Solved

Terminal Server GPO not being applied

Posted on 2007-03-19
Last Modified: 2013-12-04
I am trying to implement a GPO that will only affect users in the remote operators group who are connected to our terminal server.  This way I can really screw down security and the desktop but still allow the administrator full access with no restrictions.

Here is what I have done so far.

* In AD I've created a Terminal Server OU and moved the terminal server into it.
* I've created a GPO called Terminal Server Policy and enabled loopback processing.
* I added remote operators to the GPO's security filtering.
* I set up all the various things in the GPO I'd like to see affect these remote users.

When I log in as a remote user, however, none of the settings have been applied.
I check gpresult and it doesn't even show the GPO as being applied.

What am I overlooking?
Question by:hindsight
8 Comments
 
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 250 total points
ID: 18750236
Have you refreshed the GPO on the terminal server?

gpupdate /force

0
 
LVL 1

Author Comment

by:hindsight
ID: 18750272
Yes.
I've used gpupdate /force and have even rebooted in frustration just to make sure.

It seems like everything should be right but it's just not going through.
If I add authorized users to the security filtering then do gpupdate and gpresult I can see the policy being applied.  I don't, however, want it to apply to everyone - just remote users.  Once I remove all the authorized users and tell it to use only remote operators I get nothing.

Logged in at the console as administrator and issuing gpresult I'm seeing this:

Applied Group Policy Objects
-----------------------------
    Default Domain Policy
    Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Terminal Server Policy
        Filtering:  Not Applied (Unknown Reason)
0
 
LVL 3

Accepted Solution

by:
antonaf earned 250 total points
ID: 18750378
Have you done a gpupdate /force on the domain controller and then on the terminal server itself?  If you have multiple AD's then perform a gpupdate on each AD, because it depends where the terminal server gets its policy from.  You can open a command prompt on the terminal server and type 'set' to get the logon server it connects to.  Reboot the terminal server so it is assured you receive the update.

If all else fails try changing the local terminal server GPO to reflect the same as the domain controller (AD).
0

 
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 250 total points
ID: 18750439
Ok, you have created a security group called "ts_remote_users" or something similar and then added that group to the local "remote desktop users" group on the terminal server?  Removed "authenticated users" from the security filtering and replaced it with "ts_remote_users" or whatever security group you created?

To add the group to the local remote power user group issue the following at the command prompt on the TS.

net localgroup "remote desktop users" domain\group /add

Kevin


0
 
LVL 1

Author Comment

by:hindsight
ID: 18750507
Okay I seem to have resolved the issue myself.
I'm still not sure why this works 100% but it is.

I added the actual machine name (let's just call it SERVER) to the security filter of the GPO and now it is applying itself.  It's also only now applying itself to the remote users.  It must be adding the computer to the policy, processing, and failing when it finds admin not part of the remote users.  It is, however, adding the computer to the policy and processing the user group once an actual remote user logs in.

I was under the impression that by linking the GPO to the OU that contains the computer that this was already assumed by the policy.
0
 
LVL 16

Assisted Solution

by:Kevin Hays
Kevin Hays earned 250 total points
ID: 18750546
I still think you have to have the name of the computer listed or "domain computers" listed if it's all the computers such as in default domain policy.

Cheers.

Kevin
0
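
The fix described in the comments above (the terminal server's computer account in the GPO's security filtering alongside the remote operators group) can be checked and applied from PowerShell. This is an added example, not code from the thread; it assumes the GroupPolicy module that ships with GPMC/RSAT, and the names are the ones used in the thread (SERVER is the poster's placeholder machine name). Test-GpoApply is a hypothetical helper defined here.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

$GpoName  = 'Terminal Server Policy'   # GPO name from the thread
$Computer = 'SERVER'                   # placeholder machine name used in the thread
$Group    = 'remote operators'         # group named in the thread

# Hypothetical helper: true when the trustee holds Apply (security filtering) on the GPO.
function Test-GpoApply {
    param([string]$Gpo, [string]$Trustee)
    $perms = Get-GPPermission -Name $Gpo -All
    # Computer trustees are listed with a trailing '$' (e.g. SERVER$), so strip it.
    [bool]($perms | Where-Object {
        $_.Trustee.Name.TrimEnd('$') -eq $Trustee -and $_.Permission -eq 'GpoApply'
    })
}

# 1. Show who the GPO is currently filtered to (entries with Read + Apply).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission

# 2. The computer account must be in the filter so the computer-side
#    loopback setting in this GPO is processed on the terminal server.
if (-not (Test-GpoApply -Gpo $GpoName -Trustee $Computer)) {
    Set-GPPermission -Name $GpoName -TargetName $Computer `
        -TargetType Computer -PermissionLevel GpoApply
}

# 3. The user group must be in the filter so the user-side settings
#    apply only to its members; an administrator outside the group is skipped.
if (-not (Test-GpoApply -Gpo $GpoName -Trustee $Group)) {
    Set-GPPermission -Name $GpoName -TargetName $Group `
        -TargetType Group -PermissionLevel GpoApply
}

# 4. On the terminal server, refresh policy and confirm with gpresult that
#    'Terminal Server Policy' is no longer listed as filtered out.
gpupdate /force
```

Run gpresult once as a member of the group and once as an administrator to confirm the policy is applied to the first and filtered out for the second.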
 
LVL 1

Author Comment

by:hindsight
ID: 18750625
I'll split the value - thanks for the effort!
0
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 18750870
Thanks.  No problem.  Have a good one.

Kevin
0


Question has a verified solution.
