Group policy not working

Posted on 2006-04-03
Last Modified: 2010-04-13
I created an OU in AD and put my terminal server in it.
I then created a policy and selected the option to remove and disable the shut down command from the start menu.  
On the terminal server, from a command prompt, I ran gpupdate.
No errors in the event log.
I did this about 3 hours ago and I still have the shutdown button on the start menu.

Any clues?

Question by:mcrossland
    LVL 82

    Accepted Solution

    Yes; the "Remove shutdown" is a *user* configuration, it will only apply to *user* accounts in or below the OU to which the GPO is linked, not to computer accounts.
    You need to apply this GPO to the OU with the user accounts ...
    ... well, assuming you don't actually want to do this because this would influence their desktop logons as well, you need to use the "Loopback" feature.
    1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - User group policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better). Leave the default security settings.
    2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
    Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
    To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

    Loopback Processing of Group Policy

    How to Apply Group Policy Objects to Terminal Services Servers
    LVL 10

    Author Comment

    This rings a bell.
    Last year I migrated an NT4 domain to a 2003 AD, Exchange 2003, 2003 terminal server.
    I really wanted to lock down the terminal server because users were constantly trashing the old NT4 terminal server.
    I believe I used this article at that time.
    It worked out Great!  I didn't have to create a second policy as you stated.  I just used the loopback setting (replace) and then continued on with locking down user settings.  I've just taken that direction with this particular site and will see if I run into any issues with that.  Please take a look at the article that I posted and see if you see anything wrong with going that route.  

    LVL 82

    Expert Comment

    It's easier to keep track of what's happening if you have different GPOs for users and computers, and it's easier to control access with security group filtering if they're separate, too.
    And having a dedicated Loopback GPO makes it immediately clear what's happening in that OU.

    LVL 10

    Author Comment

    Good point.  I'll give that a shot.
    LVL 10

    Author Comment

    Your time to completely explain the solution is greatly appreciated.  
    My issue is resolved.

    Thank you,
