
Group policy not working

mcrossland asked
Last Modified: 2010-04-13
I created an OU in AD and put my terminal server in it.
I then created a policy and selected the option to remove and disable the shut down command from the start menu.  
On the terminal server, from a command prompt, I ran gpupdate.
No errors in the event log.
I did this about 3 hours ago and I still have the shutdown button on the start menu.

Any clues?

Thanks,
Mike
Commented:
Yes; the "Remove shutdown" is a *user* configuration, it will only apply to *user* accounts in or below the OU to which the GPO is linked, not to computer accounts.
You need to apply this GPO to the OU with the user accounts ...
... well, assuming you don't actually want to do this because this would influence their desktop logons as well, you need to use the "Loopback" feature.
1. Create a new GPO in your Terminal Server OU, named, for example "Loopback"; check "Disable User Configuration Settings" in properties. Edit the GPO and enable: Computer Configuration - Administrative Templates - group policies - User group policy loopback processing mode. Set the mode to replace (or merge, whatever suits you better). Leave the default security settings.
2. Now you can create your additional GPO(s) for your users in this OU. If possible, check "Disable Computer Configuration Settings" in those. Important: Do *not* use the "Loopback" GPO to configure other settings. These GPOs will now only apply if the users log on to a terminal server session. Depending on your loopback mode setting, your regular user GPOs will still apply, but they will be overridden by the settings defined in your terminal server GPO.
Note that you do (or "may") *not* need to put the users in (or below) the TS OU. New GPOs in that OU will be applied to all users logging on using Terminal Services, even though those users are not in/below the TS OU.
To exclude administrators, use the security group filtering. I'd recommend doing the following (for any GPO, not only TS): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" right for the default "Authenticated Users", and add it for the proper security group instead. That way you're pretty safe from surprises ...

Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370


Author

Commented:
ODBA,
This rings a bell.
Last year I migrated an NT4 domain to a 2003 AD, Exchange 2003, 2003 terminal server.
I really wanted to lock down the terminal server because users were constantly trashing the old NT4 terminal server.
I believe I used this article at that time: http://support.microsoft.com/kb/278295/en-us
It worked out great!  I didn't have to create a second policy as you stated.  I just used the loopback setting (replace) and then continued on with locking down user settings.  I've just taken that direction with this particular site and will see if I run into any issues with that.  Please take a look at the article that I posted and see if you see anything wrong with going that route.

Thanks,
Mike

Commented:
It's easier to keep track of what's happening if you have different GPOs for users and computers, and it's easier to control access with security group filtering if they're separate, too.
And having a dedicated Loopback GPO makes it immediately clear what's happening in that OU.

Author

Commented:
Good point.  I'll give that a shot.

Author

Commented:
oBda,
Your time to completely explain the solution is greatly appreciated.  
My issue is resolved.

Thank you,
Mike