2008 R2 Remote Desktop Services - Problem with Folder Redirection Group Policy
Background - We have a 2008 R2 Remote Desktop Services environment where users are remoting into (2) RDS Session Hosts load balanced by a Connection Broker. The users have a locked down desktop so that they only have (3) desktop shortcuts where (2) are links to Intranet sites and the 3rd is a shortcut to Log-off.
The need is to be able to make changes to the links and have all users see the changes without having to touch each user separately. Microsoft recommended folder redirection for the desktop which we implemented the Group Policy and it worked.
The problem we ran into was no other Group Policy was being applied or even showing up as not being applied.
Per Microsoft's reccomendation so that only certain users had this GP apply we put the Session Hosts in their own OU and applied the Group Policy to that OU. We created a Security Group and added the users to whom the GP would apply. We added the Security Group to the GP and removed everyone else.
The GP attached to the Session Hosts OU applied successfully but the GP's linked to the Users' OU would no apply or even show up under gpresult.
I need to have all GP's apply. Thoughts?
The need is to be able to make changes to the links and have all users see the changes without having to touch each user separately. Microsoft recommended folder redirection for the desktop which we implemented the Group Policy and it worked.
The problem we ran into was no other Group Policy was being applied or even showing up as not being applied.
Per Microsoft's reccomendation so that only certain users had this GP apply we put the Session Hosts in their own OU and applied the Group Policy to that OU. We created a Security Group and added the users to whom the GP would apply. We added the Security Group to the GP and removed everyone else.
The GP attached to the Session Hosts OU applied successfully but the GP's linked to the Users' OU would no apply or even show up under gpresult.
I need to have all GP's apply. Thoughts?
lamaslany
To confirm: Have you enabled group policy loopback for the GPO?
"We added the Security Group to the GP and removed everyone else"
Can you please explain - are you using secirity filtering on the GPO, or are you trying to apply a policy based on which OU a security group is a mamber of?
While you can use security groups for filtering, in normal circumstances which OU a secutity group is in has n effect. GPOs are applied according to which OU the the actual user (or computer) accounts are in. The placing of secutity groups in an OU has no effect on GPOs.
Can you please explain - are you using secirity filtering on the GPO, or are you trying to apply a policy based on which OU a security group is a mamber of?
While you can use security groups for filtering, in normal circumstances which OU a secutity group is in has n effect. GPOs are applied according to which OU the the actual user (or computer) accounts are in. The placing of secutity groups in an OU has no effect on GPOs.
Opps some typos there - let me try again
"We added the Security Group to the GP and removed everyone else"
Can you please explain - are you using security filtering on the GPO, or are you trying to apply a policy based on which OU a security group is a member of?
While you can use security groups for filtering, in normal circumstances which OU a security group is in has no effect. GPOs are applied according to which OU the the actual user (or computer) accounts are in. The placing of security groups in an OU has no effect on GPOs.
"We added the Security Group to the GP and removed everyone else"
Can you please explain - are you using security filtering on the GPO, or are you trying to apply a policy based on which OU a security group is a member of?
While you can use security groups for filtering, in normal circumstances which OU a security group is in has no effect. GPOs are applied according to which OU the the actual user (or computer) accounts are in. The placing of security groups in an OU has no effect on GPOs.
ASKER
lamaslany,
Yes, Group Policy Loopback is enabled.
KCTS,
I removed the Authenticated Users from the Security Filtering and added the Security Group.
Yes, Group Policy Loopback is enabled.
KCTS,
I removed the Authenticated Users from the Security Filtering and added the Security Group.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Cláudio,
I have your guide and thank you very much. I have followed the same steps that are provided in your guide but as per my question my issue is that other policies are not applying when the users remote in.
I have your guide and thank you very much. I have followed the same steps that are provided in your guide but as per my question my issue is that other policies are not applying when the users remote in.
Well the thing is if you followed it step-by-step you should NOT have authenticated users as a group that was having the policy applied. That is what is confusing me.
If you missed that step chances are you may have missed other ones.
Did you follow it 100%, step-by-step?
Cláudio Rodrigues
Citrix CTP
If you missed that step chances are you may have missed other ones.
Did you follow it 100%, step-by-step?
Cláudio Rodrigues
Citrix CTP
ASKER
Per what I said above, I do NOT have authenticated users as a group. I only have the group to whom the policy should apply.
The client just asked that instead of using folder redirection to have the shortcuts deleted and readded through through the usrlogon script from a shared folder. I will try that and update.
The client just asked that instead of using folder redirection to have the shortcuts deleted and readded through through the usrlogon script from a shared folder. I will try that and update.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The USRLOGON script worked so I will stick with that. Thanks!