GPO doesn't work with Remote Desktop

Posted on 2004-03-26
Last Modified: 2010-04-13
I have created a GPO in AD on my W2k Server as follows:
OU=Terminal Services

I have also moved the Terminal server named "pam_dev" (non-DC) into this OU
The Group Policy was created using both Computer/User ADM Templates.

On "pam_dev" I also added the Group
On the security tab I also selected Read and Apply Group Policy for:
Authenticated Users
Terminal Server Users

What I need is this:
Users log into pam_dev using Remote Desktop; I only want them to have access to certain applications, which I already specified in the template, and a Log Off option only on the Start menu, which I also specified.

This is not working.... What am I not doing correctly, or what am I overlooking?????
I need to resolve this today!

Thanks so much.

Question by:kbergery

Expert Comment

ID: 10689974
I have solved it in this way:

Associate the GPO to the OU "Terminal Services".

Read + Apply the GPO for Everyone (so you never forget to put a user into the TSE group).
Deny "Apply Group Policy" for Domain Admins (so the Domain Admins are not affected by the GPO).

Attention! All users are restricted. Only Domain Admins can use all apps.

If you have associated all of this, run
secedit /refreshpolicy machine_policy /enforce
on the terminal server.

Accepted Solution

oBdA earned 500 total points
ID: 10692394
For policies to apply, the target object (user or computer) must reside in (or below) the OU in which the GPO is defined.
So if you have dedicated Terminal Server user accounts, make sure they're under the OU (it is *not* enough to make a user from another OU a member of a security group that is defined in the TS OU).

But using Terminal Services usually requires different settings depending on whether the user logs on to a Terminal Server session or on his desktop.
That's rather easy to do for the computer part, since it's actually two different machines; it's more complicated for the user part, since it's obviously always the same user logging on. If you need/want to have your user accounts in another OU, but still apply different policies for a user when he logs on to a Terminal Server, you need the loopback feature.

1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure settings other than the loopback feature! These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Group Policy" and "Read" rights for the default "Authenticated Users" and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers
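The two procedures described in this thread (the expert comment's "link the GPO to the TS OU and refresh policy" and the accepted answer's loopback GPO plus GPol<name> security-group filtering) as one added PowerShell example. This is not code from the original thread or from either poster; it uses the GroupPolicy and ActiveDirectory modules that ship with Windows Server 2008 R2 and later, not the Windows 2000 tools the question is about. The OU distinguished name, domain, GPO names, group name and the sample restricted application are assumptions.

```powershell
# Added example, not from the original thread. Requires the RSAT GroupPolicy and
# ActiveDirectory modules on a domain-joined admin workstation or DC.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$tsOu = 'OU=Terminal Services,DC=example,DC=local'   # assumed OU DN (the TS OU from the question)

# --- Step 1 (accepted answer): a GPO that carries ONLY the loopback setting ------------
$loop = New-GPO -Name 'Loopback' -Comment 'Loopback processing only; put no other settings here'
# Computer Configuration > Administrative Templates > System > Group Policy >
# "Configure user Group Policy loopback processing mode". UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# "Deactivate user configuration" on this GPO so it can never carry user settings by accident.
$loop.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $loop.DisplayName -Target $tsOu -LinkEnabled Yes | Out-Null

# --- Step 2 (accepted answer): the user-side restriction GPO, linked to the same OU ------
$tsUser = New-GPO -Name 'TS User Restrictions' -Comment 'User settings applied via loopback on TS'
$tsUser.GpoStatus = 'ComputerSettingsDisabled'     # "deactivate computer configuration"
# Representative user setting: "Run only specified Windows applications" (Explorer policy).
# The allowed list lives under Explorer\RestrictRun as string values named 1, 2, 3, ...
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $tsUser.DisplayName -Key $explorerKey `
    -ValueName 'RestrictRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $tsUser.DisplayName -Key "$explorerKey\RestrictRun" `
    -ValueName '1' -Type String -Value 'notepad.exe' | Out-Null   # assumed allowed application

# --- Security group filtering: GPol<GPO name>, as the accepted answer recommends ---------
$grpName = 'GPol' + ($tsUser.DisplayName -replace '\s', '')      # -> GPolTSUserRestrictions
New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security -Path $tsOu `
    -Description "Apply Group Policy for GPO '$($tsUser.DisplayName)'" | Out-Null
# Add-ADGroupMember -Identity $grpName -Members 'ts.user1','ts.user2'   # assumed TS user accounts

# Remove Read + Apply from Authenticated Users; grant them to the group instead.
# Administrators simply are not members of the group, so the GPO never applies to them
# (the accepted answer's alternative to an explicit Deny for Domain Admins).
Set-GPPermission -Name $tsUser.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $tsUser.DisplayName -TargetName $grpName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Caveat for current Windows (MS16-072, June 2016 and later): user policy is now read in the
# computer's security context, so the terminal server's computer account still needs Read
# on the GPO or the user settings will silently not apply after removing Authenticated Users.
Set-GPPermission -Name $tsUser.DisplayName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead | Out-Null

New-GPLink -Name $tsUser.DisplayName -Target $tsOu -LinkEnabled Yes | Out-Null

# --- Refresh and verify on the terminal server (modern equivalent of the expert comment's
#     "secedit /refreshpolicy machine_policy /enforce") ------------------------------------
# On the terminal server itself:   gpupdate /force
# Then, logged on as a TS user via Remote Desktop, confirm both GPOs were applied:
#   gpresult /r /scope:user      (shows "Applied Group Policy Objects" and loopback mode)
# Or from the admin workstation, assuming pam_dev is the terminal server from the question:
# Get-GPResultantSetOfPolicy -Computer 'pam_dev' -User 'example\ts.user1' `
#     -ReportType Html -Path "$env:TEMP\rsop-pam_dev.html"
```

The important check when troubleshooting the original symptom is the RSoP output: if the loopback GPO shows as applied under the computer section but the restriction GPO is missing from the user section, the cause is almost always the security filtering (the user is not in the GPol group, or the computer account lost Read), not the loopback setting itself.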
