Solved

Why can't I get group policy to work in a cluster???????????

Posted on 2004-08-16
Last Modified: 2013-11-15
This is what I have done:
1. Create a new GPO in your Terminal Server OU, named, for example, "Loopback"; check "deactivate userdefined configuration" (I'm not sure about the English name of that entry) in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - Activate Loopback mode for group policies (or similar; as I said, I don't use an English version, so check out the explanation tab if unsure). Set the mode to replace (or merge, whatever suits you better). You can leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "deactivate computer configuration" in those. Important: Do *not* use the "Loopback" GPO to configure settings other than the loopback feature! These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to *all* users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" rights for the default "Authenticated Users", and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...
0
Question by:kbergery
 
LVL 9

Expert Comment

by:jdeclue
ID: 11820278
Couple of questions first.

Your question is regarding a Cluster? You are running Terminal Services on the Cluster?

As far as GPO, you think everything is set up properly but it does not affect the users when logging into Terminal Services?

What does happen, the user account receives the GPO from their OU but does not change the GPO when they log in to the Terminal Services?

There is no GPO applied?

Try to explain a bit more.

This is supposed to work. You create a single GPO (Computer Configuration) and set it to Loopback Enabled. Then you would select either Merge or Replace. After that is created you create a GPO in the same container (OU)
0
 

Author Comment

by:kbergery
ID: 11822047
Hey,
Thank you so very much for getting back to me....I need to have this done today.
OK....
It is a Veritas Cluster Config, Yes they login thru TS....what they see is everything you would as if you logged into the box.  For instance, I want to disable "shutdown" option but it's still on the start menu.  Therefore, I don't think it's applying and I can't figure out why for the life of me.  
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11822240
OK, on the OU that the Terminal Server is in, you have created a Computer Configuration GPO that has the Administrative Template for Loopback set to Merge or Replace?

J
0
 

Author Comment

by:kbergery
ID: 11822318
Yes...the following:
TS_Cluster = OU
Group Policy
Loopback - no override
RDP - no override

Within the OU I created a group for users in which the GP is applied to also Loquat and mulberry (servers in cluster)

The cluster name is "currant"  
I've tested logging into TS using "currant" then I tried the individual boxes and it still doesn't work.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11822341
When you set the Loopback policy to enable, you had a choice of Merge or Replace, which one did you choose?
0
 

Author Comment

by:kbergery
ID: 11822393
Replace
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11823549
Go to the server and run gpresults from the command prompt. Please post the results here.

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11823559
sorry that is "gpresult" no s.

J
0
 

Author Comment

by:kbergery
ID: 11823868
Created on Tuesday, August 17, 2004 at 2:41:22 PM


Operating System Information:

Operating System Type:          Server
Operating System Version:       5.0.2195.Service Pack 4
Terminal Server Mode:           Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:        C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

        FARMCREDIT\Domain Admins
        \Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        \LOCAL
        FARMCREDIT\HR
        FARMCREDIT\Group Policy Creator Owners
        FARMCREDIT\students
        FARMCREDIT\Enterprise Admins
        FARMCREDIT\helpadmin
        FARMCREDIT\Schema Admins
        FARMCREDIT\helpdesk
        FARMCREDIT\developers
        FARMCREDIT\installers
        FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,CN=Computers,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        FARMCREDIT\MULBERRY$
        FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, August 17, 2004 at 2:25:
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
 

Author Comment

by:kbergery
ID: 11823910
Hey
Disregard that...I'll resend
0
 
LVL 9

Accepted Solution

by:
jdeclue earned 500 total points
ID: 11823918
Go to the command prompt and type "secedit /?", then follow the instructions to force computer and user policies on your machine. Only default policy has been applied.

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11823920
ok
0
 

Author Comment

by:kbergery
ID: 11824206
Hey
I ran secedit /refreshpolicy machine_policy /enforce
and still the same results
0
 

Author Comment

by:kbergery
ID: 11824260
wait....it looks like it sees the loopback

Created on Tuesday, August 17, 2004 at 2:41:22 PM


Operating System Information:

Operating System Type:          Server
Operating System Version:       5.0.2195.Service Pack 4
Terminal Server Mode:           Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:        C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

        FARMCREDIT\Domain Admins
        \Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        \LOCAL
        FARMCREDIT\HR
        FARMCREDIT\Group Policy Creator Owners
        FARMCREDIT\students
        FARMCREDIT\Enterprise Admins
        FARMCREDIT\helpadmin
        FARMCREDIT\Schema Admins
        FARMCREDIT\helpdesk
        FARMCREDIT\developers
        FARMCREDIT\installers
        FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,CN=Computers,DC=farmcredit-ffcb,DC=com

  Domain Name:          FARMCREDIT
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        FARMCREDIT\MULBERRY$
        FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, August 17, 2004 at 2:25:
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

        Local Group Policy
        Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
0
 

Author Comment

by:kbergery
ID: 11824328
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Tuesday, August 17, 2004 at 3:28:20 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

      FARMCREDIT\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      FARMCREDIT\HR
      FARMCREDIT\Group Policy Creator Owners
      FARMCREDIT\students
      FARMCREDIT\Enterprise Admins
      FARMCREDIT\helpadmin
      FARMCREDIT\Schema Admins
      FARMCREDIT\helpdesk
      FARMCREDIT\developers
      FARMCREDIT\installers
      FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53:20 PM



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Tuesday, August 17, 2004 at 3:18:21 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11824484
There we go... now log in as a user through terminal services and run gpresult to see if you get policy; if not, run secedit again for user policy

J
0
 

Author Comment

by:kbergery
ID: 11824782
Hey,
No, it didn't work!  I think this is using the default domain GP, not RDP (the GP I created)
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11829454
OK... it did get the loopback Group Policy on the Computer, that is important. When you ran GPRESULT, were you logged into the Server itself, or were you logged into a terminal server session with an account that has the RDP Group Policy applied?

According to the first couple of GPRESULTS, the loopback GP was not applied, but the last one had the loopback policy listed. We are getting close. ;)

J
0
 

Author Comment

by:kbergery
ID: 11843035
Hi,
GPRESULT was done on the server
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11843224
Try logging in with Terminal Server, use an account which should have the Group Policy applied and then run GPRESULT as that user.

J
0
 

Author Comment

by:kbergery
ID: 11845153
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 3:12:21 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=Test User2,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\tuser2

  The user is a member of the following security groups:



###############################################################

Failed to open key with 2


0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11845233
OK, log in as a domain admin into the session and do the same thing; does that give you results?

J
0
 

Author Comment

by:kbergery
ID: 11845303
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 3:30:02 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=ffcblcl,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\ffcblcl

  The user is a member of the following security groups:

      FARMCREDIT\Domain Admins
      \Everyone
      BUILTIN\Administrators
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      FARMCREDIT\HR
      FARMCREDIT\Group Policy Creator Owners
      FARMCREDIT\students
      FARMCREDIT\Enterprise Admins
      FARMCREDIT\helpadmin
      FARMCREDIT\Schema Admins
      FARMCREDIT\helpdesk
      FARMCREDIT\developers
      FARMCREDIT\installers
      FARMCREDIT\Domain Users


###############################################################

Last time Group Policy was applied: Friday, December 05, 2003 at 2:53:20 PM



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Thursday, August 19, 2004 at 3:16:21 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11845344
Sorry, the domain admin account must be in the OU with all of the other users... know what I mean? So you need to create a new user, or grant the other one you tried earlier domain admin rights.

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11845363
And... Loopback isn't there anymore?

0
 

Author Comment

by:kbergery
ID: 11845702
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 4:04:22 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Thursday, August 19, 2004 at 3:59:59 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 19, 2004 at 4:04:11 PM


Operating System Information:

Operating System Type:            Server
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Application Server

###############################################################

  User Group Policy results for:

  CN=Test User2,CN=Users,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:      C:\Documents and Settings\tuser2

  The user is a member of the following security groups:



###############################################################

Failed to open key with 2



###############################################################

  Computer Group Policy results for:

  CN=MULBERRY,OU=TS_Cluster,DC=farmcredit-ffcb,DC=com

  Domain Name:            FARMCREDIT
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      FARMCREDIT\MULBERRY$
      FARMCREDIT\Domain Computers

###############################################################

Last time Group Policy was applied: Thursday, August 19, 2004 at 3:59:59 PM
Group Policy was applied from: GOOSEBERRY.farmcredit-ffcb.com


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
      Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11845923
Ok, So Loopback is working when the user logs in, but there is no User policy being applied, what do you think?

J
0
 

Author Comment

by:kbergery
ID: 11846133
Hey,
what I did to make the loopback work was link it....(I'm sorry that was my error)

I don't know what to think...my brain is so fried!  I guess I'm going to read some more documentation maybe I missed something.  
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11846231
Are you using Group Policy Management from the Windows 2003 Administrative Pack?

J
0
 

Author Comment

by:kbergery
ID: 11846262
No...I'm using Windows 2000
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11846297
OK... that is odd, the linking... my brain is fried too, come back when you are ready to try more stuff!

J
0
 

Author Comment

by:kbergery
ID: 11846347
I'll be back tomorrow
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11911897
Could you please give us an update as to the question, and/or close it please. Thank You ;)

J
0
 

Author Comment

by:kbergery
ID: 11913267
Hey,
I ended up calling Microsoft support yesterday, I don't know what I was thinking but I didn't link the "RDP" policy (gplink) then refresh the policy.  I just did it for the "loopback"!  Thank you very much for your help!!!!
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11913699
No problem, I am glad it worked out. Take Care.

J
0
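
The check this thread performs by eye on each gpresult paste, as an added example that is not part of the original thread or of any Microsoft tool: a Python parser for the Windows 2000 gpresult text layout that reports why an expected GPO is not in effect. The sample outputs are constructed (TS01 and example.com are placeholders), and the wording of a "user received" line is an assumption made by analogy with the computer lines shown above.

```python
import re

# Constructed samples in the Windows 2000 gpresult layout posted in the thread.
# TS01 and example.com are placeholders; OU and GPO names follow the thread.
BEFORE = """\
###############################################################
  Computer Group Policy results for:
  CN=TS01,CN=Computers,DC=example,DC=com
===============================================================
The computer received "Registry" settings from these GPOs:

        Local Group Policy
        Default Domain Policy
"""
AFTER = """\
###############################################################
  User Group Policy results for:
  CN=Test User,CN=Users,DC=example,DC=com
###############################################################
  Computer Group Policy results for:
  CN=TS01,OU=TS_Cluster,DC=example,DC=com
===============================================================
The computer received "Registry" settings from these GPOs:

      Local Group Policy
      Default Domain Policy
      Loopback
"""

SUBJECT = re.compile(r"(User|Computer) Group Policy results for:$")
# Assumption: user-side lists use the same wording as the computer lines.
RECEIVED = re.compile(r'The (user|computer) received "[^"]+" settings from these GPOs:$')

def parse_gpresult(text):
    """Return {'dn': {scope: DN}, 'gpos': {scope: set of GPO names}}."""
    report, mode = {"dn": {}, "gpos": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        subject, received = SUBJECT.match(line), RECEIVED.match(line)
        if subject:
            mode = ("dn", subject.group(1).lower())
        elif received:
            mode = ("gpos", received.group(1))
            report["gpos"].setdefault(mode[1], set())
        elif mode and mode[0] == "dn":      # first text after the heading
            report["dn"][mode[1]] = line
            mode = None
        elif mode and raw[:1].isspace():    # indented entries are GPO names
            report["gpos"][mode[1]].add(line)
        else:                               # rules and other text end a list
            mode = None
    return report

def diagnose(report, expected_gpos, scope="computer", expected_ou=None):
    """List reasons the expected GPOs cannot be in effect for this scope."""
    findings = []
    dn = report["dn"].get(scope)
    if dn is None:
        findings.append(f"no {scope} section in the output")
    elif expected_ou:  # naive split: assumes no escaped commas in the DN
        rdns = [part.strip().lower() for part in dn.split(",")]
        if f"ou={expected_ou}".lower() not in rdns:
            findings.append(f"{scope} object is outside OU={expected_ou}: {dn}")
    applied = report["gpos"].get(scope, set())
    for gpo in expected_gpos:
        if gpo not in applied:
            findings.append(f"{gpo} not applied to {scope}: check the GPO link, "
                            "security filtering and policy refresh")
    return findings
```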
