ALL GPO settings to apply was to put the RDS Server, the Security Group, and the Users ALL in a single OU. If the User is in an OU called Warehouse, and everything else is in an OU called RDS Server, the GPO settings do not take effect even when loopback processing is enabled. Being required to put the server, the groups, and the users ALL in a single OU to get this to work doesn't seem like that's the only way it should work.

I did find out that the Group Policy for our domain (Windows 2008 Small Business Server box) is running at a Windows 2003 Functional Level (this SBS 2008 box was migrated from SBS 2003). The RDS Server is a Windows 2008 R2 server. I'm wondering if the functional level or another limitation of SBS is preventing these settings from applying the way I'd expect them to if you separate any of the items out into its own OU. Any thoughts on the functional level or SBS limitations?

Thank you!
For question 1 - You should not need to move everything into the single OU.  Only the RDS server.  Blocking policy inheritance of the OU that contains the RDS server could help.  It really depends on what RSOP results are for the policy in question.    Also try adding the RDS server itself to the security filtering.

For Question 2 - I believe it will depend on what policy you are trying to implement. I know loop back is available but anything specific to R2 will not be available as a group policy setting.
The only way I've been able to get this to work is to put the RDS Server, the Security Groups, and the Users all in the same OU. Once I did that, all GPOs apply properly. In working with my consultant, we've come to the conclusion that this limitation is either due to the limitations of Small Business Server (my DC) or the fact that the Domain Function Level on the DC is Windows 2003 while the RDS Server (Win 2008 R2) is at Windows 2008 R2. At either rate, I'm willing to work with this workaround.

Thanks again for your input.
J
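
The checks this thread keeps returning to (whether loopback actually reached the RDS server, what proxy values the user session ended up with, and what RSoP reports) can be collected in one pass from inside an affected user's session on the RDS server. This is an added example, not something posted by either participant; it sticks to PowerShell 2.0 syntax for Windows Server 2008 R2, and the report file name is an assumption.

```powershell
# Added example: run on the RDS server inside a session of an affected user.

# 1. Loopback mode as the computer actually received it.
#    UserPolicyMode: 1 = Merge, 2 = Replace. If the value is missing, the
#    loopback setting never applied to this computer account.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode `
            -ErrorAction SilentlyContinue).UserPolicyMode
$loopback = switch ($mode) {
    1       { 'Merge' }
    2       { 'Replace' }
    default { 'Not configured on this computer' }
}

# 2. Proxy values Internet Explorer reads for the logged-on user.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue

# New-Object/Select-Object keeps this compatible with PowerShell 2.0.
New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    User         = "$env:USERDOMAIN\$env:USERNAME"
    LoopbackMode = $loopback
    ProxyEnable  = $ie.ProxyEnable
    ProxyServer  = $ie.ProxyServer
} | Select-Object Computer, User, LoopbackMode, ProxyEnable, ProxyServer |
    Format-List

# 3. Resultant Set of Policy for this user on this computer.
#    The summary lists applied GPOs and those filtered out, with the reason
#    (security filtering, disabled link, empty GPO).
gpresult /scope user /r

# Full HTML report; the file name is an assumption. Computer-side results
# are only included when the session is elevated.
$report = Join-Path $env:TEMP 'rsop-warehouse-user.html'
gpresult /h $report /f
Write-Output "RSoP report written to $report"
```

If LoopbackMode shows as not configured, the GPO carrying the Computer Configuration loopback setting is not reaching the RDS server's computer account, which is a linking or security-filtering question rather than a proxy one.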