2008 R2 Remote Desktop Services - Problem with Folder Redirection Group Policy

advserver
Background - We have a 2008 R2 Remote Desktop Services environment where users are remoting into (2) RDS Session Hosts load balanced by a Connection Broker.  The users have a locked down desktop so that they only have (3) desktop shortcuts where (2) are links to Intranet sites and the 3rd is a shortcut to Log-off.

The need is to be able to make changes to the links and have all users see the changes without having to touch each user separately.  Microsoft recommended folder redirection for the desktop, which we implemented through Group Policy, and it worked.

The problem we ran into was no other Group Policy was being applied or even showing up as not being applied.

Per Microsoft's recommendation, so that only certain users had this GP apply, we put the Session Hosts in their own OU and applied the Group Policy to that OU.  We created a Security Group and added the users to whom the GP would apply.  We added the Security Group to the GP and removed everyone else.

The GP attached to the Session Hosts OU applied successfully, but the GPs linked to the Users' OU would not apply or even show up under gpresult.

I need to have all GP's apply.  Thoughts?
To confirm:  Have you enabled group policy loopback for the GPO?
Brian Pierce, Photographer

Commented:
"We added the Security Group to the GP and removed everyone else"

Can you please explain - are you using secirity filtering on the GPO, or are you trying to apply a policy based on which OU a security group is a mamber of?

While you can use security groups for filtering, in normal circumstances which OU a secutity group is in has n effect. GPOs are applied according to which OU the the actual user (or computer) accounts are in. The placing of secutity groups in an OU has no effect on GPOs.
Brian Pierce, Photographer

Commented:
Oops, some typos there - let me try again

"We added the Security Group to the GP and removed everyone else"

Can you please explain - are you using security filtering on the GPO, or are you trying to apply a policy based on which OU a security group is a member of?

While you can use security groups for filtering, in normal circumstances which OU a security group is in has no effect. GPOs are applied according to which OU the actual user (or computer) accounts are in. The placing of security groups in an OU has no effect on GPOs.

Author

Commented:
lamaslany,

Yes, Group Policy Loopback is enabled.

KCTS,

I removed the Authenticated Users from the Security Filtering and added the Security Group.

This is all explained, step-by-step, on the "Terminal Services A to Z" guide that I wrote, available at no cost at http://www.wtslabs.com. The OU structure, groups, how to create/enable the policy and so on.
Download it as it is definitely worth reading if you are willing to understand TS and learn it the proper way.

Cláudio Rodrigues
Citrix CTP

Author

Commented:
Cláudio,

I have your guide and thank you very much.  I have followed the same steps that are provided in your guide but as per my question my issue is that other policies are not applying when the users remote in.

Well the thing is if you followed it step-by-step you should NOT have authenticated users as a group that was having the policy applied. That is what is confusing me.
If you missed that step chances are you may have missed other ones.
Did you follow it 100%, step-by-step?

Cláudio Rodrigues
Citrix CTP

Author

Commented:
Per what I said above, I do NOT have authenticated users as a group. I only have the group to whom the policy should apply.  

The client just asked that instead of using folder redirection to have the shortcuts deleted and re-added through the usrlogon script from a shared folder.  I will try that and update.

I know you NOW do not have 'Authenticated Users' but as per your posts, you DID have that before. That is why I asked if you followed the guide step-by-step as if you did have that set at one point, it shows you missed something and potentially more.
The USRLOGON.CMD script will indeed work. Is it as elegant and polished as folder redirection? No. Does it work? Yes.

Cláudio Rodrigues
Citrix CTP

Author

Commented:
The USRLOGON script worked so I will stick with that.  Thanks!
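
A way to inspect the two settings this thread discusses, loopback processing and security filtering, on the GPO linked to the Session Hosts OU. This is an added example, not part of any participant's post; the GPO name is a placeholder, and the GroupPolicy PowerShell module (installed with GPMC) on a domain-joined machine is assumed.

```powershell
# Added example: report the loopback mode and the security filtering of one GPO.
Import-Module GroupPolicy

# Placeholder (assumption): the GPO linked to the Session Hosts OU.
$GpoName = '<Session Hosts GPO name>'

# Loopback processing is stored as the UserPolicyMode policy value:
#   1 = Merge   (the user's own GPOs apply, then the user settings of the
#                GPOs that apply to the computer)
#   2 = Replace (only the user settings of the GPOs that apply to the
#                computer are used)
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'
try {
    $mode = (Get-GPRegistryValue -Name $GpoName -Key $key `
             -ValueName 'UserPolicyMode' -ErrorAction Stop).Value
} catch {
    $mode = $null   # value is not set in this GPO
}

switch ($mode) {
    1       { 'Loopback mode: Merge' }
    2       { 'Loopback mode: Replace' }
    default { 'Loopback mode: not configured in this GPO' }
}

# Security filtering: list every trustee on the GPO and its permission level.
# Trustees with GpoApply are the ones the GPO is filtered to; GpoRead alone
# means the trustee can read the GPO but does not apply it.
Get-GPPermissions -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission |
    Sort-Object Trustee |
    Format-Table -AutoSize

# On a Session Host, logged on as an affected user, compare with what was
# actually applied and what was filtered out:
#   gpresult /r /scope user
```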
