Solved

Group policy applies to Alice but not Bob, both in same group, policy applied to group

Posted on 2009-06-29
4
248 Views
Last Modified: 2013-11-25
I have a Windows 2003 Server onto which I have installed Active Directory and created a domain named "streetworks.lbwf.gov.uk". The server is the domain controller for the domain and the domain is used exclusively for this server. The server's purpose in life is to be a terminal server to host a single application. I have created a single user named "sw" which is shared by a number of real users for logging in, because the application they use on the server requires them to log in and I didn't want to have to create lots of identical users on the server.

The "sw" user belongs to a group named "Streetworks Users" which is configured as a local domain / security group. I have a single group policy named "Streetworks Terminal Services Users" which is applied to the streetworks.lbwf.gov.uk domain with the "Streetworks Users" group added under security filtering. The policy locks down the desktop heavily. This environment works perfectly and the group policy is applied.

I now need a second user, "swtest" so that I can grant that user access to a different program that logs into a test database. I want that user to behave identically to the "sw" user, except I want a different shortcut on the desktop (well, ultimately I want to do away with the desktop and start the program as the user logs on). I have added the "swtest" user to the "Streetworks Users" group, but when I log in as "swtest", inexplicably, I get a normal user desktop - in other words, the group policy is not being applied.

I have compared the "sw" and "swtest" users tab by tab, field by field. They are identical except for things like the name, and the Remote Desktop Profile path, which is "D:\Remote Desktop Profiles\swtest" for the "swtest" user, and "D:\Remote Desktop Profiles\sw" for the "sw" user. I have copied the profile from "sw" to "swtest" to ensure they are identical.

I have deleted and recreated this test user several times both manually and by copying the "sw" user. I've deleted it's profile and allowed a default profile to be created. I've tried putting "swtest" in a user group of it's own and attaching that user group to the group policy object. I've even tried duplicating the group policy object and applying it separately to the separate new user group. None of this helps. I've had three colleagues spend looking at this including one who is very knowledgeable about Active Directory and we're all stumped.

The only clue I have that might point to an underlying problem is this: when I take the "swtest" user out of the "Streetworks Users" group, I am unable to log on as "swtest" - I get an error message saying I haven't been granted permission to log on to this terminal server, and that I should add the user to the "Remote Desktop Users" group. Both "sw" and "swtest" users are explicitly added as members of the built-in "Remote Desktop Users" group, so I can't figure out why the "Streetworks Users" group has access to Remote Desktop or why the "swtest" user's explicitly granted rights don't work. It seems as though the two problems might be related, but it could equally be a red herring.

All I want to achieve is having the group policy apply to two different users - I don't really care how. Any help would be much appreciated.
0
Comment
Question by:wwarby
  • 3
4 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 500 total points
ID: 24735561
I am confused by the fact that you say that you have applied a group policy to a group - you can't do this - at least not directly. Group policies are applied to OUs (and domains and sites), NOT to groups. While you can filter policies based on security groups this is not good practice in normal circumstances.

You should create two OUs, put the actual user accounts in the different OUs and then link the policies to the OUs as required.

By the way - its the OU that the USER ACCOUNT is in that matters - it makes no difference which OU any groups that the user belongs to is in.
0
 
LVL 1

Author Comment

by:wwarby
ID: 24735874
KCTS,

Thanks for this - I actually set this up a while ago and forgot about exactly how it was all linked up. The group policy "Streetworks Terminal Services Users" is actually applied to the domain streetservices.lbwf.gov.uk (not streetworks.lbwf.gov.uk as I said in my original post) at the top level in Active Directory. When I lselect the domain in the Active Directory tree, I see that the "Streetworks Terminal Services Users" policy applies after the default domain policy.

My thinking is that since the group policy is applied at the domain level and both of my users members of the domain, I don't need to create separate OUs and apply the group policies to both since both users really should inherit the policy from the domain - however, I did try creating one OU for my "swtest" user and applying the policy at the OU level - it made no difference to the problem.

I am also still finding that being able to log in via terminal services at all is impingent on the user in question being a member of the "Streetworks Users" group - placing the user explicitly in the "Terminal Services Users" group doesn't cut it. I have no idea why this is, but I strongly suspect the problems are related.
0
 
LVL 1

Author Comment

by:wwarby
ID: 24787445
In the end I solved this problem, although I'm not entirely sure how I did it. It had something to do with file permissions and profiles but after trying lots of things, it somehow just worked. I didn't need OUs as the policies were applied at the domain level.
0
 
LVL 1

Author Closing Comment

by:wwarby
ID: 31597876
I tried to delete this question because I kind of solved it myself but I couldn't work out how to do it, so the sensible thing seems to be to award points taking the trouble to respond. Thanks :)
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

If you are using Scrum Framework or another agile process, a retrospective may be part of it. Does your team perform retrospectives? Are you getting value from your retrospectives? I see a common anti-pattern when people conduct a retrospective f…
Know what services you can and cannot, should and should not combine on your server.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now