Solved

Group Policy not applying on Terminal Server profiles

Posted on 2010-09-02
Last Modified: 2012-05-10
Some (not all) of our users are not getting a group policy when logging into one of our terminal servers. The group policy adds certain sites to the Local Intranet and Trusted sites zones.

All users' settings are greyed out in the Intranet and Trusted sites section of Internet Options; however, some users do not have any of the sites listed like they should.

When running GPRESULT it shows that the policy is applied.

Why would the group policy apply for some users and not others? The GPO is set up for all domain users.
Question by:bkpierce
16 Comments
 
LVL 3

Expert Comment

by:bobalob
ID: 33587507
RSOP.msc is a little more intuitive when diagnosing Group Policy issues, and will give better indication of where the problem may lie.

You can right click on either Computer or User configuration within RSOP and go to Properties to see the objects applied (and in what order), plus any error information attached to each policy area.

Please report back any findings.
 
LVL 6

Expert Comment

by:zeotech
ID: 33587537
Are you using a loopback policy?
 
LVL 7

Expert Comment

by:ieden
ID: 33587717
Add a login script that forces policy...

@echo off
rem Force an immediate refresh of user and computer policy at logon
gpupdate /force
:end
 

Author Comment

by:bkpierce
ID: 33587817
Thanks for the quick replies. I have attached some screen shots from the RSOP; it's showing the policy twice?? And then on the error information tab it says success but no data? I have also attached a copy of the settings from the GPO that indeed show sites listed, plus other users are getting the policy fine, so I'm not sure why it's saying no data.

Loopback policy was not enabled but I did enable it and run a gpupdate /force and the sites are still not showing in the trusted or local intranet sites.

Running gpupdate /force in a script won't work. I've tried running it manually from a test user account and it says everything is refreshed OK, but still no sites listed in trusted or local intranet.
RSOP.jpg
GPO.jpg
 

Author Comment

by:bkpierce
ID: 33588058
And looking at the RSOP everything looks OK, all the sites are listed in there. Haven't been able to figure out why they are not showing up in Internet Explorer.
 
LVL 3

Expert Comment

by:bobalob
ID: 33588352
You can tick the "Display scope of management" and "Display revision information" boxes to try and determine why the policy is listed twice.

The success (no data) is normal, but you should definitely see those sites you've blanked in the Trusted Sites list if the policy is being applied correctly.

Might be worth checking permissions on the CURRENT_USER hive within regedit to make sure the user, system and Administrators have sufficient access.
 

Author Comment

by:bkpierce
ID: 33588478
The scope and revision numbers are identical.

I checked the Registry permissions and everything looked OK.
RSOP2.jpg
 
LVL 7

Expert Comment

by:ieden
ID: 33588663
Have you attempted a disjoin and rejoin?
Disjoin the computer, add it to WORKGROUP/WORKGROUP, reboot.
Log on as Local Administrator, run gpupdate /force.
Join the domain, reboot.
Log on with a domain account that has local administrator equivalency, run gpupdate /force.
Log off and have the user log on to verify that the settings have been changed.
 

Author Comment

by:bkpierce
ID: 33588684
Disjoining and rejoining would have to be an absolute last resort. This terminal server is in a production environment and is in use 24/7.
 
LVL 7

Expert Comment

by:ieden
ID: 33588700
Just try a rejoin then. You can refresh the computer account by rejoining the domain (yes, a reboot is required); use Domain Admin creds when rejoining while already a member of a domain.
 
LVL 3

Expert Comment

by:bobalob
ID: 33594664
From OP, I understood it was only particular *user* accounts being affected, not the whole TS instance? Is this correct?
 
LVL 3

Expert Comment

by:bobalob
ID: 33594670
Also just throwing this wildcard in... Is the TS service packed to the latest level? I recall there were problems with site to zone GPOs prior to one of the SPs.
 

Author Comment

by:bkpierce
ID: 33596238
Correct, it's only less than 5 users that are not getting the GPO, not the entire server. The server is running Windows Server 2003 Enterprise with SP2 and all the latest updates.
 
LVL 3

Accepted Solution

by:bobalob (earned 500 total points)
ID: 33597145
Are there any machine policies being applied that you can see via RSOP? In particular anything around IE Security.

In any case, you can try clearing down cached policies in an affected user's TS Profile; it's a bit of a PITA to perform though.

!! Create a backup of the affected user's NTUSER.dat prior to the following steps !!

Mount their NTUSER.DAT in regedit as a local administrator:-
1) Run regedit
2) Highlight HKEY_USERS key
3) File - Load Hive - Browse to user's NTUSER.DAT - mount as TS_User

Clear cached policies:-
1) Delete subkeys within HKEY_USERS\TS_User\Software\Policies\
2) Ensure permissions on HKEY_USERS\TS_User\Software\Policies are User:R, Administrators:F, System:F
3) Delete subkeys within HKEY_USERS\TS_User\Software\Microsoft\Windows\CurrentVersion\Policies\
4) Ensure permissions on above key are User:R, Administrators:F, System:F
5) Delete subkeys within HKEY_USERS\TS_User\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\
6) Delete subkeys within HKEY_USERS\TS_User\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\

Unmount their NTUSER.DAT (this is a very important step!)
1) Highlight HKEY_USERS\TS_User
2) File - Unload Hive [ok]

Delete ntuser.pol file (this will likely be a hidden system file).

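A scripted form of the hive-edit procedure above, added here as an example and not part of the thread. It assumes PowerShell 2.0 or later on the TS, an elevated session, that the affected user is logged off, and that the profile folder and account name (the sample values in the comments are made up) are passed as parameters.

```powershell
# Added example, not from the thread: scripted version of the cached-policy reset.
# Assumes PowerShell 2.0+, an elevated session, and that the user is logged off
# (an NTUSER.DAT that is already in use cannot be loaded a second time).
function Reset-CachedUserPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$ProfilePath,  # e.g. 'D:\TSProfiles\jdoe' (sample)
        [Parameter(Mandatory=$true)][string]$UserAccount   # e.g. 'CONTOSO\jdoe' (sample)
    )
    $hive  = Join-Path $ProfilePath 'NTUSER.DAT'
    $mount = 'TS_User'                       # same temporary hive name the post uses
    $base  = "Registry::HKEY_USERS\$mount"
    $policyKeys = @(                         # steps 1, 3, 5, 6: keys whose subkeys are cleared
        'Software\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Policies',
        'Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
        'Software\Microsoft\Windows\CurrentVersion\Group Policy\History')

    # Back up NTUSER.DAT first, as the post insists.
    Copy-Item $hive "$hive.bak-$(Get-Date -Format yyyyMMddHHmmss)" -ErrorAction Stop

    # Mount the offline hive under HKEY_USERS\TS_User (what regedit's Load Hive does).
    reg.exe load "HKU\$mount" "$hive" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive; is the user still logged on?" }
    try {
        foreach ($rel in $policyKeys) {
            $key = "$base\$rel"
            if (Test-Path $key) { Get-ChildItem $key | Remove-Item -Recurse -Force }
        }
        # Steps 2 and 4: explicit ACL (inheritance off) of User:R, Administrators:F, SYSTEM:F,
        # so the user cannot rewrite cached policy under these keys later.
        foreach ($rel in $policyKeys[0..1]) {
            $key = "$base\$rel"
            if (-not (Test-Path $key)) { continue }
            $sec = New-Object System.Security.AccessControl.RegistrySecurity
            $sec.SetAccessRuleProtection($true, $false)
            foreach ($e in @(@($UserAccount,'ReadKey'), @('BUILTIN\Administrators','FullControl'),
                             @('NT AUTHORITY\SYSTEM','FullControl'))) {
                $sec.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
                    $e[0], $e[1], 'ContainerInherit', 'None', 'Allow')))
            }
            Set-Acl -Path $key -AclObject $sec
        }
    }
    finally {
        # The post's "very important step": always unload, even if a step above failed.
        [gc]::Collect()                            # release lingering handles that block unload
        reg.exe unload "HKU\$mount" | Out-Null
    }
    # Final step: remove the cached registry policy file (a hidden system file).
    Remove-Item (Join-Path $ProfilePath 'ntuser.pol') -Force -ErrorAction SilentlyContinue
}
```

Call it as `Reset-CachedUserPolicy -ProfilePath <profile folder> -UserAccount <DOMAIN\user>` for each affected profile, then have the user log on and run gpupdate /force as the post describes.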
 

Author Comment

by:bkpierce
ID: 33597773
Nothing on the local machine policy. I even tried creating the domain GPO policy on the local policy to see if it would take and it did not.

I have been using a test user account, and one thing I tried last night was deleting their profile on the TS box completely, I thought possibly maybe something had become corrupted with their profile.  

I will give the registry modification a shot and see if it helps.
 

Author Comment

by:bkpierce
ID: 33631678
I ended up talking to Microsoft on this and it turns out the policy was applying fine, but Internet Explorer Enhanced Security was preventing it from being applied. Running a simple script for the affected users from the website below fixed the problem. After running the script I did a gpupdate /force and all the sites showed up in the trusted sites list.

http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx