GPO doesn't work with remote desktop

Posted on 2004-03-26
Last Modified: 2010-04-13
I have created a GPO in AD on my W2k Server as follows:
OU=Terminal Services

I have also moved the Terminal server named "pam_dev" (non-DC) into this OU
The Group Policy was created using both Computer/User ADM Templates.

On "pam_dev" I also added the group.
On the security tab I also selected read and apply for:
Authenticated Users
Terminal Server User

What I need is this:
Users log into pam_dev using Remote Desktop; I only want them to have access to certain applications, which I already specified in the template, and a Logoff option only on the Start menu, which I also specified.

This is not working. What am I not doing correctly, or what am I overlooking?
I need to resolve this today!

Thanks so much.

Question by:kbergery

Expert Comment

ID: 10689974
I have solved it this way:

Associate the GPO with the OU Terminal Services.

Read+apply the GPO for Everyone (so you never forget to put a user into the TSE group).
Deny "Apply the GPO" for Domain Admins (so the Domain Admin is not affected by the GPO).

Attention! All users are restricted. Only Domain Admins can use all apps.

Once you have associated everything, run
secedit /refreshpolicy machine_policy /enforce
on the terminal server.

Accepted Solution

oBdA earned 500 total points
ID: 10692394
For policies to apply, the target object (user or computer) must reside in (or below) the OU in which the GPO is defined.
So if you have dedicated Terminal Server user accounts, make sure they're under the OU (it is *not* enough to make a user from another OU a member of a security group that is defined in the TS OU).

But using Terminal Services usually requires different settings depending on whether the user logs on to a Terminal Server session or on his desktop.
That's rather easy to do for the computer part, since it's actually two different machines; it's more complicated for the user part, since it's obviously always the same user logging on. If you need/want to have your user accounts in another OU, but still apply different policies to a user when he logs on to a Terminal Server, you need the loopback feature.

1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" rights for the default "Authenticated Users" and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers
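The procedure described in both expert posts (a computer-side loopback GPO, a separate user-side GPO in the TS OU, one security group per GPO for filtering, then a policy refresh on the terminal server), as an added PowerShell example; it is not part of the original thread and is not oBdA's, the first commenter's or the asker's code. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later, rather than the Windows 2000 MMC the 2004 thread used) and WinRM access to pam_dev; the OU path, domain, group name, GPO names and allowed-application list are assumptions, and the RestrictRun list stands in for the application template the asker already built. One caveat a practitioner should add to the "remove Read for Authenticated Users" advice: since MS16-072 (June 2016), user policy is read in the computer's security context, so keep Read for Authenticated Users (or Domain Computers) and remove only Apply, otherwise the GPO silently stops applying.

```powershell
# Added example (not from the original thread): builds the loopback GPO, the
# filtered user GPO and the per-GPO security group described above.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT / 2008 R2+).
#Requires -Modules GroupPolicy, ActiveDirectory

$TsOU   = 'OU=Terminal Services,DC=corp,DC=example'   # assumption: the TS OU's DN
$TsHost = 'pam_dev'                                    # the terminal server from the question

function Ensure-GPLink([string]$GpoName, [string]$Target) {
    # Link the GPO to the OU only if no link with that name exists yet (idempotent).
    $links = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $GpoName
    if (-not $links) { New-GPLink -Name $GpoName -Target $Target | Out-Null }
}

# 1. The loopback GPO: computer side only, and it carries nothing but the loopback setting.
$loop = Get-GPO -Name 'Loopback' -ErrorAction SilentlyContinue
if (-not $loop) { $loop = New-GPO -Name 'Loopback' -Comment 'User loopback for TS hosts; no other settings' }
$loop.GpoStatus = 'UserSettingsDisabled'     # the "deactivate user configuration" checkbox
# Computer Configuration > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode".  Registry backing: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $loop.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
Ensure-GPLink -GpoName $loop.DisplayName -Target $TsOU

# 2. The user-restriction GPO: user side only, also linked to the TS OU.  Because of the
#    loopback GPO it applies to every user who logs on to a TS host, wherever the user object lives.
$name = 'TS User Restrictions'                # assumption: GPO name
$gpo  = Get-GPO -Name $name -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $name }
$gpo.GpoStatus = 'ComputerSettingsDisabled'  # the "deactivate computer configuration" checkbox
# Example user restriction: User Configuration > Administrative Templates > System >
# "Run only specified Windows applications" (RestrictRun=1 plus a RestrictRun\<n> list of exe names).
$expKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $name -Key $expKey -ValueName 'RestrictRun' -Type DWord -Value 1 | Out-Null
$allowed = @('notepad.exe', 'calc.exe')      # constructed list; replace with the real application set
$i = 1
foreach ($exe in $allowed) {
    Set-GPRegistryValue -Name $name -Key "$expKey\RestrictRun" -ValueName "$i" -Type String -Value $exe | Out-Null
    $i++
}
Ensure-GPLink -GpoName $name -Target $TsOU

# 3. Security filtering as oBdA recommends: one global group per GPO (GPol<GPO name>) gets Apply,
#    Authenticated Users loses Apply.  Read is kept for Authenticated Users on purpose: after
#    MS16-072 the computer account reads user GPOs, and without Read the GPO never applies.
$grp = 'GPolTSUserRestrictions'              # assumption: group name
if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
    New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security -Path $TsOU `
        -Description "Apply rights for GPO '$name'" | Out-Null
}
Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null              # Apply removed, Read kept
Set-GPPermission -Name $name -TargetName $grp -TargetType Group -PermissionLevel GpoApply | Out-Null
# Add-ADGroupMember -Identity $grp -Members 'ts.user1','ts.user2'   # users to lock down;
#   Domain Admins are simply not members, so they keep the full desktop (no Deny ACE needed).

# 4. Refresh on the terminal server (the current form of "secedit /refreshpolicy machine_policy")
#    and verify the resulting policy for a test user.  Assumes WinRM is enabled on pam_dev.
Invoke-Command -ComputerName $TsHost -ScriptBlock { gpupdate /force /target:computer | Out-Null }
# Inside a test RDP session:      gpresult /r /scope:user
# From the admin workstation:     (shows which GPOs won for the user on the TS host)
Get-GPResultantSetOfPolicy -Computer $TsHost -User 'ts.user1' -ReportType Html -Path .\rsop-pam_dev.html
```

The RSoP report is the check to run first when a TS policy "does not work": if the Loopback GPO is absent from the computer section, the machine is not under the OU or the link is missing; if it is present but the user GPO is listed as "Denied (Security)", the user is not in the GPol group or Read was stripped from Authenticated Users.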
