Solved

GPOs on Windows 2008

Posted on 2009-07-14
3
230 Views
Last Modified: 2012-05-07
i have a GPO in a 2008 domain that is used to manage a Windows 2008 terminal server.  None the user settings work (inlcuding the ones that say 'Windows 2000 and later' and the ones that say 'Windows 2003 and XP'.)  Are the ones that say Windows 2003 supposed to work on Windows 2008?  How can I verify which policy settings are being applied?  Is there an RSOP for Windows 2008 - can't find it..
0
Comment
Question by:ENTPF
  • 2
3 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24851766

>> manage a Windows 2008 terminal server.  None the user settings work

Based on this, I'd deduce you have your GPO configured with the policy linked to the OU in which your terminal server resides. You have then attempted to set policies under the 'User Configuration' section, but they are not applying. Is that correct?

If so, that is actually by design. If you link a policy to an OU with Computer objects, ONLY the 'Computer Configuration' section applies. Likewise, on an OU with User objects, only the 'User' section of the policy applies to the user objects.

To combat this, you need to enable 'Loopback Processing' in the Terminal Server policy. This overrides the default behaviour and causes the User Config settings to apply to any user logging into that computer.

See http://support.microsoft.com/kb/231287 for more details on implementing this.

As for the scope of the policies, most policies will apply to 'Windows 2003 and later' or 'Windows XP and later'. hey will therefore also be compatible with Vista/2008 machines. Some policies are XP/Server 2003 specific, and this should be logged as 'XP Only' or 'Server 2003 only'.

RSOP on Server 2008 is certainly available; open a Run box (Windows Key + R) or Start > Run and enter rsop.msc.

-Matt
0
 

Author Comment

by:ENTPF
ID: 24852502
I actually had"loopback processing set".  and i was wrong, not all policies are being blocked, just most..
the policy "prohibit access to the control panel"  works just fine. it is supported on "at least windows 2000".  these do not work:  "remove run menu from start menu"  (supported on "at least windows 2000).
and "Remove access to use all Windows Update features" (supported on "at least windows 2000).
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24873925

Which mode did you have Loopback Processing set to? The modes can get a little confusing, but in most simple deployments, you will want 'Merge' mode.

-Matt
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Destination host unreachable 12 67
Account Lockouts 25 147
RSOP Red "X" 7 26
MDT - Network Administrator Account being locked out on deployment 5 41
Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now