jsctechy
Group Policy Loopback Terminal Server

Please help!!!! Need to apply a GPO asap.
I have a user OU "data mgmt" which has a GPO to set up standard desktops that the users log on to. I also have a Terminal Server OU. My TS is located in that directory, which has a GPO that needs to apply a very restrictive user settings GPO. So my users log into their desktop and have standard profile settings, but when they RDP to the Term Server, they use the same username and password. I need to make sure that the user settings on the TS GPO are applied. For example, one setting on the data mgmt policy is to allow the user to shut down; however, on the terminal server, I do not want that.

I came across a setting on the TS OU GPO:
User Group Policy loopback processing mode
Setting Path:
Computer Configuration/Administrative Templates/System/Group Policy

Here is the info in the policy information:
Applies alternate user settings when a user logs on to a computer affected by this setting.

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

To use this setting, select one of the following modes from the Mode box:

-- "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.

-- "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.

If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.

Note: This setting is effective only when both the computer account and the user account are in Windows 2000 domains.

If you read the 'NOTE', it shows it works on Win 2000 domains. However, I am using a Windows 2003 domain and the user is also in the Win 2003 domain.

Any ideas??

MSE-dwells
That text should say "both are using Windows 2000 *or later*".  You should find it works as expected on Windows 2003.
jsctechy (ASKER)
Right now, on the DataMGMT OU there is a standard policy for all users. I am using a test account in that OU.
On the Terminal Server OU, I have a dmtest GPO that only applies to the test user.
There is another policy on the Terminal Server OU that I blocked the test user from receiving, but the 'authenticated users' and the 'everyone' group are applying the policy. Will the test user receive these policies even though I denied 'apply GPO' to the test user?
No, "deny"s take precedence over allows in almost all cases ... based on what you've told me, the 'test' user will not receive the policy.
I didn't think so either.
What am I missing? That loopback policy needs to be applied to the terminal server OU, correct?
Loopback policy is a per-computer setting that AFFECTS the policies applied to users that log on there; as such, it should be linked to the OU containing the computer account ... not the user.
That is how I have it set up. The TS OU has the loopback policy applied, not the user OU (data mgmt).
If you run RSOP.MSC as an Admin when logged on to the TS box, do you see the policy containing the loopback setting?
Just trying it now.
Using RSoP, whether I use Merge or Replace, it's not coming out right. When using Replace, shouldn't the entire User Config be replaced?
Nod ... but I was asking if you even see the GPO containing the loopback config ...
Yes, I see the loopback setting in the config.

Do you know how this policy setting works? Which policies are applied? It doesn't just take the computer configuration, right?
From everything I read on it, it leads me to believe that the user config will be replaced based on the computer you're logging into.
Sorry, my mistake, I do not see the loopback in the comp config when using the RSoP.
I'd suggest taking a step backwards and removing any custom ACLing you've configured, bounce the box and check the RSOP state again. In addition, verify that replication is working.
Being that this server is live, I cannot remove any ACLs. If I did, all users would be affected by the policies I've created. I have 1 user that can read both policies. The other group cannot.
The term server is not a DC. Replication seems to be working between DCs (I've made policy changes that show on other domain controllers).
As always, it's difficult to troubleshoot in production environments where we've got an oddity for only some of the users ... are you familiar with userenv logging?  If so, I'd suggest you enable that, see below if interested -

Use the Registry Editor to add or to modify the following registry entry:

Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)

UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000

The default value is NORMAL|LOGFILE (0x00010001).

Note: To disable logging, select NONE (0x00000000).

You can combine these values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. Therefore, if UserEnvDebugLevel is given a value of 0x00010002, LOGFILE and VERBOSE are both turned on. Combining these values is the same as using a bitwise OR statement (expressed in hex as):

0x00010000 OR 0x00000002 = 0x00010002

Note: If you set UserEnvDebugLevel to 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

The 300 KB limit cannot be modified.

--------- Interpreting the output -----------
Reading from left to right, this log shows a process code (for example, cc.500), the time it was processed (note the date is not displayed), the process name, and a short statement of the error. The Userenv log displays Group Policy process failures and warnings.
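As an added example (not code from the thread), the following Python helper builds and decodes the UserEnvDebugLevel bitmask from the flag table above and then filters Userenv.log lines for loopback-related messages, which is what you would look for when checking whether the TS GPO was ever processed. The exact line layout (process code, time, process name, message) is an assumption derived from the description above, and the sample log lines are constructed, not real output.

```python
import re

# UserEnvDebugLevel flag bits, as listed in the reply above.
USERENV_FLAGS = {
    "NONE": 0x00000000,
    "NORMAL": 0x00000001,
    "VERBOSE": 0x00000002,
    "LOGFILE": 0x00010000,
    "DEBUGGER": 0x00020000,
}


def userenv_level(*names):
    """Combine flag names with bitwise OR, e.g. ("VERBOSE", "LOGFILE") -> 0x10002."""
    value = 0
    for name in names:
        value |= USERENV_FLAGS[name.upper()]
    return value


def describe_level(value):
    """Decode a REG_DWORD value back into the list of flag names it enables."""
    return [n for n, bit in USERENV_FLAGS.items() if bit and value & bit == bit]


# Assumed line shape built from the description above: process code, time
# (no date), process name, then the message.  This regex is an assumption.
LINE_RE = re.compile(
    r"^USERENV\((?P<code>[0-9a-f]+\.[0-9a-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<proc>\w+):\s+(?P<msg>.*)$"
)


def parse_userenv(text):
    """Return one dict per line that matches the assumed layout; skip the rest."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def loopback_entries(entries):
    """Keep entries whose message mentions loopback."""
    return [e for e in entries if "loopback" in e["msg"].lower()]


# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
USERENV(cc.500) 09:15:02:101 ProcessGPOs: Starting user Group Policy processing
USERENV(cc.500) 09:15:02:105 ProcessGPOs: Loopback processing mode is Replace
USERENV(cc.500) 09:15:02:230 GetGPOInfo: Access denied reading GPO {placeholder-guid}
USERENV(cc.500) 09:15:02:240 ProcessGPOs: User Group Policy processing complete
"""

if __name__ == "__main__":
    print(hex(userenv_level("VERBOSE", "LOGFILE")), describe_level(0x00010001))
    for e in loopback_entries(parse_userenv(SAMPLE_LOG)):
        print(e["time"], e["proc"], e["msg"])
```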
Last night I spent some time reading about this. My configurations (according to Microsoft articles) are correct. I've used these articles to help:
http://grouppolicy.editme.com/Loopback
http://support.microsoft.com/kb/231287
There were a few more I found on this site also. Some of the solutions show that the terminal server needs to be restarted after the GPO LOOPBACK is set.
re: the restart -- not that I recollect but the memory's becoming less trustworthy as the grey hair increases :0( ... sounds worth a try though if feasible.
I've restarted the terminal server. However, the policy isn't working. When I run RSoP, I see where the policies are being pulled; however, none are being pulled from my Term Server GPO.
This sounds like a permission or replication fault; perhaps you could try cloning the failing policy (using GPMC), re-ACLing the new one and creating a test OU structure in an effort to repro in a more flexible scenario (unless of course you have something more suitable to fault-find in).
I will need a testing environment. This server is in production. Maybe I can recreate these issues in a testing domain.
I would just create additional OUs and throw a computer in there, but as of right now, I am unable to do this.
ASKER CERTIFIED SOLUTION
MSE-dwells
This solution is only available to members.
I will give that a shot and reply back later on