[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 789
  • Last Modified:

Group Policy Loopback Terminal Server

Please help!!!!  Need to apply a GPO asap.
I have a user OU "data mgmt" which has a GPO to setup standard desktops that the users log on to.  I also have a Terminal Server OU.  My TS is located in that directory which has a GPO that needs to apply a very restrictive user settings GPO.  So my users log into their desktop and have standard profile settings, but when they RDP to the Term Server, they use the same username and password.  I need to make sure that the user settings on the TS GPO are applied.  For example, one setting on the data mgmt policy is to allow the user to shut down, however on the terminal server, I do not want that.

I came across a setting on the TS OU GPO:
User Group Policy loopback processing mode
Setting Path:
Computer Configuration/Administrative Templates/System/Group Policy

Here is the info in the policy information:
Applies alternate user settings when a user logs on to a computer affected by this setting.

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

To use this setting, select one of the following modes from the Mode box:

-- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

-- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.

Note: This setting is effective only when both the computer account and the user account are in Windows 2000 domains.



If you read the 'NOTE' shows it works on Win 2000 domains.  However, I am using Windows 2003 domain and the user is also in the Win 2003 domain.

Any ideas??

0
jsctechy
Asked:
jsctechy
  • 12
  • 10
1 Solution
 
MSE-dwellsCommented:
That text should say "both are using Windows 2000 *or later*".  You should find it works as expected on Windows 2003.
0
 
jsctechyAuthor Commented:
right now, on the DataMGMT ou there is a standard policy for all users.  I am using a test account in that OU.
on the Terminal Server OU, I have a dmtest gpo that only applies to the test user.
There is another policy on the Terminal Server OU that I blocked the test user from receiving, but the 'authenticated users' and the 'everyone group' is applying hte policy.  Will the test user receive these policies even though the denied 'apply gpo' to test user.
0
 
MSE-dwellsCommented:
No, "deny"s take precendence over allows in almost all cases ... based on what you've told me, the 'test' user will not receive the policy.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
jsctechyAuthor Commented:
I didn't think so either.
What am I missing?  That loopback policy needs to be applied to the terminal server OU, correct?
0
 
MSE-dwellsCommented:
Loopback policy is a per computer setting that AFFECTS the policies applied to users that logon there, as such, it should be linked to the OU containing the computer account ... not the user.
0
 
jsctechyAuthor Commented:
that is how I have it setup.  The TS ou has the loopback policy applied, not the user OU (data mgmt)
0
 
MSE-dwellsCommented:
If you run RSOP.MSC as an Admin when logged on to the TS box, do you see the policy containing the loopback setting?
0
 
jsctechyAuthor Commented:
Just trying it now.
0
 
jsctechyAuthor Commented:
Using RSoP, whether I use Merge or Replace, it's not coming out right.  When using Replace, shouldn't the entire User Config be replaced?
0
 
MSE-dwellsCommented:
Nod ... but I was asking if you even see GPO containing the loopback config ...
0
 
jsctechyAuthor Commented:
Yes, I see the loopback setting in the config.

Do you know how this policy setting works?  Which policies are applied?  It doesn't just take the computer configuration, right?
From everything I read on it, it leads me to believe that the user config will be replaced based on the cmputer you're logging into.
0
 
jsctechyAuthor Commented:
Sorry, my mistake, I do not see the loopback in the comp config when using the RSoP.
0
 
MSE-dwellsCommented:
I'd suggest taking a step backwards and removing any custom ACLing you've configured, bounce the box and check the RSOP state again.  In addition, veryify that replication is working.
0
 
jsctechyAuthor Commented:
Being that this server is live, I cannot remove any ACLs.  If I did, all users would be affected by the policies I've created.  I have 1 user that can read both policies.  The other group cannot.  
The term server is not a DC.  Replication seems to be working between DCs (I've made policy changes that show on other domain controllers).
0
 
MSE-dwellsCommented:
As always, it's difficult to troubleshoot in production environments where we've got an oddity for only some of the users ... are you familiar with userenv logging?  If so, I'd suggest you enable that, see below if interested -

Use the Registry Editor to add or to modify the following registry entry:
 
Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)

UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000

The default value is NORMAL|LOGFILE (0x00010001).


Note: To disable logging, select NONE (0x00000000).

You can combine these values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. Therefore, if UserEnvDebugLevel is given a value of 0x00010002, LOGFILE and VERBOSE are both turned on. Combining these values is the same as using a bitwise OR statement (expressed in hex as -)

0x00010000 OR 0x00000002 = 0x00010002

Note: If you set UserEnvDebugLevel to 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created.  This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

The 300 KB limit cannot be modified.

--------- Interpreting the output -----------
Reading from left to right, this log shows a process code (for example, cc.500), the time it was processed (note the date is not displayed), the process name, and a short statement of the error. The Userenv log displays Group Policy process failures and warnings.
0
 
jsctechyAuthor Commented:
Last night I spent some time reading about this.  My configurations (according to microsoft articles) are correct.  I've used these articles to help :
http://grouppolicy.editme.com/Loopback 
http://support.microsoft.com/kb/231287
There were a few more I found on this site also.  Some of the solutions show that the terminal server needs to be restarted after the GPO LOOPBACK is set.
0
 
MSE-dwellsCommented:
re: the restart -- not that I recollect but the memory's becoming less trustworthy as the grey hair increases :0( ... sounds worth a try though if feasible.
0
 
jsctechyAuthor Commented:
I've restarted the terminal server.  However, the policy isn't working.  When I run RSoP, I see where the policies are being pulled, however, none are being pulled from my Term Server GPO.  
0
 
MSE-dwellsCommented:
This sounds like a permission or replication fault; perhaps you could try cloning the failing policy (using GPMC), re-ACLing the new one and creating a test OU structure in an effort to repro in a more flexible scenario (unless of course you have something more suitable to fault-find in).
0
 
jsctechyAuthor Commented:
I will need a testing environment.  This server is in production.  Maybe I can recreate these issues in a testing domain.
I would just create additional OUs and throw a computer in there, but as of right now, I am unable to do this.
0
 
MSE-dwellsCommented:
Nod, without further testing/results, I'm at a loss I'm afraid (I would reiterate that enabling USERENV logging yields an immense amount of information and may furnish an answer/cause).
0
 
jsctechyAuthor Commented:
I will give that a shot and reply back later on
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 12
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now