hindsight
Terminal Server GPO not being applied
I am trying to implement a GPO that will only affect users in the remote operators group who are connected to our terminal server. This way I can really screw down security and the desktop but still allow the administrator full access with no restrictions.
Here is what I have done so far.
* In AD I've created a Terminal Server OU and moved the terminal server into it.
* I've created a GPO called Terminal Server Policy and enabled loopback processing.
* I added remote operators to the GPO's security filtering.
* I set up all the various things in the GPO I'd like to see affect these remote users.
When I log in as a remote user, however, none of the settings have been applied.
I check gpresult and it doesn't even show the GPO as being applied.
What am I overlooking?
ASKER
Okay I seem to have resolved the issue myself.
I'm still not sure why this works 100% but it is.
I added the actual machine name (let's just call it SERVER) to the security filter of the GPO and now it is applying itself. It's also only now applying itself to the remote users. It must be adding the computer to the policy, processing, and failing when it finds admin not part of the remote users. It is, however, adding the computer to the policy and processing the user group once an actual remote user logs in.
I was under the impression that by linking the GPO to the OU that contains the computer that this was already assumed by the policy.
ASKER
I'll split the value - thanks for the effort!
Thanks. No problem. Have a good one.
Kevin
ASKER
I've used gpupdate /force and have even rebooted in frustration just to make sure.
It seems like everything should be right but it's just not going through.
If I add authorized users to the security filtering then do gpupdate and gpresult I can see the policy being applied. I don't, however, want it to apply to everyone - just remote users. Once I remove all the authorized users and tell it to use only remote operators I get nothing.
Logged in at the console as administrator and issuing gpresult I'm seeing this:
Applied Group Policy Objects
--------------------------
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
--------------------------
Terminal Server Policy
Filtering: Not Applied (Unknown Reason)
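The "filtered out" result above and the fix described in the thread (adding the computer to the GPO's security filtering) can be checked from PowerShell. This is an added example, not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules are installed, and it uses the names from the posts, with SERVER as the asker's stand-in for the real host name.

```powershell
# Added example: dry-run audit of who can apply a loopback GPO.
# Names come from the thread; SERVER is the asker's stand-in for the real host.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Terminal Server Policy'
$Computer  = 'SERVER'
$UserGroup = 'Remote Operators'

# SIDs holding an allowed "Apply group policy" right (GPMC's Security Filtering list).
$applySids = @(Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
    ForEach-Object { $_.Trustee.Sid.Value })

function Test-CanApply($Principal) {
    # SIDs the principal presents: its own, Authenticated Users (S-1-5-11),
    # and the groups AD reports for it (nested groups are not expanded here).
    $sids  = @($Principal.SID.Value, 'S-1-5-11')
    $sids += Get-ADPrincipalGroupMembership $Principal | ForEach-Object { $_.SID.Value }
    [bool]($sids | Where-Object { $applySids -contains $_ })
}

$computerOk = Test-CanApply (Get-ADComputer $Computer)
$groupOk    = Test-CanApply (Get-ADGroup $UserGroup)

[pscustomobject]@{
    GPO               = $GpoName
    ComputerCanApply  = $computerOk   # needed so the computer-side loopback setting takes effect
    UserGroupCanApply = $groupOk      # needed so the user-side settings reach the remote users
}

if (-not $computerOk) {
    # The change the asker made, as a dry run.
    Set-GPPermission -Name $GpoName -TargetName $Computer -TargetType Computer `
        -PermissionLevel GpoApply -WhatIf
}
```

Remove `-WhatIf` to make the change, then run `gpupdate /force` on the terminal server and re-check `gpresult`.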