soresma
asked on
Group policies disappear on SBS domain terminal server
I have a question concerning policies on a SBS 2003 domain with one separate Terminal Server (Windows server Standard 2003)
I have entered the TS in a separate OU, and applied a group policy to that OU. Policy is set for the users in security group RDPusers.
When I created the policy everything worked fine, shut down button is removed, access to run command is prohibited, ...
After a day however, it all seems to be undone. The group policy is still on the OU and the policy modeling wizard gives the right results.
Restarting of the servers is no solution.
Is there anyone who can help me, because I've been wrestling with this problem for weeks now.
What policy is set above this policy?
For example you have default domain policy, default domain controller policy, then you have custom group policies.
Go to the client's machine and from the command prompt type gpresult > C:\gpresult.txt and open this text file; it will tell you what group policies were applied.
ASKER
Thenone, thanks for your quick response.
Hereby some extra info concerning the configuration
It seems half of the policies are ignored on the terminal.
I noticed that the SBS server is still on SP1, while the TS server is on SP2. Maybe this could be the issue. But there are several problems reported for SP2 on SBS, so I don't want to risk installing it remotely.
I will do some homework on SP2 on SBS 2003, and try to update the server on Thursday.
This is the result of gpresult:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 23-10-07 at 10:25:22
RSOP data for XXXXYYYY\test on XXXXTS : Logging Mode
-------------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile: \\XXXXsbs\TSProfiles\test
Local Profile: C:\Documents and Settings\test
Connected over a slow link?: No
USER SETTINGS
--------------
CN=test,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=XXXXYYYY,DC=local
Last time Group Policy was applied: 23-10-07 at 10:22:02
Group Policy was applied from: XXXXsbs.XXXXYYYY.local
Group Policy slow link threshold: 500 kbps
Domain Name: XXXXYYYY
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2
Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)
Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2
Small Business Server Lockout Policy
Filtering: Disabled (GPO)
Local Group Policy
Filtering: Not Applied (Empty)
Small Business Server Client Computer
Filtering: Not Applied (Empty)
Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
Remote Desktop Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
RDPusers
SBS Internet Users
CERTSVC_DCOM_ACCESS
The only policies displayed in this list are the policies linked to the domain. The policies linked to any lower OU aren't displayed in the log.
The log even shows Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)
This is a default generated policy by SBS, and is not empty nor edited.
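Added example, not part of the original thread: a small Python parser for the English gpresult layout quoted above. It lists applied and filtered GPOs per scope and reports which expected GPOs appear in neither list, which is the symptom described here for the OU-linked policy. The function names are this example's own, and the thread never names the OU policy, so any name passed as `expected` is the reader's.

```python
import re

SCOPE = re.compile(r"^(COMPUTER|USER) SETTINGS$")
REASON = re.compile(r"^(?:Filtering|WMI Filter):\s*(.+)$")

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: [reasons]}}}."""
    report, scope, mode, last = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        m = SCOPE.match(line)
        if m:  # a new COMPUTER/USER block starts
            scope, mode, last = m.group(1).lower(), None, None
            report[scope] = {"applied": [], "filtered": {}}
        if m or scope is None or not line.strip("- "):
            continue  # headings, preamble, blank lines, (broken) dash rules
        if line.startswith("Applied Group Policy Objects"):
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif "is a part of the following security groups" in line:
            mode = None  # group names are not GPOs
        elif mode == "applied":
            report[scope]["applied"].append(line)
        elif mode == "filtered":
            reason = REASON.match(line)
            if reason and last:
                report[scope]["filtered"][last].append(reason.group(1))
            else:  # a GPO name; its reason lines follow
                last = line
                report[scope]["filtered"][last] = []
    return report

def missing_gpos(report, scope, expected):
    """Expected GPO names that appear neither as applied nor as filtered."""
    data = report.get(scope, {"applied": [], "filtered": {}})
    seen = set(data["applied"]) | set(data["filtered"])
    return [name for name in expected if name not in seen]

# Excerpt of the English gpresult output quoted in this thread (trimmed).
SAMPLE = """USER SETTINGS
Applied Group Policy Objects
-------------------------- ---
Default Domain Policy
The following GPOs were not applied because they were filtered out
Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2
The user is a part of the following security groups
RDPusers
"""
```

A GPO returned by `missing_gpos` was never evaluated for that scope at all, which is a different condition from one that was evaluated and then filtered out by a WMI filter or by being disabled.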
ASKER
On the client computers in the domain, the gpresult is as generated below.
I'm sorry but this report is in Dutch because of the localized Windows version. But the overall layout seems to be exactly the same. I put the translation of the titles between (brackets), for easy referencing.
Hulpprogramma voor resultaat van groepsbeleid van het Microsoft (R) Windows
(R) XP-besturingssysteem, versie 2.0
Copyright (C) Microsoft Corp. 1981-2001
Gemaakt op 23/10/2007 om 11:19:03
RVB-resultaten voor XXXXYYYY\d08323 op CI2007002 : logboekmodus
--------------------------------------------------------------------
Type besturingssysteem: Microsoft Windows XP Professional
Configuratie van het besturingssysteem: Werkstation
Versie van het besturingssysteem: 5.1.2600
Domeinnaam: XXXXYYYY
Type domein:Windows 2000
Naam van de site:Default-First-Site-Name
Zwervend profiel: \\XXXXsbs\profiles\d08323
Lokaal prodiel: C:\Documents and Settings\d08323
Verbonden via een langzame verbinding?: Nee
COMPUTERINSTELLINGEN (Computer Settings)
---------------------
CN=CI2007002,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=XXXXYYYY,DC=local
Laatste maal dat het groepsbeleid is toegepast: 23/10/2007 at 10:10:00
Het groepsbeleid is toegepast vanuit:XXXXsbs.XXXXYYYY.local
Drempelwaarde van groepsbeleid voor langzame verbindingen: 500 kbps
Toegepaste groepsbeleidsobjecten (Applied Group Policy Objects)
---------------------------------
Small Business Server Domain Password Policy
Small Business Server Windows Firewall
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Default Domain Policy
De volgende groepsbeleidsobejecten worden niet toegepast omdat ze zijn
gefilterd. (The following GPOs were not applied because they were filtered out)
--------------------------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filteren: Geweigerd (WMI-filter)
WMI-filter: PreSP2
Lokaal groepsbeleid
Filteren: Niet toegepast (leeg)
De computer is deel van de volgende beveiligingsgroepen: (
--------------------------------------------------------
BUILTIN\Administrators
Iedereen
Gebruikers
NETWERK
Geverifieerde gebruikers
CI2007002$
Domain Computers
CERTSVC_DCOM_ACCESS
GEBRUIKERSINSTELLINGEN
-----------------------
CN=Jaimie Vandenbroeck,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=XXXXYYYY,DC=local
Laatste maal dat het groepsbeleid is toegepast: 23/10/2007 at 10:06:07
Het groepsbeleid is toegepast vanuit:XXXXsbs.XXXXYYYY.local
Drempelwaarde van groepsbeleid voor langzame verbindingen: 500 kbps
Toegepaste groepsbeleidsobjecten
---------------------------------
Default Domain Policy
De volgende groepsbeleidsobejecten worden niet toegepast omdat ze zijn
gefilterd.
--------------------------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filteren: Geweigerd (WMI-filter)
WMI-filter: PreSP2
Small Business Server Domain Password Policy
Filteren: Niet toegepast (leeg)
Small Business Server Windows Firewall
Filteren: Niet toegepast (leeg)
Small Business Server Lockout Policy
Filteren: Uitgeschakeld (GPO)
Lokaal groepsbeleid
Filteren: Niet toegepast (leeg)
Small Business Server Client Computer
Filteren: Niet toegepast (leeg)
Small Business Server Remote Assistance Policy
Filteren: Uitgeschakeld (GPO)
De gebruiker is deel van de volgende beveiligingsgroepen: (The user is a part of the following security groups)
---------------------------------------------------------
Domain Users
Iedereen
Gebruikers
INTERACTIEF
Geverifieerde gebruikers
LOKAAL
XXXX
RDPusers
CERTSVC_DCOM_ACCESS
ASKER
Problem seems to be solved.
After installing SP2 on the SBS machine, everything seems to work fine. Policy settings are implemented right.
Thenone, since you were the only one who reacted to this question, you can have the points.