Group Policy not applying on Terminal Server profiles

Some (not all) of our users are not getting a group policy when logging into one of our terminal servers. The group policy adds certain sites to the Local Intranet and Trusted Sites zones.

All users' settings are greyed out in the Intranet and Trusted Sites section of Internet Options; however, some users do not have any of the sites listed like they should.

When running GPRESULT it shows that the policy is applied.

Why would the group policy apply for some users and not others? The GPO is set up for all domain users.
bkpierceAsked:
bobalobCommented:
Are there any machine policies being applied that you can see via RSOP? In particular anything around IE Security.

In any case, you can try clearing down cached policies in an affected user's TS Profile; it's a bit of a PITA to perform though.

!! Create a backup of the affected user's NTUSER.dat prior to the following steps !!

Mount their NTUSER.DAT in regedit as a local administrator:-
1) Run regedit
2) Highlight HKEY_USERS key
3) File - Load Hive - Browse to user's NTUSER.DAT - mount as TS_User

Clear cached policies:-
1) Delete subkeys within HKEY_USERS\TS_User\Software\Policies\
2) Ensure permissions on HKEY_USERS\TS_User\Software\Policies are User:R, Administrators:F, System:F
3) Delete subkeys within HKEY_USERS\TS_User\Software\Microsoft\Windows\CurrentVersion\Policies\
4) Ensure permissions on above key are User:R, Administrators:F, System:F
5) Delete subkeys within HKEY_USERS\TS_User\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\
6) Delete subkeys within HKEY_USERS\TS_User\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\

Unmount their NTUSER.DAT (this is a very important step!)
1) Highlight HKEY_USERS\TS_User
2) File - Unload Hive [ok]

Delete ntuser.pol file (this will likely be a hidden system file).

0
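The same clean-up as a script, added here as an example (it is not bobalob's own code or anything from the thread): it loads the offline NTUSER.DAT, removes the cached policy subkeys, resets the Policies key permissions, unloads the hive and deletes ntuser.pol. The profile folder and the user name are assumed parameters; run it elevated while the user is logged off.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$ProfilePath,   # folder holding the user's NTUSER.DAT (assumed)
    [Parameter(Mandatory=$true)][string]$UserName       # e.g. 'DOMAIN\jdoe' (assumed); gets Read on the keys
)
$hive  = Join-Path $ProfilePath 'NTUSER.DAT'
$alias = 'TS_User'

# Backup first, as the answer insists.
Copy-Item $hive ($hive + '.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak') -Force

# Load the offline hive under HKEY_USERS; this fails if the user is still logged on (hive in use).
reg.exe load "HKU\$alias" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hive; is the user still logged on?" }
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
try {
    $cached = @(
        'Software\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
        'Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    )
    foreach ($rel in $cached) {
        $key = "HKU:\$alias\$rel"
        # Delete the subkeys only; the parent key stays so permissions can be set on it.
        if (Test-Path $key) { Get-ChildItem $key | Remove-Item -Recurse -Force }
    }
    # Steps 2 and 4: User:R, Administrators:F, System:F on the two Policies keys.
    foreach ($rel in $cached[0..1]) {
        $key = "HKU:\$alias\$rel"
        if (-not (Test-Path $key)) { continue }
        $acl = Get-Acl $key
        $acl.SetAccessRuleProtection($true, $false)                 # stop inheriting, drop inherited rules
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
        foreach ($p in @(@($UserName, 'ReadKey'), @('BUILTIN\Administrators', 'FullControl'),
                         @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
                $p[0], $p[1], 'ContainerInherit', 'None', 'Allow')))
        }
        Set-Acl -Path $key -AclObject $acl
    }
}
finally {
    # The unload is the step the answer stresses; drop handles first or reg.exe reports the key is in use.
    $acl = $null; [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload "HKU\$alias" | Out-Null
}
# ntuser.pol caches the last applied registry.pol; it is a hidden system file, hence -Force.
$pol = Join-Path $ProfilePath 'ntuser.pol'; if (Test-Path $pol) { Remove-Item $pol -Force }
```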
 
bobalobCommented:
RSOP.msc is a little more intuitive when diagnosing Group Policy issues, and will give better indication of where the problem may lie.

You can right click on either Computer or User configuration within RSOP and go to Properties to see the objects applied (and in what order), plus any error information attached to each policy area.

Please report back any findings.
0
 
zeotechCommented:
Are you using a loopback policy?
0
 
iedenCommented:
add a login script that forces policy...

@echo off
rem logon script: force an immediate refresh of computer and user policy
gpupdate /force
:end
0
 
bkpierceAuthor Commented:
Thanks for the quick replies. I have attached some screen shots from the RSOP; it's showing the policy twice?? And then on the error information tab it says success but no data? I have also attached a copy of the settings from the GPO that indeed show sites listed. Plus, other users are getting the policy fine, so I'm not sure why it's saying no data.

Loopback policy was not enabled but I did enable it and run a gpupdate /force and the sites are still not showing in the trusted or local intranet sites.

Running gpupdate /force in a script won't work. I've tried running it manually from a test user account and it says everything is refreshed OK, but still no sites listed in Trusted Sites or Local Intranet.
RSOP.jpg
GPO.jpg
0
 
bkpierceAuthor Commented:
And looking at the RSOP everything looks OK, all the sites are listed in there. Haven't been able to figure out why they are not showing up in Internet Explorer.
0
 
bobalobCommented:
You can tick the "Display scope of management" and "Display revision information" boxes to try and determine why the policy is listed twice.

The success (no data) is normal, but you should definitely see those sites you've blanked in the Trusted Sites list if the policy is being applied correctly.

Might be worth checking permissions on the CURRENT_USER hive within regedit to make sure the user, system and Administrators have sufficient access.
0
 
bkpierceAuthor Commented:
The scope and revision numbers are identical.

I checked the registry permissions and everything looked OK.
RSOP2.jpg
0
 
iedenCommented:
Have you attempted a disjoin and rejoin?
Disjoin the computer, add it to WORKGROUP/WORKGROUP, reboot.
Log on as Local Administrator, run gpupdate /force.
Join the domain, reboot.
Log on with a domain account that has local administrator equivalency, run gpupdate /force.
Log off and have the user log on to verify that the settings have been changed.
0
 
bkpierceAuthor Commented:
Disjoining and rejoining would have to be an absolute last resort. This terminal server is in a production environment and is in use 24/7.
0
 
iedenCommented:
Just try a rejoin then. You can refresh the computer account by rejoining the domain (yes, a reboot is required); use Domain Admin creds when rejoining while already a member of a domain.
0
 
bobalobCommented:
From OP, I understood it was only particular *user* accounts being affected, not the whole TS instance? Is this correct?
0
 
bobalobCommented:
Also just throwing this wildcard in... Is the TS service packed to the latest level? I recall there were problems with site to zone GPOs prior to one of the SPs.
0
 
bkpierceAuthor Commented:
Correct, it's only less than 5 users that are not getting the GPO, not the entire server. The server is running Windows Server 2003 Enterprise with SP2 and all the latest updates.
0
 
bkpierceAuthor Commented:
Nothing on the local machine policy. I even tried creating the domain GPO policy on the local policy to see if it would take and it did not.

I have been using a test user account, and one thing I tried last night was deleting their profile on the TS box completely; I thought possibly something had become corrupted with their profile.

I will give the registry modification a shot and see if it helps.
0
 
bkpierceAuthor Commented:
I ended up talking to Microsoft on this, and it turns out the policy was applying fine but Internet Explorer Enhanced Security was preventing it from being applied. Running a simple script for the affected users from the website below fixed the problem. After running the script I did a gpupdate /force and all the sites showed up in the Trusted Sites list.

http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx
0
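An added diagnostic (not from the thread and not Microsoft's script) that shows the mechanism behind this answer: it reads the IE Enhanced Security Configuration state from the two Active Setup components and lists the site-to-zone entries held in the policy ZoneMap keys beside the user's own Domains and EscDomains keys, so policy entries that are present in the registry yet invisible in IE stand out. The registry locations are the standard ones; run it as the affected user on the terminal server.

```powershell
$zoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# IE ESC is recorded by two Active Setup components (IsInstalled 1 = on): one for Administrators, one for Users.
$escAdmins = (Get-ItemProperty "$activeSetup\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
$escUsers  = (Get-ItemProperty "$activeSetup\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
Write-Host "IE ESC -> Administrators: $escAdmins  Users: $escUsers  (1 = enabled)"

function Get-ZoneMapEntries([string]$Base) {
    # Each host is a subkey path under ...\Domains or ...\EscDomains, top-level label first
    # (example.com\intranet means intranet.example.com); each value (http, https, *) holds the zone number.
    foreach ($key in (Get-ChildItem $Base -Recurse -ErrorAction SilentlyContinue)) {
        $labels = @((($key.Name -split '\\(?:Esc)?Domains\\', 2)[-1]) -split '\\')
        [array]::Reverse($labels)
        $props = Get-ItemProperty $key.PSPath
        foreach ($v in $props.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }        # skip the provider's PSPath/PSParentPath/... members
            New-Object PSObject -Property @{
                Source = $Base; Host = ($labels -join '.'); Scheme = $v.Name
                Zone   = "$($v.Value) ($($zoneNames[[int]$v.Value]))"
            }
        }
    }
}

$policyDomains = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',  # computer-side GPO
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'   # user-side GPO, as in this thread
)
$userDomains = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',           # what IE uses with ESC off
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'         # what IE uses with ESC on
)
$entries = ($policyDomains + $userDomains) | ForEach-Object { Get-ZoneMapEntries $_ }
$entries | Format-Table Host, Scheme, Zone, Source -AutoSize

$fromPolicy = @($entries | Where-Object { $policyDomains -contains $_.Source })
if ($fromPolicy.Count -gt 0 -and $escUsers -eq 1) {
    $msg = "{0} site(s) are assigned by policy, but IE ESC is on for Users, so IE consults EscDomains and " +
           "those assignments do not appear in the zone lists: the symptom in this thread."
    Write-Warning ($msg -f $fromPolicy.Count)
}
```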
Question has a verified solution.