• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 238
  • Last Modified:

GPOs on Windows 2008

i have a GPO in a 2008 domain that is used to manage a Windows 2008 terminal server.  None the user settings work (inlcuding the ones that say 'Windows 2000 and later' and the ones that say 'Windows 2003 and XP'.)  Are the ones that say Windows 2003 supposed to work on Windows 2008?  How can I verify which policy settings are being applied?  Is there an RSOP for Windows 2008 - can't find it..
  • 2
1 Solution

>> manage a Windows 2008 terminal server.  None the user settings work

Based on this, I'd deduce you have your GPO configured with the policy linked to the OU in which your terminal server resides. You have then attempted to set policies under the 'User Configuration' section, but they are not applying. Is that correct?

If so, that is actually by design. If you link a policy to an OU with Computer objects, ONLY the 'Computer Configuration' section applies. Likewise, on an OU with User objects, only the 'User' section of the policy applies to the user objects.

To combat this, you need to enable 'Loopback Processing' in the Terminal Server policy. This overrides the default behaviour and causes the User Config settings to apply to any user logging into that computer.

See http://support.microsoft.com/kb/231287 for more details on implementing this.

As for the scope of the policies, most policies will apply to 'Windows 2003 and later' or 'Windows XP and later'. hey will therefore also be compatible with Vista/2008 machines. Some policies are XP/Server 2003 specific, and this should be logged as 'XP Only' or 'Server 2003 only'.

RSOP on Server 2008 is certainly available; open a Run box (Windows Key + R) or Start > Run and enter rsop.msc.

ENTPFAuthor Commented:
I actually had"loopback processing set".  and i was wrong, not all policies are being blocked, just most..
the policy "prohibit access to the control panel"  works just fine. it is supported on "at least windows 2000".  these do not work:  "remove run menu from start menu"  (supported on "at least windows 2000).
and "Remove access to use all Windows Update features" (supported on "at least windows 2000).

Which mode did you have Loopback Processing set to? The modes can get a little confusing, but in most simple deployments, you will want 'Merge' mode.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now