Solved

Group Policy Not propagating/applying to the other server (terminal server)

Posted on 2008-06-19
6
812 Views
Last Modified: 2013-11-21
i created a GPO (with some user settings applied to it) and linked it to an OU for one reason that only these will be affected by this policy. When i tested it i found out that the policy was only applied to server1(dc-primary server) not to the other server (server2 (dc, terminal server)). Have been working on this since late this morning and am stuck. i've gone to this " http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_23176363.html" but did not solve it (well the situation is different but some comments was. and i already performed them. like loopback etc.) I ran the GP result and it showed that on the user configuration the policy is being applied. Any help on this issue is greatly appreciated.
0
Comment
Question by:amcurso
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 6

Expert Comment

by:DaMaestro
ID: 21833735
So in order to insure i have a correct statement, you currently have a policy that defines user settings that is linked to an OU where these two DCs are, and for the terminal server which is a domain controller is not processing the policy and you are attempting to use loopback?

What were the results of GPresult and RSOP.msc?
0
 

Author Comment

by:amcurso
ID: 21833849
I cant get the rsop result due to the temporary removal of the policy. The OU where the policy is linked to contains only user account not the two dc. i used the loopback since i couldnt find anything that might help. Again - There are two servers both of them are DC, 1 of them is also a terminal server which i am trying to get the results from when the users log in to these server. for sure i am not doing everything correct since when i login to the terminal server using the certain user account, i dont see the policy being applied. On the other hand when login to the other server (primary DC) the policy get applied. :-)
The last time i ran GP Result - i saw that the policy is on the applied policy (user configuration). i hope i am getting to the point where you can understand me / what am trying to do. thanks.
0
 
LVL 6

Expert Comment

by:DaMaestro
ID: 21834362
1) Are you using the GPMC console with SP1? If so have you been able to due a GP Model for the accounts? It can help show differences if you cannot do a gpresult or rsop.msc
2) Are you using any security groups on the policy or is it defaulted to Authenticated users?
3) Are you sure the user is within the OU structure where the policy is? (Basic I know, but I have to ask)
4) Does any other user have policy issues on that box?
5) Are you using the loopback because of certain settings on the terminal server itself that are not ideal for use in the policy? If not, in this scenario loopback is not neccescary. If all the settings you want are in the policy AND that policy is linked where the user account objects are, and the settings are under user configuration then you would not use loopback. Only if there are terminal server specific settings you want applied that would not normally apply to other systems the user account is on.
6) Although you stated they were user polcies, did u define anything in the computer configuration section?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:amcurso
ID: 21834440
Very thorough. thanks.
1. yes, am using gpmc w/ sp1. I did run a GP model and i saw there the applied policies and one of them was the policy i created.
2. Default Authenticated users.
3. Yes. :-)
4. Not 100% sure but so far this have been the only issue.
5. I dont have to use this for the reason you have presented.
6. None except the loopback.
0
 
LVL 6

Accepted Solution

by:
DaMaestro earned 500 total points
ID: 21834935
So here is what I might do.

1a) turn off loopback in the user policy, also verify that the computer polcies affecting the terminal server do not have the setting enabled.
1b) check the application eventlog for policy processing errors
2) check the last tab of the policy, see if the user affected is in any of the groups (other than autheintcated users) and see if the "Deny" apply policy is checked for any of them.
3) temporarily remove "restrictions" to Group Policy settings in both the user and computer section of an applicable policy for both the computer and user (the gp model would help determine which policy would be edited) to verify that none of those are playing a part. For example, after a domain transition i prevented the use of group policy modeling, unfortunately this resulted in the GPO state registry entry not being updated, which prevented Push Prniter Connections from deploying printers by policy.
4) create a test user with a test policy in a different ou and add settings to restrict the UI and see if they apply when using that user account on the affected server.


0
 
LVL 6

Expert Comment

by:DaMaestro
ID: 21834972
correction on 3, I enabled "Turn off Resultant Set of Policy Logging", I had to disable the setting for Push Printer Connections to work
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question