Terminal Server GPO not being applied

I am trying to implement a GPO that will only affect users in the remote operators group who are connected to our terminal server.  This way I can really screw down security and the desktop but still allow the administrator full access with no restrictions.

Here is what I have done so far.

* In AD I've created a Terminal Server OU and moved the terminal server into it.
* I've created a GPO called Terminal Server Policy and enabled loopback processing.
* I added remote operators to the GPO's security filtering.
* I set up all the various things in the GPO I'd like to see affect these remote users.

When I log in as a remote user, however, none of the settings have been applied.
I check gpresult and it doesn't even show the GPO as being applied.

What am I overlooking?

Kevin Hays, IT Analyst, commented:
Have you refreshed the GPO on the terminal server?

gpupdate /force

hindsight (Author) commented:
I've used gpupdate /force and have even rebooted in frustration just to make sure.

It seems like everything should be right but it's just not going through.
If I add authorized users to the security filtering then do gpupdate and gpresult I can see the policy being applied.  I don't, however, want it to apply to everyone - just remote users.  Once I remove all the authorized users and tell it to use only remote operators I get nothing.

Logged in at the console as administrator and issuing gpresult I'm seeing this:

Applied Group Policy Objects
    Default Domain Policy
    Local Group Policy

The following GPOs were not applied because they were filtered out
    Terminal Server Policy
        Filtering:  Not Applied (Unknown Reason)

Have you done a gpupdate /force on the domain controller and then on the terminal server itself? If you have multiple ADs then perform a gpupdate on each AD, because it depends where the terminal server gets its policy from. You can open a command prompt on the terminal server and type 'set' to get the logon server it connects to. Reboot the terminal server so it is assured you receive the update.

If all else fails, try changing the local terminal server GPO to reflect the same as the domain controller (AD).


Kevin Hays, IT Analyst, commented:
Ok, you have created a security group called "ts_remote_users" or something similar and then added that group to the local "remote desktop users" group on the terminal server?  Removed "authenticated users" from the security filtering and replaced it with "ts_remote_users" or whatever security group you created?

To add the group to the local remote power user group issue the following at the command prompt on the TS.

net localgroup "remote desktop users" domain\group /add


hindsight (Author) commented:
Okay I seem to have resolved the issue myself.
I'm still not sure why this works 100% but it is.

I added the actual machine name (let's just call it SERVER) to the security filter of the GPO and now it is applying itself.  It's also only now applying itself to the remote users.  It must be adding the computer to the policy, processing, and failing when it finds admin not part of the remote users.  It is, however, adding the computer to the policy and processing the user group once an actual remote user logs in.

I was under the impression that by linking the GPO to the OU that contains the computer that this was already assumed by the policy.
Kevin Hays, IT Analyst, commented:
I still think you have to have the name of the computer listed or "domain computers" listed if it's all the computers such as in default domain policy.
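The fix hindsight found and Kevin confirms has a concrete cause: with loopback processing the computer account processes the user side of the GPO, so the computer itself needs Read and Apply Group Policy on the GPO in addition to the user group. The following PowerShell (an added example, not from the thread) checks both principals with the GroupPolicy RSAT module and grants the computer account Apply if it is missing; the GPO and group names are the thread's, 'SERVER' stands in for the real terminal server account.

```powershell
# Added example: verify the security filtering that loopback processing needs on
# a GPO and repair the computer-side entry. Requires the GroupPolicy module
# (RSAT) and rights to edit the GPO. 'SERVER' is a placeholder computer account.
Import-Module GroupPolicy

$GpoName    = 'Terminal Server Policy'
$UserGroup  = 'remote operators'
$ServerName = 'SERVER'

function Test-GpoApplies {
    param(
        [string]$Gpo,
        [string]$Target,
        [ValidateSet('User', 'Group', 'Computer')] [string]$Type
    )
    # Get-GPPermission errors (or returns nothing) when the principal has no ACE
    # on the GPO at all, which is the "Not Applied (Unknown Reason)" gpresult case.
    try {
        $perm = Get-GPPermission -Name $Gpo -TargetName $Target -TargetType $Type -ErrorAction Stop
    } catch {
        return $false
    }
    # Only GpoApply (Read + Apply Group Policy) makes the GPO apply; GpoRead or
    # GpoEdit alone (typical for admins who must not receive the lockdown) does not.
    return ($perm.Permission -eq 'GpoApply')
}

# 1. The user group must be allowed to apply the GPO (the user-side settings).
if (-not (Test-GpoApplies -Gpo $GpoName -Target $UserGroup -Type Group)) {
    Write-Warning "'$UserGroup' does not have Apply on '$GpoName'"
}

# 2. Under loopback processing the computer account must also be allowed to
#    apply the GPO; linking the GPO to the computer's OU is not enough once
#    Authenticated Users has been removed from the filter.
if (-not (Test-GpoApplies -Gpo $GpoName -Target $ServerName -Type Computer)) {
    Write-Warning "Computer '$ServerName' cannot apply '$GpoName'; granting Read + Apply"
    Set-GPPermission -Name $GpoName -TargetName $ServerName -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null
}

# 3. List everything that can still apply the GPO, so a leftover broad entry
#    (e.g. Authenticated Users) that would push the lockdown to everyone shows up.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After running it, `gpresult /r` in a remote operator's session should list Terminal Server Policy under the applied user GPOs while an administrator's session still shows it filtered out.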


hindsight (Author) commented:
I'll split the value - thanks for the effort!
Kevin Hays, IT Analyst, commented:
Thanks.  No problem.  Have a good one.
