Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


GPO don't work with remote desktop

Posted on 2004-03-26
Medium Priority
Last Modified: 2010-04-13
I have created a GPO in AD on my W2k Server as follows:
OU=Terminal Services

I have also moved the Terminal server named "pam_dev" (non-DC) into this OU
The Group Policy was created using both Computer/User ADM Templates.

On "pam_dev"  I also added the Group
On the securities tab I also selected the read and apply group on:
Authenticated users
Terminal Server user

What I need is this:
Users log into Pam_dev using remote desktop, I only want them to have access to certain applications which I already specified on the template.  Logoff option only on the start menu which I also specified.

This is not working....what am I not doing correctly or what am I overlooking?????
I need to resolve this today!

Thanks so much.

Question by:kbergery
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 10689974
i have solved it in this way:

associate the GPO to the OU Terminalservices

read+apply the GPO to everyone (so you never forget a user to put into TSE-Group)
deny "apply the GPO" for Domainadmins (so the Domain-Admin is not effected of the GPO)

Attention ! All user are restricted. Only Domain-Admins could use all apps.

If you have associated all, make a
secedit /refreshpolicy machine_policy /enforce
on the terminalserver
LVL 85

Accepted Solution

oBdA earned 2000 total points
ID: 10692394
For policies to apply, the target object (user or computer) must reside in (or below) the OU in which the GPO is defined.
So if you have dedicated Terminal Server user accounts, make sure they're under the OU  (it is *not* enough to make a user from another OU member of a security group that is defined in the TS OU).

But using Terminal Services usually requires different settings depending on whether the user logs on to a Terminal Server session or on his desktop.
That's rather easy to do for the computer part, since it's actually two different machines; it's more complicated for the user part, since it's obviously always the same user logging on. If you need/want to have your user accounts in another OU, but still apply different policies for a user he logs on to a Terminal Server, you need the loopback feature.

1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...

Loopback Processing of Group Policy

How to Apply Group Policy Objects to Terminal Services Servers

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
WooCommerce is becoming the most powerful e-commerce plugin for Wordpress. And why not. The platform comprises of numerous core plugins that may come in handy, powerful options to make your website development task much easier.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question