emauch
asked on
Terminal Server OU Policy not working
I set up a new OU and moved my Terminal Server to it and created a group policy for the OU. When I log in I don't see any of my policies being applied to my session. Any ideas what I might be missing? I enabled User Group Policy loopback processing mode also.
Not only that. The right way to set up the group policy for TSs is:
1. Create the GP at the OU level where the TSs are (usually some OU called Terminal Servers).
2. REMOVE 'Authenticated Users' from the list of groups the GP applies to.
3. DENY the GP to apply to administrators.
4. ADD the group you want the GP applied (normally we create a group for that, usually named 'TSUsers').
5. ADD the terminal servers COMPUTER accounts to the list of groups.
Make sure for steps 4 and 5 you check 'Apply Group Policy'.
Also on the loopback settings set it to replace.
Hope this helps.
Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
ASKER
I've made all the changes listed above but it still isn't applying. I found the following error in the event log:
Windows cannot access the file gpt.ini for GPO cn={SID}.....The file must be present at the location \\domain\sysvol\domain\policies\{SID}. the system cannot find the path specified. Group Policy processing aborted.
Any other ideas?
ASKER
I think I'm getting closer. I browse to \\domain\sysvol\domain and I don't see the policy from the terminal server but I do see it from the domain controllers. Any further ideas?
ASKER
I found we were experiencing replication issues, so I manually copied the policy to the DC where the Terminal Server was looking for the policy, and that fixed the issue.
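The missing gpt.ini described above can be confirmed per domain controller before copying anything by hand. The following is an added example, not part of the original thread: it checks each DC's SYSVOL copy of one GPO and compares the gpt.ini version numbers. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the GPO name is a placeholder.

```powershell
# Added example: compare one GPO's SYSVOL copy across all domain controllers.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are available.
Import-Module ActiveDirectory, GroupPolicy

$GpoName = 'Terminal Server Lockdown'   # placeholder GPO name (assumption)

$gpo    = Get-GPO -Name $GpoName
$domain = $gpo.DomainName
$guid   = '{' + $gpo.Id.ToString().ToUpper() + '}'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query each DC by name so DFS referrals cannot hide a stale replica.
    $gptIni  = "\\$($dc.HostName)\SYSVOL\$domain\Policies\$guid\gpt.ini"
    $present = Test-Path -LiteralPath $gptIni
    $version = $null

    if ($present) {
        $line = Get-Content -LiteralPath $gptIni -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } |
            Select-Object -First 1
        if ($line -match '=\s*(\d+)') { $version = [int]$Matches[1] }
    }

    [pscustomobject]@{
        DC            = $dc.HostName
        GptIniPresent = $present
        # gpt.ini Version packs two counters: high 16 bits user, low 16 bits computer.
        UserVersion   = if ($null -ne $version) { $version -shr 16 }
        ComputerVer   = if ($null -ne $version) { $version -band 0xFFFF }
        RawVersion    = $version
    }
}

$results | Sort-Object DC | Format-Table -AutoSize

# Flag DCs whose copy is missing or older than the newest version seen.
$newest = ($results | Measure-Object -Property RawVersion -Maximum).Maximum
$stale  = $results | Where-Object { -not $_.GptIniPresent -or $_.RawVersion -ne $newest }

if ($stale) {
    Write-Warning "GPO '$GpoName' is missing or out of date on: $($stale.DC -join ', ')"
} else {
    Write-Output "GPO '$GpoName' is present with the same version on every DC."
}
```

A DC listed in the warning is one that clients such as the terminal server may be reading an incomplete policy from; the underlying SYSVOL replication fault still needs to be fixed so later GPO edits reach it.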
Check here for details:
Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?kbid=260370
Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en