I have scoured the EE knowledgebase and although I have found many postings that seem to be on-point that have accurate and helpful information, I am still at a loss for what is going on with my Terminal Server GPOs... Let me give as much background and info as possible...
I have a single Terminal Server. It runs in a remote environment in a domain where there are no "local" users besides administrators. So, I can freely put domain users and groups in special OUs without worrying about the effects of the policies when users log in to different machines in the domain.
I have been trying to lock down the remote desktop. Here are the steps I have taken:
1) Created a new OU for the terminal server machine. Added a new GPO with only loopback enabled (have tried both merge and replace but it is currently in merge mode). Checked the "disable user configuration settings" on the GPO. Moved the Terminal Server machine into the OU. Checked the security/ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users. (have tried with "block inheritance" checked and unchecked)
2) Created 2nd new OU for target users of the lockdown policies. Added GPO with all of the user configuration settings. Checked the "disable computer configuration settings". Moved the target domain users into it. Checked the security/ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users. (have tried with "block inheritance" checked and unchecked)
Initially everything worked great. User remote desktop sessions were restricted, folders were properly redirected and all policies appeared to work properly. After a few hours, the policies do not appear to be in effect. User can log in and, for example, access the Control Panel. Nothing changed in the AD settings between "working" and "not working".
I have "jimmied" with it in many ways - tried adding a security group to the user OU and then adding users to it, adding named users to the GPO ACL, etc. Nothing I do now seems to make a difference.
I have a suspicion that somehow a machine-level (or some other) GPO is somehow overriding the user-level GPO or some such. However, I am clearly not smart or experienced enough to figure it out on my own. So, any help would be greatly appreciated.
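A diagnostic for exactly this situation, added here and not part of the original question: run it in an elevated PowerShell prompt inside the affected user's RDP session on the Terminal Server. It reads the loopback mode the machine currently has in effect from the registry (a missing value means no loopback policy reached the computer at all), then parses the XML that gpresult /x emits to list every user-scope GPO with where it is linked and whether security filtering or a missing Read permission kept it from applying. The Rsop element names are assumed from the standard gpresult XML report.

```powershell
# Added diagnostic, not from the original post. Run inside the user's RDP
# session on the Terminal Server. Assumes built-in gpresult.exe and a
# writable $env:TEMP.

# 1. Loopback mode actually in effect on this machine.
#    UserPolicyMode: missing = loopback not applied, 1 = merge, 2 = replace.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode `
            -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { Write-Host 'Loopback: MERGE' }
    2       { Write-Host 'Loopback: REPLACE' }
    default { Write-Host 'Loopback: NOT in effect (no computer GPO delivered it)' }
}

# 2. Resultant set of policy for this logon, user scope, as XML.
$xmlPath = Join-Path $env:TEMP 'rsop_user.xml'
gpresult /scope:user /x $xmlPath /f | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath

# Element names assumed from the standard Rsop XML schema gpresult emits.
$ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
$ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

function Get-Text($node, $xpath) {
    $n = $node.SelectSingleNode($xpath, $ns)
    if ($n) { $n.InnerText } else { '' }
}

# 3. One row per user-scope GPO: where it is linked and why it did or
#    did not apply. FilterAllowed=false means the GPO ACL (Apply) denied it;
#    AccessDenied=true means the account could not even Read the GPO.
$rsop.SelectNodes('//r:UserResults/r:GPO', $ns) | ForEach-Object {
    $links = $_.SelectNodes('r:Link/r:SOMPath', $ns) |
             ForEach-Object { $_.InnerText }
    [pscustomobject]@{
        GPO           = Get-Text $_ 'r:Name'
        LinkedAt      = ($links -join '; ')
        Enabled       = Get-Text $_ 'r:Enabled'
        FilterAllowed = Get-Text $_ 'r:FilterAllowed'
        AccessDenied  = Get-Text $_ 'r:AccessDenied'
        IsValid       = Get-Text $_ 'r:IsValid'
    }
} | Sort-Object LinkedAt | Format-Table -AutoSize
```

Compare the LinkedAt column against the two OUs described above: with merge-mode loopback working, user GPOs linked at both the user OU and the Terminal Server's OU should appear, and any row with FilterAllowed=false or AccessDenied=true points at the GPO ACL rather than at the OU layout.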