Need help with Loopback Processing for Windows 2000 Terminal Server

I'm trying to configure what should be a typical situation: lock down a TS with very restrictive group policy but allow the same users to come into the office and log into their workstations under a looser policy.

I've followed MS KB 260370 and read other articles, etc., but it's not working like it's supposed to.

I'm hoping someone might be able to point out where I might be going wrong, what to look towards fixing, etc.

Windows 2000 domain controller, w2k TS server, wXP clients.

At this point, I have an OU container, "Terminal Svr". I have moved the TS computer, "2kTS", into it. I have linked my draconian "TS Users" group policy to the OU, and the Loopback option is enabled. The TS Users GPO has the 2kTS computer account added to the Security tab, with Read and Apply checked.

What have I missed?

From the command prompt type "gpresult". Does the GPO appear in the list of Computer Policies applied to this computer? If not, reboot or run "secedit /refreshpolicy machine_policy" from the command line.

Remove the 2kTS computer account from the security tab and replace it with the Authenticated Users group again. Does it apply now?
amohat (Author) commented:
From an XP client, I ran gpresult.

No, the TS Users GPO was not applied (denied, security). As I expect, since I can see that, i.e. I have access to Run and Display properties, etc. That's the way it should be, right?

(btw, I have to use gpupdate since MS may have replaced secedit /refreshpolicy in SP2, which the clients all have. Gpupdate seems to work correctly, though.)

I removed the 2kTS computer account, as instructed, and set it to all Authenticated Users. Ran gpupdate. Sure enough, now the user is locked down both at the workstation and in a TS session. And gpresult shows this under Applied GPOs.

Does this help? The issue is of course to allow a different GPO to affect a user depending on how the user is logged in, local or TS.

All the documentation says I need to do what I've already done. (I have Brian Madden's book for 2003, not much help for this issue so far)
When you selected the Loopback processing, you should have had an option to merge Group Policies or Replace. Did you choose replace?
... also, do you have no override set on anything?
amohat (Author) commented:
I left it on Replace.

No override is not set on either GPO. (I have 2: Default Domain Policy, which is completely untouched, and the TS Users)

Are you getting the same as me? That it seems that I did everything right but something funny is happening?

OK... now I'm confused... you only have 2 GPOs in your domain? And the Default Domain Policy is untouched? So where are your users getting the lockdown settings when they log into their normal workstations?

amohat (Author) commented:
I haven't used GPO's to lock down the user's local workstations yet. There's a bit of politics involved with that to work through. The domain as it is now is very vanilla. Nevertheless, I will need to enforce two policies, one far more locked down than the other for TS sessions only.
I just want to make sure I've got everything straight:

You have 2 GPOs: 1) Default Domain Policy applied to the domain (with no changes from default), 2) TS Users applied to an OU called "Terminal Svr"
The only object in the Terminal Svr OU is the computer 2kTS, which is your terminal server
The user objects are in some separate OU (not under the Terminal Svr OU)
The TS Users GPO is being applied to Authenticated Users and has Loopback enabled and set to Replace

So your AD structure is something like this:

|-----<Terminal Svr>
|                |
|                |--------2kTS
|            |
|            |------User1
|            |------User2
|            |------User3
amohat (Author) commented:
Yes, except if I set everything as above, all users get the extra locked-down goodness of the TS Users GPO, whether they are logged into the terminal server or a local workstation.

If I set Apply on the TS Users GPO to all Authenticated Users, then essentially everyone who logs into the domain gets the TS Users GPO applied, correct? That's what is happening.

I thought that the trick was to add only the computer account of the terminal server to the security tab of the TS Users GPO and set it to Read and Apply. Along with the Loopback Processing option enabled, of course. But this does not work for me. (The MS KB article has 6 simple steps!)

The TS Users GPO should only apply to the 2kTS computer since it is the only computer in the <Terminal Svr> OU. When a user logs in to a workstation (i.e. "Workstation1") the TS Users GPO should not apply since their user account is not in <Terminal Svr> and their computer account is not in <Terminal Svr>. Somehow, the TS Users GPO is being applied to the <Users> OU and not the <Terminal Svr> OU. Check to make sure it is only linked to the <Terminal Svr> OU.
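Added example, not part of the original thread: a PowerShell audit of one GPO that does in one pass what the replies above work through by hand, namely where the GPO is actually linked (domain, OUs and, the part that bit here, sites), who holds the Apply Group Policy permission (the security-filtering question from the gpresult reply), and whether loopback is set to Merge or Replace. It assumes the GroupPolicy and ActiveDirectory RSAT modules on a current Windows admin host, which did not exist in the Windows 2000 era; the GPO name "TS Users" is taken from the thread.

```powershell
# Added example (not from the original thread). Assumes the GroupPolicy and
# ActiveDirectory RSAT modules; run from a domain-joined admin host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'TS Users'   # GPO name from the thread

function Get-GpoLinkReport {
    param([Parameter(Mandatory)][string]$Name)

    $gpo  = Get-GPO -Name $Name -ErrorAction Stop
    $guid = $gpo.Id.ToString().ToUpper()   # gPLink stores the GUID in braces, upper case

    # gPLink entries look like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS]".
    # Search the domain partition (domain root and OUs) AND the configuration
    # partition, where site objects live: a GPO linked at the site applies to every
    # computer in that site, so a "TS only" GPO linked there reaches all workstations.
    $rootDse = Get-ADRootDSE
    $filter  = "(gPLink=*{$($guid)}*)"
    $objects = foreach ($base in $rootDse.DefaultNamingContext, $rootDse.ConfigurationNamingContext) {
        Get-ADObject -SearchBase $base -LDAPFilter $filter -Properties gPLink, objectClass
    }

    # Link flags: bit 0 = link disabled, bit 1 = enforced ("No Override" in the 2000 UI)
    $pattern = "\[LDAP://cn=\{$($guid)\}[^;]*;(\d)\]"
    foreach ($obj in $objects) {
        $m     = [regex]::Match($obj.gPLink, $pattern, 'IgnoreCase')
        $flags = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
        [pscustomobject]@{
            LinkedTo   = $obj.DistinguishedName
            ObjectType = $obj.objectClass        # domainDNS, organizationalUnit or site
            Enabled    = -not ($flags -band 1)
            Enforced   = [bool]($flags -band 2)
        }
    }
}

function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)][string]$Name)

    # Only trustees holding GpoApply (the "Apply Group Policy" ACE) receive the GPO.
    # Compare this list with what the thread expects: the TS computer account
    # (KB 260370's approach) or Authenticated Users.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee = $_.Trustee.Name
                Type    = $_.Trustee.SidType   # User, Group, Computer, ...
            }
        }
}

function Get-GpoLoopbackMode {
    param([Parameter(Mandatory)][string]$Name)

    # Loopback is a Computer Configuration setting stored as UserPolicyMode:
    # 1 = Merge, 2 = Replace. Reading an unset value throws, so catch that.
    $key = 'HKLM\Software\Policies\Microsoft\Windows\System'
    try {
        $v = Get-GPRegistryValue -Name $Name -Key $key -ValueName 'UserPolicyMode' -ErrorAction Stop
        switch ([int]$v.Value) {
            1       { 'Merge' }
            2       { 'Replace' }
            default { "Unknown ($($v.Value))" }
        }
    } catch {
        'Not configured'
    }
}

"=== Links for '$GpoName' ==="
Get-GpoLinkReport -Name $GpoName | Format-Table -AutoSize
"=== Trustees with Apply Group Policy ==="
Get-GpoApplyTrustees -Name $GpoName | Format-Table -AutoSize
"=== Loopback mode: $(Get-GpoLoopbackMode -Name $GpoName) ==="
```

For the setup in this thread the link report should show exactly one row, the Terminal Svr OU. Any row whose LinkedTo ends in CN=Sites,CN=Configuration,... is a site link, which is what the author eventually found. After correcting a link, gpresult on the TS and on a workstation (as used earlier in the thread) confirms the GPO appears in the computer policy list only on the TS.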

amohat (Author) commented:
Heh, it's amazingly simple when you check the right boxes! I always seem to have issues on things that are so simple no one else even stumbles over it.

Yes, I also had the same TS Users GPO linked in the site's Security tab, with Applied to Authenticated Users.

How could I have missed that? Shoddy troubleshooting technique, yes?

Thank you Victor for being so patient with me. Tell me it happens to you, too, so I won't feel so stupid.
It happens to the best of us. Glad we got it working.