• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303
  • Last Modified:

GPO don't work with remote desktop

I have created a GPO in AD on my W2k Server as follows:
OU=Terminal Services

I have also moved the Terminal server named "pam_dev" (non-DC) into this OU
The Group Policy was created using both Computer/User ADM Templates.

On "pam_dev"  I also added the Group
On the securities tab I also selected the read and apply group on:
Authenticated users
Terminal Server user

What I need is this:
Users log into Pam_dev using remote desktop, I only want them to have access to certain applications which I already specified on the template.  Logoff option only on the start menu which I also specified.

This is not working....what am I not doing correctly or what am I overlooking?????
I need to resolve this today!

Thanks so much.

1 Solution
i have solved it in this way:

associate the GPO to the OU Terminalservices

read+apply the GPO to everyone (so you never forget a user to put into TSE-Group)
deny "apply the GPO" for Domainadmins (so the Domain-Admin is not effected of the GPO)

Attention ! All user are restricted. Only Domain-Admins could use all apps.

If you have associated all, make a
secedit /refreshpolicy machine_policy /enforce
on the terminalserver
For policies to apply, the target object (user or computer) must reside in (or below) the OU in which the GPO is defined.
So if you have dedicated Terminal Server user accounts, make sure they're under the OU  (it is *not* enough to make a user from another OU member of a security group that is defined in the TS OU).

But using Terminal Services usually requires different settings depending on whether the user logs on to a Terminal Server session or on his desktop.
That's rather easy to do for the computer part, since it's actually two different machines; it's more complicated for the user part, since it's obviously always the same user logging on. If you need/want to have your user accounts in another OU, but still apply different policies for a user he logs on to a Terminal Server, you need the loopback feature.

1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now