  • Status: Solved

Why can't I get group policy to work in a cluster???????????

This is what I have done:
1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure other settings than the loopback feature! These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...
0
Asked by: kbergery
 
jdeclueCommented:
Couple of questions first.

Your question is regarding a Cluster? You are running Terminal Services on the Cluster?

As far as GPO, you think everything is set up properly but it does not affect the users when logging into Terminal Services?

What does happen, the user account receives the GPO from their OU but does not change the GPO when they log in to the Terminal Services?

There is no GPO applied?

Try to explain a bit more.

This is supposed to work. You create a single GPO (Computer Configuration) and set it to Loopback Enabled. Then you would select either Merge or Replace. After that is created you create a GPO in the same container (OU)
0
 
kbergeryAuthor Commented:
Hey,
Thank you so very much for getting back to me....I need to have this done today.
OK....
It is a Veritas Cluster Config, Yes they login thru TS....what they see is everything you would as if you logged into the box.  For instance, I want to disable "shutdown" option but it's still on the start menu.  Therefore, I don't think it's applying and I can't figure out why for the life of me.  
0
 
jdeclueCommented:
Ok, on the OU that the Terminal Server is in, you have created a Computer Configuration GPO that has the Administrative Template for Loopback set to Merge or Replace?

J
0
 
kbergeryAuthor Commented:
Yes...the following:
TS_Cluster = OU
Group Policy
Loopback - no override
RDP - no override

Within the OU I created a group for users in which the GP is applied to, also Loquat and mulberry (servers in cluster)

The cluster name is "currant"  
I've tested logging into TS using "currant", then I tried the individual boxes, and it still doesn't work.
0
 
jdeclueCommented:
When you set the Loopback policy to enable, you had a choice of Merge or Replace, which one did you choose?
0
 
kbergeryAuthor Commented:
Replace
0
 
jdeclueCommented:
Go to the server and run gpresults from the command prompt. Please post the results here.

J
0
 
jdeclueCommented:
sorry that is "gpresult" no s.

J
0
 
kbergeryAuthor Commented:
Created on Tuesday, August 17, 2004 at 2:41:22 PM


Operating System Information:

Operating System Type:          Server
Operating System Version:       5.0.2195.Service Pack 4
Terminal Server Mode:           Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:        C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

        FARMCREDIT\Domain Admins
        \Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        \LOCAL
        FARMCREDIT\HR
        FARMCREDIT\Group Policy Creator Owners
        FARMCREDIT\students
        FARMCREDIT\Enterprise Admins
        FARMCREDIT\helpadmin
        FARMCREDIT\Schema Admins
        FARMCREDIT\helpdesk
        FARMCREDIT\developers
        FARMCREDIT\installers
        FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,CN=Computers,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        FARMCREDIT\MULBERRY$
        FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, August 17, 2004 at 2:25:
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
 
kbergeryAuthor Commented:
Hey
Disregard that...I'll resend
0
 
jdeclueCommented:
Go to the command prompt and type "secedit /?", then follow the instructions to force computer and user policies on your machine. Only default policy has been applied.

J
0
 
jdeclueCommented:
ok
0
 
kbergeryAuthor Commented:
Hey
I ran secedit /refreshpolicy machine_policy /enforce
and still the same results
0
 
kbergeryAuthor Commented:
wait....it looks like it sees the loopback

Created on Tuesday, August 17, 2004 at 2:41:22 PM


Operating System Information:

Operating System Type:          Server
Operating System Version:       5.0.2195.Service Pack 4
Terminal Server Mode:           Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:        C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

        FARMCREDIT\Domain Admins
        \Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        \LOCAL
        FARMCREDIT\HR
        FARMCREDIT\Group Policy Creator Owners
        FARMCREDIT\students
        FARMCREDIT\Enterprise Admins
        FARMCREDIT\helpadmin
        FARMCREDIT\Schema Admins
        FARMCREDIT\helpdesk
        FARMCREDIT\developers
        FARMCREDIT\installers
        FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,CN=Computers,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        FARMCREDIT\MULBERRY$
        FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, August 17, 2004 at 2:25:
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
 
kbergeryAuthor Commented:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Tuesday, August 17, 2004 at 3:28:20 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

      FARMCREDIT\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      FARMCREDIT\HR
      FARMCREDIT\Group Policy Creator Owners
      FARMCREDIT\students
      FARMCREDIT\Enterprise Admins
      FARMCREDIT\helpadmin
      FARMCREDIT\Schema Admins
      FARMCREDIT\helpdesk
      FARMCREDIT\developers
      FARMCREDIT\installers
      FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53:20 PM



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, August 17, 2004 at 3:18:21 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
0
 
jdeclueCommented:
There we go... now log in as a user through terminal services and run gpresult to see if you get policy; if not, run secedit again for user policy.

J
0
 
kbergeryAuthor Commented:
Hey,
No, it didn't work!  I think this is using the default domain GP, not RDP (the GP I created).
0
 
jdeclueCommented:
OK... it did get the loopback Group Policy on the Computer, that is important. When you ran GPRESULT, were you logged into the Server itself, or were you logged into a terminal server session with an account that has the RDP Group Policy applied?

According to the first couple of GPRESULTS, the loopback GP was not applied, but the last one had the loopback policy listed. We are getting close. ;)

J
0
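An added example, not part of the original thread: a small Python parser for the Windows 2000 gpresult text layout posted above, which reports the GPOs a computer or user was expected to receive but did not, the comparison made by eye in the reply above. The sample reports and the names `parse_gpresult` and `missing_gpos` are constructed for illustration, and the `The user received ...` line is assumed to mirror the computer form shown in the thread.

```python
import re

# Constructed samples in the Windows 2000 gpresult layout posted in this thread.
BEFORE = """\
  Computer Group Policy results for:

  CN=TS1,CN=Computers,DC=example,DC=com

The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy

===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
"""
# Same report after the computer is moved into the OU and the Loopback GPO is linked.
AFTER = BEFORE.replace("CN=Computers", "OU=TS_Cluster").replace(
    "Default Domain Policy\n\n===", "Default Domain Policy\n        Loopback\n\n===", 1)
USER_FAIL = """\
  User Group Policy results for:

  CN=Test User,CN=Users,DC=example,DC=com

###############################################################

Failed to open key with 2
"""

# The "user" alternative is an assumption; the thread only shows the computer form.
HEADER = re.compile(r'The (computer|user) received "(.+?)" settings from these GPOs:')
SUBJECT = re.compile(r'(User|Computer) Group Policy results for:')

def parse_gpresult(text):
    """Parse gpresult text into subject DNs, applied GPOs per scope, and errors."""
    report = {"dn": {}, "applied": {"computer": {}, "user": {}}, "errors": []}
    current = None   # GPO list currently being filled, or None
    want_dn = None   # scope whose DN is expected on the next non-blank line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if want_dn:
            report["dn"][want_dn], want_dn = line, None
            continue
        m = SUBJECT.search(line)
        if m:
            want_dn, current = m.group(1).lower(), None
            continue
        m = HEADER.search(line)
        if m:
            current = report["applied"][m.group(1)].setdefault(m.group(2), [])
        elif line.startswith("Failed to open key"):
            report["errors"].append(line)
            current = None
        elif current is not None and raw[:1].isspace():
            current.append(line)   # indented line inside a GPO list
        else:
            current = None         # separator or unrelated text ends the list
    return report

def missing_gpos(report, expected):
    """expected maps scope -> GPO names that should apply; returns the absent ones."""
    result = {}
    for scope, names in expected.items():
        got = {g for gpos in report["applied"][scope].values() for g in gpos}
        result[scope] = sorted(set(names) - got)
    return result
```

A GPO that shows up as missing for a scope is worth checking for a missing link on the OU before looking at security filtering.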
 
kbergeryAuthor Commented:
Hi,
GPRESULT was done on the server
0
 
jdeclueCommented:
Try logging in with Terminal Server; use an account which should have the Group Policy applied and then run GPRESULT as that user.

J
0
 
kbergeryAuthor Commented:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 3:12:21 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=Test User2,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\tuser2

  The user is a member of the following security groups:



###############################################################

Failed to open key with 2


0
 
jdeclueCommented:
Ok login as a domain admin into the session and do the same thing, does that give you results?

J
0
 
kbergeryAuthor Commented:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 3:30:02 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

      FARMCREDIT\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      FARMCREDIT\HR
      FARMCREDIT\Group Policy Creator Owners
      FARMCREDIT\students
      FARMCREDIT\Enterprise Admins
      FARMCREDIT\helpadmin
      FARMCREDIT\Schema Admins
      FARMCREDIT\helpdesk
      FARMCREDIT\developers
      FARMCREDIT\installers
      FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53:20 PM



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Thursday, August 19, 2004 at 3:16:21 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
0
 
jdeclueCommented:
Sorry, the domain admin account must be in the OU with all of the other users... know what I mean? So you need to create a new user, or grant the other one you tried earlier domain admin rights.

J
0
 
jdeclueCommented:
And... Loopback isn't there anymore?

0
 
kbergeryAuthor Commented:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 4:04:22 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Thursday, August 19, 2004 at 3:59:59 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 4:04:11 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=Test User2,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\tuser2

  The user is a member of the following security groups:



###############################################################

Failed to open key with 2



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Thursday, August 19, 2004 at 3:59:59 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
0
 
jdeclueCommented:
Ok, So Loopback is working when the user logs in, but there is no User policy being applied, what do you think?

J
0
 
kbergeryAuthor Commented:
Hey,
what I did to make the loopback work was link it....(I'm sorry that was my error)

I don't know what to think...my brain is so fried!  I guess I'm going to read some more documentation maybe I missed something.  
0
 
jdeclueCommented:
Are you using Group Policy Management from the Windows 2003 Administrative Pack?

J
0
 
kbergeryAuthor Commented:
No...I'm using Windows 2000
0
 
jdeclueCommented:
OK... that is odd, the linking... my brain is fried too, come back when you are ready to try more stuff!

J
0
 
kbergeryAuthor Commented:
I'll be back tomorrow
0
 
jdeclueCommented:
Could you please give us an update as to the question, and/or close it please. Thank You ;)

J
0
 
kbergeryAuthor Commented:
Hey,
I ended up calling Microsoft support yesterday, I don't know what I was thinking but I didn't link the "RDP" policy (gplink) then refresh the policy.  I just did it for the "loopback"!  Thank you very much for your help!!!!
0
 
jdeclueCommented:
No problem, I am glad it worked out. Take Care.

J
0
