troubleshooting Group Policy settings

I'm looking for some help figuring this one out.  I have 2 users that appear to be identical in Active Directory.  Same group memberships, etc.  We are running remote desktop services and have turned off control panel and access to admin tools for those people.  However we have 3 people who need to log in and perform admin functions.  Two of those people's account work correctly and have control panel and admin tools, but the third one does not.

I've tried the group policy setting wizard but that doesn't go deep enough, and I can't figure out how to get it to think I'm coming in from remote desktop (maybe it doesn't matter).  But never the less, the report has very minimal information and not the detail I would have expected.

So the question is, how do I figure out the difference and fix it?
Who is Participating?
digitapConnect With a Mentor Commented:
I'm certain that there are some gpo settings that must be forced to not configured or reset before new settings can be applied.  You might try deleting the profile and logging back on.

How are the GPO settings applying to these users?  I believe Group Policy objects cannot be assigned to the default Users OU.  Is the GPO assigned to the OU where the terminal server lives or is it assigned to the domain and you're controlling it through group membership?
You mentioned a report.  Logged on as the user in question, have you run rsop.msc to see what group policy is being applied?  Is this the report you speak of?
I would suggest a few things with this one, feel free to disregard steps that you have taken already.

1 - Check out the local policies for each user.. Start > Run > GPEDIT.MSC
2 - If the users are roaming, try their access on another terminal to replicate the problem, if you cant then wipe/reimage the box you are having problems with
3 - Check to see if they are added a local administrators or if the users are scattered into different group policies locally.
3 - Check to see if their groups are different in Active Directory, all three users should belong to the same groups.
4 - Roaming profile scripts should be check too, just in case they aren't receiving the same login scripts.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

if they all are inheriting same policy then it shouldnt be a problem what happen to the third user is he not able to use speicfic application or he cant login at all when you are allowing remote access you need to also configure from the computer properties who can access remotely is the third user group or user itself there
geekdad1Author Commented:
Yes I ran rsop.msc.  That is the report that wasn't much help.

Here are some more details:  I created a GPO specifically for remote desktop users.  It has some quite restrictive settings.    Beyond that the only group that is allowed remote desktop access is administrators.  All 3 user accounts are in the windows default "Users" gpo and not in the remote desktop object.

I did log on to this account BEFORE he was added to the administrators group.  Could that be the problem?  Maybe there's settings attached to his account that are hanging around from his previous more restrictive settings.

I have logged on to this account from multiple machines, so it is not a local policy problem.  All 3 users belong to the same groups. (Domain users and administrators)
geekdad1Author Commented:
I gave a B because it was a suggestion and not a definitive answer.  It could have been a C, but if someone helps you out...
geekdad1Author Commented:
Deleting and re-creating the user account solved the problem.  
You should post the final solution for others who have the same challenge.  Thanks for the points!
Sorry...should have refreshed.  Thanks again!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.