Group policy not working

I created an OU in AD and put my terminal server in it.
I then created a policy and selected the option to remove and disable the shut down command from the start menu.  
On the terminal server, from a command prompt, I ran gpupdate.
No errors in the event log.
I did this about 3 hours ago and I still have the shutdown button on the start menu.

Any clues?

Thanks,
Mike
mcrossland Asked:

oBdA Commented:
Yes; the "Remove shutdown" is a *user* configuration, it will only apply to *user* accounts in or below the OU to which the GPO is linked, not to computer accounts.
You need to apply this GPO to the OU with the user accounts ...
... well, assuming you don't actually want to do this because this would influence their desktop logons as well, you need to use the "Loopback" feature.
1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - User group policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better). Leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users logon to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
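The two-GPO loopback setup described in the answer above, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original answer, and the module (RSAT, Windows Server 2008 R2 and later) postdates the thread. The OU paths, domain, GPO names and group name are placeholders.

```powershell
# Added example. Assumes the GroupPolicy and ActiveDirectory modules (RSAT).
# Every name below is a placeholder, not a value from the thread.
Import-Module GroupPolicy, ActiveDirectory

$tsOu     = 'OU=Terminal Servers,DC=example,DC=com'  # OU holding the TS computer account
$groupOu  = 'OU=Groups,DC=example,DC=com'            # where the filter group is created
$loopback = 'Loopback'
$userGpo  = 'TS User Lockdown'
$group    = 'GPolTSUserLockdown'                     # GPol<GPO name> convention from the answer

# Step 1: dedicated Loopback GPO with its user half disabled, linked to the TS OU.
$gpo = New-GPO -Name $loopback
$gpo.GpoStatus = 'UserSettingsDisabled'
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $loopback `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loopback -Target $tsOu | Out-Null

# Step 2: separate GPO for the user settings, computer half disabled, same OU.
$gpo = New-GPO -Name $userGpo
$gpo.GpoStatus = 'ComputerSettingsDisabled'
# "Remove and prevent access to the Shut Down command" is a user-side policy (NoClose).
Set-GPRegistryValue -Name $userGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $userGpo -Target $tsOu | Out-Null

# Security group filtering: only members of the group apply the lockdown,
# so administrators left out of the group keep the Shut Down command.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $groupOu
Set-GPPermission -Name $userGpo -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
# Downgrade Authenticated Users from Apply to Read instead of removing the entry:
# since MS16-072 the computer account must be able to read user GPOs.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review what is linked to the TS OU and which halves of each GPO are enabled.
(Get-GPInheritance -Target $tsOu).GpoLinks | Select-Object DisplayName, Enabled, Order
foreach ($name in $loopback, $userGpo) {
    Get-GPO -Name $name | Select-Object DisplayName, GpoStatus
}
```

After running `gpupdate` on the terminal server, `gpresult /r /scope user` inside a terminal session of a group member should list the lockdown GPO under applied user policies.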
mcrossland (Author) Commented:
ODBA,
This rings a bell.
Last year I migrated an NT4 domain to a 2003 AD, Exchange 2003, 2003 terminal server.
I really wanted to lock down the terminal server because users were constantly trashing the old NT4 terminal server.
I believe I used this article at that time: http://support.microsoft.com/kb/278295/en-us
It worked out great! I didn't have to create a second policy as you stated. I just used the loopback setting (replace) and then continued on with locking down user settings. I've just taken that direction with this particular site and will see if I run into any issues with that. Please take a look at the article that I posted and see if you see anything wrong with going that route.

Thanks,
Mike
oBdA Commented:
It's easier to keep track of what's happening if you have different GPOs for users and computers, and it's easier to control access with security group filtering if they're separate, too.
And having a dedicated Loopback GPO makes it immediately clear what's happening in that OU.

mcrossland (Author) Commented:
Good point.  I'll give that a shot.
mcrossland (Author) Commented:
oBda,
Your time to completely explain the solution is greatly appreciated.  
My issue is resolved.

Thank you,
Mike
Question has a verified solution.
