Group Policy Loopback Processing Not applying to users on a Terminal Server

I have 2 servers at two different companies set up as terminal servers. They are both Windows Server 2003 with the latest service packs and updates, and both 32-bit. Both seem to be showing the same symptoms, so it might be something I'm missing on the configuration side.

I have recently set up loopback policies on these servers to overwrite their client machine GPO with the terminal server policy on that machine, as obviously I want much tighter permissions on the TS.

I have created an OU called Terminal Servers and have put the terminal server computer into that OU. I have blocked inheritance for that OU.

In the Security Filtering options it says "The settings in this GPO can only apply to the following groups, users and computers:"

Authenticated Users
Navision$(Archsupp\navision$)

I have then gone to the Delegation tab, selected Advanced and set a Deny permission for (archsupp\administrators) to stop the administrator account from having the loopback policy apply to it. (Also, the users I'm using to test the servers are not members of the Administrators group.)

Authenticated Users has the Read and Apply Group Policy permissions set to Allow, as does Navision$ (archsupp\navision$) (the name of the terminal server).

All other groups or names don't have anything ticked for Allow or Deny on Apply Group Policy, i.e. SYSTEM, Enterprise Admins and so on.

Inside the Group Policy Object, under Computer Configuration -> Administrative Templates -> System -> Group Policy, the "User Group Policy loopback processing mode" is set to Enabled with Replace.

I believe those are the only settings I have changed. Are there any steps I'm missing? If not, is there a good way to check Group Policy replication from the DC to the terminal server?

Thanks
datafocus asked:
oBdA commented:
datafocus,
Let's start this from scratch.
Move the TS back into the default "Computers" container. Check if your current Terminal Server OU is empty, then delete it.
Delete your current terminal server GPOs as well.
Then create a new OU "Terminal Servers".
Create a new GPO "Loopback", link it to the Terminal Servers OU; enable the loopback processing in your favorite mode.
Close the GP editor.
No additional changes in GPO processing, no changing of the GPO's default security settings, please, and no "shortcuts" by using your existing GPOs or OU.
On the terminal server, run
gpupdate /target:computer /force
and
gpresult /scope computer
At some point, you should see the "Loopback" GPO applying; if it doesn't, you'll have some AD troubleshooting to do, most likely DNS (see links below).
When the GPO shows up, reboot the terminal server.
Now create an additional GPO for your user settings, and link it to the Terminal Servers OU as well; take a simple setting that's easily identifiable so that you can test it with your admin account. When this is working, change the security filtering and restrict away.

10 DNS Errors That Will Kill Your Network
http://redmondmag.com/features/article.asp?EditorialsID=413

Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036
0
 
oBdA commented:
Do yourself a favor: never combine Computer and User policies in the same GPO. It's possible, but it makes administration more difficult.
Create one GPO linked to the TS OU in which only Loopback Processing (and maybe other *computer* configuration settings) is enabled. You can leave the default "Authenticated Users" in the filtering tab; a domain computer is an authenticated user as well. Reboot the TS.
Then link an additional GPO to the TS OU and configure your user restrictions in this GPO; set Deny for "Apply Group Policy" to the local Administrators group, or change the filtering to a dedicated group.
0
 
datafocus (author) commented:
Hi mate, I'm a little unsure of what you mean; it may be that I understand the loopback policy setting incorrectly.
I assume for a policy to apply using loopback, the GPO with the settings that are to overwrite other settings must have the loopback setting enabled, or else it won't apply?
But how I understand your response is:
I need to create a GPO with just the loopback processing policy set to Enabled (and maybe other computer-related policies),
then I need to create another policy that only applies to the Terminal Server OU with all the user settings I need.
Then when a user logs into the terminal server, the loopback policy applies and says all other policies applied to this OU / computer are to be looped back and written over any other policy?
I had assumed that for a policy to overwrite using loopback it needed to have that setting enabled within it, even if it only contains user policy changes.
I hope that makes sense. Could you reply and clarify whether what I'm saying is correct? Thanks
0
 
oBdA commented:
Loopback processing is one single setting that can be enabled for a server; if it is enabled, *user* policies linked to the OU the server is in will be processed as if the user object were in that OU as well. Depending on the loopback mode, the normal policies for the user will still be processed ("Merge"; policies in the loopback OU will have higher priority in case of a conflict), or will be ignored, so that only the loopback policies apply ("Replace").
So, yes, what you've described is what you need to do (don't forget to reboot the terminal server after you've enabled the loopback policy).
Loopback processing of Group Policy
http://support.microsoft.com/kb/231287
0
 
Toni Uranjek (Consultant/Trainer) commented:
I'm not sure what exactly is not applied, and for which group of users?

Replace Mode - In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

"Loopback processing of Group Policy"
http://support.microsoft.com/default.aspx/kb/231287

0
 
datafocus (author) commented:
OK oBdA, I have done as requested: I've removed all computer policies from the GPO that applies to the Terminal Server OU. I have then created a new GPO that only sets the loopback policy to Replace, but it seems still none of my user policies are being applied to the users when logging on to the terminal server.
What are the next steps?
toniur, there are many groups of users, all in different OUs. The terminal server's role is a disaster recovery server at an external site that is joined to the domain and is connected to the domain via VPN.
The idea is, if the normal work-day site were to go down in a large-scale disaster, all users would be able to go home or go to another office with internet and log on remotely to the terminal server with their own username and password. This would then apply the restrictions to them as they log in, which would allow them to continue working (the DC is replicated over the VPN to another server on standby).
I know the link is definitely working and data is passing across with no issues.
I also have a set of servers at a different company; these servers are on the same LAN and they are using their second server as a remote desktop server to run applications from home. This is having the same issues as the one I've been discussing above, except it doesn't have a VPN connection etc. to the DC, as it's sat right next to it.
I've just thought, I've not rebooted the terminal server since making the changes, so I will give that a try now.
0
 
Toni Uranjek (Consultant/Trainer) commented:
My question is: are you trying to propagate user configuration settings to users on a terminal server where the "Replace" loopback policy is in effect? You won't be able to. Check the KB article. Replace mode means that user settings are not processed. Try using "Merge" mode.
0
 
datafocus (author) commented:
Yes, I want all the current user settings to be replaced with new user settings that I'm defining specifically for the terminal server in the terminal server GPO. I don't want any of the old client-side settings to be transferred.
Are you saying that if I use Replace, all the new user settings in the terminal server GPO will not be applied either? I'll give the link a read now and I'll try using Merge mode.
Thanks
0
 
datafocus (author) commented:
Is there a way on the terminal server I can see if the GPO is even being applied to the computer? As I now have a loopback-only GPO, can I see if this is now applying?
0
 
oBdA commented:
You can use either the GPMC, or run
gpresult /scope computer
in a command window, or run
rsop.msc
in a command window or from the run menu.
0
 
datafocus (author) commented:
After selecting Merge, running gpupdate /force, rebooting and looking at gpresult and rsop.msc, I can't see anything that looks like the policy I'm trying to apply, and still no joy unfortunately.
Hmmmm.....
0
 
Toni Uranjek (Consultant/Trainer) commented:
You modified user configuration settings in a GPO which is linked to an OU with terminal server computer accounts? This won't work, because you still need user accounts in this OU.

I believe you misunderstand how loopback policies work, because you are trying to create a special GPO that would apply different user settings depending on which computer the user logs on to. Unfortunately, policies don't work this way. I will be surprised and will learn something new if anyone comes up with a solution.
0
 
datafocus (author) commented:
I thought that was the whole point of loopback policies, so users can log onto a computer and receive different settings than if they were to log onto their own PCs; the domain applies the settings based on the computer instead of the OU. This allows any user to log onto a public PC and get different access rights to things like Control Panel etc. than if they were to log onto their own PC in their office, where they might have local admin rights and weak restrictions.
For instance, I used to have this working at a third company. The company used an internal proxy filter for the internet, so to go online they would have to connect to the proxy. I disallowed any changes to the proxy settings page so users could not bypass the settings, as this is how the MD wanted it set up: everything through the filter.
The problem was with all the laptops in the company. When the users logged on to the laptops, the laptops were forced to use the proxy; this meant if they were external to the company, on site or at home, the internet would not work.
So instead of making the proxy available externally, I set up loopback policies on the laptops. The loopback policy was a Replace policy with no proxy settings.
Any user in the domain could log onto the laptop and would not have to go through the proxy, so internet access worked fine. If they logged into any other computer on the domain, the normal policy applied and they received the proxy settings.
I also set up two or three research machines and a boardroom machine with a no-proxy policy using loopback, so that these machines could also be used without using the proxy.
I basically want to do the same with the terminal server.
0
 
Toni Uranjek (Consultant/Trainer) commented:
When using loopback policies, computer configuration settings are applied last; that's about it. With Replace mode, user settings are ignored; with Merge mode, in case of conflict between user and computer configuration settings, computer settings win.

And to make things more complicated, proxy settings have special behaviour. For IE6 they are defined per user; for IE7 they are defined per machine, and this can also be disabled.

If only proxy settings are in question and IE7 is installed on the terminal server, you should be able to configure these settings for all users on the terminal server easily. Configure proxy settings in Computer Configuration and enable loopback with Replace mode.
0
 
Toni Uranjek (Consultant/Trainer) commented:
@ oBdA: "Now create an additional GPO for your user settings, and link it to the Terminal Servers OU as well; take a simple setting that's easily identifiable so that you can test it with your admin account. When this is working, change the security filtering and restrict away."

What am I missing here? This will not work unless the administrator account is in the TS OU.
0
 
oBdA commented:
toniur,
the purpose of the loopback processing is exactly to apply user policies depending on the computer the user is logging on to.
I don't know where you found your description of the loopback policy, but it's wrong.
Please check the 231287 article I linked above:
"[...] Users in their organizational unit have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate. For example, when you do not want applications that have been assigned or published to the users in their organizational unit to be installed when the user is logged on to a computer in a specific organizational unit. With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific organizational unit:
* Merge Mode
In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.
* Replace Mode
In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used."

Loopback mode has nothing at all to do with conflicts between computer and user configuration; there are no real "conflicts" between these two. Computer configuration policies write to HKLM, user configuration policies write to HKCU. Any "conflicts" are resolved by the *application* that queries the keys, the policy engine does nothing of that sort. There are examples of policies where, if configurable both in computer and user configuration, the user policy "wins", and there are examples where the computer policy "wins".
Look at loopback processing as a flag: if it is enabled (whatever mode it is in), then user policies linked to the computer location will be processed, even though the user object is not in the computer location.
0
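A model of the GPO-list selection described in the quoted KB text and in the "flag" summary above, added here as an example (not code from the thread or from Microsoft). The GPO names, group names and Allow/Deny sets are constructed; the "broken" case shows why removing Authenticated Users from the loopback GPO's filtering stops loopback for everyone, since the computer account is the principal that has to apply it.

```python
"""Model of the GPO-list selection loopback processing performs.  Added
illustration, not code from the thread or from Microsoft; it follows the KB
231287 text quoted above (Merge appends the computer-location user GPOs,
Replace uses them alone) with security filtering reduced to Allow/Deny sets."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class GPO:
    name: str
    has_user_settings: bool = False
    loopback_mode: Optional[str] = None   # None, "merge" or "replace"
    apply_allow: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: Set[str] = field(default_factory=set)

    def applies_to(self, groups: Set[str]) -> bool:
        # Deny on "Apply Group Policy" overrides any Allow.  Domain computer
        # accounts are Authenticated Users too, so the default filter lets the
        # terminal server apply a computer-side GPO.
        return bool(groups & self.apply_allow) and not (groups & self.apply_deny)


def loopback_mode(computer_links: List[GPO], computer_groups: Set[str]) -> Optional[str]:
    """Loopback is a computer setting: it counts only if its GPO applied to the computer."""
    for gpo in computer_links:
        if gpo.loopback_mode and gpo.applies_to(computer_groups):
            return gpo.loopback_mode
    return None


def user_gpo_list(user_links: List[GPO], computer_links: List[GPO],
                  user_groups: Set[str], computer_groups: Set[str]) -> List[str]:
    """Names of the GPOs that supply the user's settings, lowest precedence first."""
    own = [g.name for g in user_links if g.has_user_settings and g.applies_to(user_groups)]
    here = [g.name for g in computer_links if g.has_user_settings and g.applies_to(user_groups)]
    mode = loopback_mode(computer_links, computer_groups)
    if mode == "replace":
        return here          # the user's own list is never gathered
    if mode == "merge":
        return own + here    # computer-location GPOs appended last, so they win
    return own               # no loopback: only the user's own OU counts


# Constructed sample mirroring the thread: the user's OU carries the normal
# client policy; the Terminal Servers OU carries a loopback-only GPO plus a
# user-settings GPO that is denied to Administrators, as oBdA recommends.
CLIENT_OU = [GPO("Client Policy", has_user_settings=True)]
TS_OU = [GPO("Loopback", loopback_mode="replace"),
         GPO("TS Restrictions", has_user_settings=True, apply_deny={"Administrators"})]
COMPUTER = {"Authenticated Users", "Domain Computers"}
USER = {"Authenticated Users", "Domain Users"}
ADMIN = USER | {"Administrators"}


def broken_ts_ou() -> List[GPO]:
    """The same OU after Authenticated Users was removed from the loopback GPO's
    filtering: the computer can no longer apply it, so loopback never switches on."""
    return [GPO("Loopback", loopback_mode="replace", apply_allow=set()), TS_OU[1]]


if __name__ == "__main__":
    print("user on TS:   ", user_gpo_list(CLIENT_OU, TS_OU, USER, COMPUTER))
    print("admin on TS:  ", user_gpo_list(CLIENT_OU, TS_OU, ADMIN, COMPUTER))
    print("filter broken:", user_gpo_list(CLIENT_OU, broken_ts_ou(), USER, COMPUTER))
```

Note that in Replace mode an administrator denied the user-settings GPO ends up with no user policy at all, which is the "escape hatch" the thread is after.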
 
datafocus (author) commented:
That's what I thought, oBdA. OK, well, it's home time for me, so I'm going to pick this up again next week, but I'll do the steps you have listed above and start from scratch; if I can't get it working again then I'll follow your links and see where I could be getting errors.
Cheers
0
 
datafocus (author) commented:
OK, so I've re-set everything up as requested, but it doesn't seem to have made any difference to what is going on; still no policies applied.
I've run a few of the tools suggested but I'm not 100% sure what I'm looking at. Can anyone help me with the next steps?
Thanks
0
 
datafocus (author) commented:
I have just been looking through the event logs again and found this message in the log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date:  21/02/2009
Time:  14:19:03
User:  NT AUTHORITY\SYSTEM
Computer: DRTERMSERVE
Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Trying to figure out how to resolve it now. Any ideas? Thanks
0
 
datafocus (author) commented:
This one also appears:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date:  03/02/2009
Time:  14:26:24
User:  NT AUTHORITY\SYSTEM
Computer: DRTERMSERVE
Description:
Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Along with this:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date:  25/01/2009
Time:  16:45:15
User:  NT AUTHORITY\SYSTEM
Computer: DRTERMSERVE
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And this:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date:  25/01/2009
Time:  16:45:15
User:  NT AUTHORITY\SYSTEM
Computer: DRTERMSERVE
Description:
Windows cannot bind to OTB.local domain. (Local Error). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
0
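A small triage script for the Userenv and DNS events pasted in the posts above, added here as an example (not part of the thread). The event sample is constructed from the IDs pasted above, abridged to the fields the parser needs, and the hints follow the KB articles linked in the thread.

```python
"""Triage of Userenv / DNS errors like the ones pasted above.  Added example,
not part of the thread: parses the text layout Event Viewer pastes and maps the
IDs seen in the thread to the check each calls for, per oBdA's KB links."""
import re
from typing import Dict, List, Tuple

# (source, id) -> what the event means for Group Policy on a domain member
HINTS: Dict[Tuple[str, int], str] = {
    ("Userenv", 1054): "no DC name: DNS client must point only at the DC (KB 324174); "
                       "ICMP to the DC must pass (KB 816045)",
    ("Userenv", 1053): "domain not contacted: same DC-location problem as 1054",
    ("Userenv", 1006): "LDAP bind failed: same DC-location problem as 1054",
    ("Userenv", 1030): "GPO list query failed: follows from the earlier error",
    ("DNS", 708): "DNS role with no zones (caching-only): remove it, use only the DC for DNS",
}
DC_LOCATION = {("Userenv", 1054), ("Userenv", 1053), ("Userenv", 1006)}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Records are separated by a blank line; Description runs to the record end."""
    events = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields: Dict[str, str] = {}
        lines = block.strip().splitlines()
        for i, line in enumerate(lines):
            key, _, value = line.partition(":")
            if key.strip() == "Description":
                fields["Description"] = " ".join(l.strip() for l in lines[i + 1:])
                break
            fields[key.strip()] = value.strip()
        if fields.get("Event ID", "").isdigit():   # skip non-event text
            events.append(fields)
    return events


def event_key(ev: Dict[str, str]) -> Tuple[str, int]:
    return (ev.get("Event Source", ""), int(ev["Event ID"]))


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, int, str]]:
    """(computer, event id, hint) for every event the table explains."""
    return [(e.get("Computer", "?"), event_key(e)[1], HINTS[event_key(e)])
            for e in events if event_key(e) in HINTS]


def root_cause(events: List[Dict[str, str]]) -> str:
    """Collapse the findings to the one thing to fix first."""
    seen = {event_key(e) for e in events}
    if seen & DC_LOCATION:
        dns = ("DNS", 708) in seen
        return "dc-location failure" + ("; caching-only DNS role on the server is the likely cause" if dns else "")
    if ("Userenv", 1030) in seen:
        return "gpo-list query failed; look for an earlier Userenv error"
    return "no policy-engine errors"


# Constructed sample in the Event Viewer paste layout, abridged from the thread
SAMPLE_LOG = """Event Type: Error
Event Source: Userenv
Event ID: 1054
Computer: DRTERMSERVE
Description:
Windows cannot obtain the domain controller name for your computer network. Group Policy processing aborted.

Event Type: Information
Event Source: DNS
Event ID: 708
Computer: DRTERMSERVE
Description:
The DNS server did not detect any zones of either primary or secondary type during initialization."""
```

Running `triage(parse_events(SAMPLE_LOG))` lists the two hints and `root_cause(...)` points at the DC-location failure with the stray DNS role as the likely cause, which is the order the thread ends up following.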
 
oBdA commented:
Then that's the main source of your problems.
Start here:

Group Policies may not apply because of network ICMP policies
http://support.microsoft.com/kb/816045

Event ID 1054 is logged in the Application log in Windows Server 2003 or in Windows XP Professional
http://support.microsoft.com/kb/324174

10 DNS Errors That Will Kill Your Network
http://redmondmag.com/features/article.asp?EditorialsID=413

Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
0
 
datafocus (author) commented:
OK, I've looked through most of that but none of it seemed to point to my issue.
However, I've noticed that the DNS service is installed on this terminal server. Does that sound right?
If I open the DNS MMC, I can see DRTermserver as a DNS server; I can then connect to Server2 (which is the DC and DNS / DHCP server).
Then if I compare the two they are completely different: there are no forward or reverse lookup zones on the DRTermserv, but on Server2 these are populated with things like _msdcs.otb.local etc.
Finally, I've found another event log entry that says the following:

Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 708
Date:  23/02/2009
Time:  12:42:49
User:  N/A
Computer: DRTERMSERVE
Description:
The DNS server did not detect any zones of either primary or secondary type during initialization. It will not be authoritative for any zones, and it will run as a caching-only server until a zone is loaded manually or by Active Directory replication. For more information, see the online Help.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Should I be uninstalling DNS, maybe?
0
 
oBdA commented:
Yes, uninstall DNS from the terminal server, and make sure it's only using the DC as DNS server in the TCP/IP settings.
0
 
datafocus (author) commented:
Done, just rebooting now...
0
 
datafocus (author) commented:
OK, I have rebooted the system after uninstalling DNS and running gpupdate /force. Unfortunately still no luck with applying the policies, but I can't see any more errors in the event log now; going to keep checking to see if any pop up.
0
 
datafocus (author) commented:
Just an update to say this is still not resolved; I will hopefully get back to looking at it this week or next.
0
 
datafocus (author) commented:
Hi mate, starting completely from scratch and following your instructions sorted it out. I think I had applied the "don't apply policy" permission for Administrators to the loopback policy, which might have prevented the loopback applying to the server. If it wasn't that then I don't know what it was; either way, it seems to be working now. Thanks!
0
 
datafocus (author) commented:
After following the steps outlined above again and starting completely afresh, the issue was fixed. I believe I may have applied the "do not apply policy" permission to the loopback policy for the administrator.
This probably meant that the loopback policy wouldn't apply to the server and thus to no other users.
Once I had recreated the policies and allowed the loopback policy to apply to the administrator account, and then denied the second settings policy from applying to the administrator account, it worked like a charm.
Users now have a nice restricted policy no matter what their normal GPO settings are when they log onto the terminal server, except if they are the administrator. To clarify to toniur: the users are not in the same OU, they are in many OUs in different trees, above or next to the loopback OU, but the settings apply fine.
Thanks for your help everyone
0