bkpierce asked:
Group Policy not applying on Terminal Server profiles

Some, (not all) of our users are not getting a group policy when logging into one of our terminal servers. The group policy adds certain sites to the local Intranet and trusted sites.

All users settings are greyed out by the Intranet and Trust sites section of Internet Options however some users do not have any of the sites listed like they should.

When running GPRESULT it shows that the policy is applied.

Why would the group policy apply for some users and not others? The GPO is setup for all domain users.
bobalob:

RSOP.msc is a little more intuitive when diagnosing Group Policy issues, and will give better indication of where the problem may lie.

You can right click on either Computer or User configuration within RSOP and go to Properties to see the objects applied (and in what order), plus any error information attached to each policy area.

Please report back any findings.
Are you using a loopback policy?
ieden:

add a login script that forces policy...

@echo off
gpupdate /force
:end
bkpierce (asker):

Thanks for the quick replies. I have attached some screen shots from the RSOP; it's showing the policy twice?? And then on the error information tab it says success but no data? I have also attached a copy of the settings from the GPO that indeed show sites listed, plus other users are getting the policy fine, so I'm not sure why it's saying no data.

Loopback policy was not enabled but I did enable it and run a gpupdate /force and the sites are still not showing in the trusted or local intranet sites.

Running gpupdate /force in a script won't work. I've tried running it manually from a test user account and it says everything is refreshed OK, but still no sites are listed in trusted or local intranet.
RSOP.jpg
GPO.jpg
And looking at the RSOP everything looks OK, all the sites are listed in there. Haven't been able to figure out why they are not showing up in Internet Explorer.
You can tick the "Display scope of management" and "Display revision information" boxes to try and determine why the policy is listed twice.

The success (no data) is normal, but you should definitely see those sites you've blanked in the Trusted Sites list if the policy is being applied correctly.

Might be worth checking permissions on the CURRENT_USER hive within regedit to make sure the user, system and Administrators have sufficient access.
The scope and revision numbers are identical.

I checked the Registry permissions and everything looked OK.
RSOP2.jpg
Have you attempted a disjoin and rejoin?
Disjoin the computer, add it to WORKGROUP, reboot.
Log on as Local Administrator and run gpupdate /force.
Join the domain and reboot.
Log on with a domain account that has local administrator equivalency and run gpupdate /force.
Log off and have the user log on to verify that the settings have changed.
Disjoining and rejoining would have to be an absolute last resort. This terminal server is in a production environment and is in use 24/7.
Just try a rejoin then. You can refresh the computer account by rejoining the domain (yes, a reboot is required); use Domain Admin creds when rejoining while already a member of a domain.
From OP, I understood it was only particular *user* accounts being affected, not the whole TS instance? Is this correct?
Also just throwing this wildcard in... Is the TS service packed to the latest level? I recall there were problems with site to zone GPOs prior to one of the SPs.
Correct, it's only fewer than 5 users that are not getting the GPO, not the entire server. The server is running Windows Server 2003 Enterprise with SP2 and all the latest updates.
ASKER CERTIFIED SOLUTION (bobalob):
Nothing on the local machine policy. I even tried creating the domain GPO policy on the local policy to see if it would take and it did not.

I have been using a test user account, and one thing I tried last night was deleting their profile on the TS box completely; I thought possibly something had become corrupted with their profile.

I will give the registry modification a shot and see if it helps.
I ended up talking to Microsoft on this and it turns out the policy was applying fine, but Internet Explorer Enhanced Security was preventing it from being applied. Running a simple script for the affected users from the website below fixed the problem. After running the script I did a gpupdate /force and all the sites showed up in the trusted sites list.

http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx
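An added diagnostic (not from this thread or from Microsoft's script) that checks the two things the thread ended up comparing: whether the Site to Zone Assignment List has actually been written to the policy registry keys, and whether IE Enhanced Security Configuration is switched on for the user. The registry locations are the standard IE ESC and ZoneMapKey paths; the function names and output wording are my own.

```powershell
# Added example: compare the policy-delivered zone list against the IE ESC state.
# Run in the affected user's session on the terminal server (read-only, no changes made).

# IE ESC is an Active Setup component: IsInstalled = 1 means ESC is on for that group.
$escBase = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escComponents = @{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
# IEHarden under the user's ZoneMap is the per-profile flag Active Setup leaves behind,
# which is why the symptom can differ between users on the same server.
$userZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$zoneNames = @{ '0'='My Computer'; '1'='Local Intranet'; '2'='Trusted Sites'; '3'='Internet'; '4'='Restricted Sites' }
$psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-IeEscState {
    $state = @{}
    foreach ($group in $escComponents.Keys) {
        $v = Get-ItemProperty -Path (Join-Path $escBase $escComponents[$group]) -Name IsInstalled -ErrorAction SilentlyContinue
        $state[$group] = if ($null -eq $v) { 'unknown' } elseif ($v.IsInstalled -eq 1) { 'ON' } else { 'OFF' }
    }
    $h = Get-ItemProperty -Path $userZoneMap -Name IEHarden -ErrorAction SilentlyContinue
    $state['ThisUser'] = if ($null -eq $h) { 'unknown' } elseif ($h.IEHarden -eq 1) { 'ON' } else { 'OFF' }
    $state
}

function Get-PolicyZoneMap {
    # The "Site to Zone Assignment List" GPO setting writes one REG_SZ per site here:
    # value name = site pattern, value data = zone number.
    $sites = @()
    foreach ($hive in 'HKCU','HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $sites += [pscustomobject]@{ Scope = $hive; Site = $p.Name; Zone = $zoneNames["$($p.Value)"] }
        }
    }
    $sites
}

$esc = Get-IeEscState
"IE ESC: Administrators=$($esc.Administrators)  Users=$($esc.Users)  ThisUserProfile=$($esc.ThisUser)"
$map = @(Get-PolicyZoneMap)
if ($map.Count -eq 0) {
    'No Site to Zone Assignment List in the policy keys: the GPO itself has not applied here.'
} else {
    $map | Format-Table -AutoSize
    if ($esc.ThisUser -eq 'ON') { 'Policy sites are present but ESC is on for this profile; IE is using the Esc zone map, so they will not show in Internet Options.' }
}
```

If the table is populated but the last line prints, the GPO is working and the ESC setting for that profile is what needs attention, which matches the outcome the asker reported.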