troubleshooting Group Policy settings

I'm looking for some help figuring this one out.  I have 2 users that appear to be identical in Active Directory.  Same group memberships, etc.  We are running remote desktop services and have turned off control panel and access to admin tools for those people.  However we have 3 people who need to log in and perform admin functions.  Two of those people's account work correctly and have control panel and admin tools, but the third one does not.

I've tried the group policy setting wizard but that doesn't go deep enough, and I can't figure out how to get it to think I'm coming in from remote desktop (maybe it doesn't matter).  But never the less, the report has very minimal information and not the detail I would have expected.

So the question is, how do I figure out the difference and fix it?
Doug PoulinCTOAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You mentioned a report.  Logged on as the user in question, have you run rsop.msc to see what group policy is being applied?  Is this the report you speak of?
I would suggest a few things with this one, feel free to disregard steps that you have taken already.

1 - Check out the local policies for each user.. Start > Run > GPEDIT.MSC
2 - If the users are roaming, try their access on another terminal to replicate the problem, if you cant then wipe/reimage the box you are having problems with
3 - Check to see if they are added a local administrators or if the users are scattered into different group policies locally.
3 - Check to see if their groups are different in Active Directory, all three users should belong to the same groups.
4 - Roaming profile scripts should be check too, just in case they aren't receiving the same login scripts.
if they all are inheriting same policy then it shouldnt be a problem what happen to the third user is he not able to use speicfic application or he cant login at all when you are allowing remote access you need to also configure from the computer properties who can access remotely is the third user group or user itself there
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Doug PoulinCTOAuthor Commented:
Yes I ran rsop.msc.  That is the report that wasn't much help.

Here are some more details:  I created a GPO specifically for remote desktop users.  It has some quite restrictive settings.    Beyond that the only group that is allowed remote desktop access is administrators.  All 3 user accounts are in the windows default "Users" gpo and not in the remote desktop object.

I did log on to this account BEFORE he was added to the administrators group.  Could that be the problem?  Maybe there's settings attached to his account that are hanging around from his previous more restrictive settings.

I have logged on to this account from multiple machines, so it is not a local policy problem.  All 3 users belong to the same groups. (Domain users and administrators)
I'm certain that there are some gpo settings that must be forced to not configured or reset before new settings can be applied.  You might try deleting the profile and logging back on.

How are the GPO settings applying to these users?  I believe Group Policy objects cannot be assigned to the default Users OU.  Is the GPO assigned to the OU where the terminal server lives or is it assigned to the domain and you're controlling it through group membership?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Doug PoulinCTOAuthor Commented:
I gave a B because it was a suggestion and not a definitive answer.  It could have been a C, but if someone helps you out...
Doug PoulinCTOAuthor Commented:
Deleting and re-creating the user account solved the problem.  
You should post the final solution for others who have the same challenge.  Thanks for the points!
Sorry...should have refreshed.  Thanks again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.