Solved

Why isn't my GPO being applied? (Terminal Server, 2003)

Posted on 2010-09-09
1,145 Views
Last Modified: 2012-05-10
I have scoured the EE knowledgebase and although I have found many postings that seem to be on-point that have accurate and helpful information, I am still at a loss for what is going on with my Terminal Server GPOs...    Let me give as much background and info as possible...

I have a single Terminal Server.  It runs in a remote environment in a domain where there are no "local" users besides administrators.  So, I can freely put domain users and groups in special OUs without worrying about the effects of the policies when users log in to different machines in the domain.

I have been trying to lock down the remote desktop.  Here are the steps I have taken:

1) Created a new OU for the terminal server machine.  Added a new GPO with only loopback enabled (have tried both merge and replace but it is currently in merge mode).  Checked the "disable user configuration settings" on the GPO.  Moved the Terminal Server machine into the OU.  Checked the security /ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users.  (have tried with "block inheritance" checked and unchecked)

2) Created 2nd new OU for target users of the lockdown policies.  Added GPO with all of the user configuration settings.   Checked the "disable computer configuration settings".    Moved the target domain users into it.  Checked the security /ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users.  (have tried with "block inheritance" checked and unchecked)

Initially everything worked great.  User remote desktop sessions were restricted, folders were properly redirected and all  policies appeared to work properly.    After a few hours, the policies do not appear to be in effect.  User can log in and, for example, access the Control Panel.  Nothing changed in the AD settings between "working" and "not working".

I have "jimmied" with it in many ways - tried adding a security group to the user OU and then adding users to it, adding named users to the GPO ACL, etc.  Nothing I do now seems to make a difference.

I have a suspicion that somehow a machine-level (or some other) GPO is somehow overriding the user-level GPO or some such.  However, I am clearly not smart or experienced enough to figure it out on my own.  So, any help would be greatly appreciated.
0
Comment
Question by:ecsginc
11 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33639074
What you can do is logon to the machine with the issues and use rsop.msc from Run. This will give you a list of all of the policies that are being applied. It will also list the policies that have failed. The Error Information tab will give you more details on why the policy failed. You can also refer to the Event Viewer on the local machine to get more information on why the policy failed.

If the policies have not failed and been applied properly (without being overridden) then this is something you are missing in the actual policy editor.

Hope this helps~!
0
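The same two checks the comment above recommends (what rsop.msc says was applied or filtered, and what the Event Viewer says about folder redirection), done from the command line so the result can be pasted into a ticket. This is an added example, not code from the thread. It assumes a domain-joined Windows host with gpresult.exe and PowerShell 2.0 or later (for Get-EventLog); the event source names "Userenv" and "Folder Redirection" are the Application-log sources used by Windows XP/2003 and are an assumption, not something the thread states.

```powershell
# Added example, not part of the original thread.
# Assumes: gpresult.exe on the path, PowerShell 2.0+, and the XP/2003-era
# Application log sources "Userenv" and "Folder Redirection" (assumed names).

function Get-UserGpoSummary {
    # Parse the USER SETTINGS part of "gpresult /v /scope user" into the two
    # lists an administrator wants to compare across logons: GPOs applied and
    # GPOs filtered out (with gpresult's reason on the following line).
    $raw = & gpresult /v /scope user 2>&1 | ForEach-Object { [string]$_ }
    $applied  = @()
    $filtered = @()
    $section  = $null
    foreach ($t in $raw) {
        if ($t -match '^\s*Applied Group Policy Objects')        { $section = 'applied';  continue }
        if ($t -match '^\s*The following GPOs were not applied') { $section = 'filtered'; continue }
        if ($t -match '^\s*The user is a part of the following') { $section = $null;      continue }
        if ($t -match '^\s*-{5,}\s*$' -or $t -match '^\s*$')     { continue }   # rules and blank lines
        if ($section -eq 'applied')      { $applied  += $t.Trim() }
        elseif ($section -eq 'filtered') { $filtered += $t.Trim() }
    }
    New-Object PSObject -Property @{ Applied = $applied; Filtered = $filtered }
}

function Get-GpoFailureEvents {
    param([int]$Newest = 20)
    # "Userenv" carries the GPO-engine warnings and errors on XP/2003;
    # "Folder Redirection" carries the per-folder move result, which is where
    # an error such as the desktop.ini copy failure in this thread is recorded
    # while rsop.msc only says the policy was partially applied.
    foreach ($src in 'Userenv', 'Folder Redirection') {
        Get-EventLog -LogName Application -Source $src -Newest $Newest -ErrorAction SilentlyContinue |
            Where-Object { $src -eq 'Folder Redirection' -or $_.EntryType -ne 'Information' } |
            Select-Object TimeGenerated, Source, EntryType, EventID,
                          @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
    }
}

$summary = Get-UserGpoSummary
'Applied GPOs:';  $summary.Applied  | ForEach-Object { "  $_" }
'Filtered GPOs:'; $summary.Filtered | ForEach-Object { "  $_" }
Get-GpoFailureEvents | Format-Table -AutoSize -Wrap
```

Run it in the user's Terminal Server session right after logon and again a few hours later, and diff the two "Applied GPOs" lists; a GPO that moves from Applied to Filtered, or disappears altogether, is the one to chase. A GPO whose user side has been disabled will always show under Filtered as "Disabled (GPO)", which is expected and not a failure.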
 

Author Comment

by:ecsginc
ID: 33639901
I went ahead and started almost from scratch again.  I deleted the GPOs for both OUs.  I then re-created them as described above with the computer settings (pretty much just loopback) in one GPO and the user settings in the other. Each linked to the appropriate OU.  Dropped users in to the user OU and everything is working for the moment.  Running rsop shows that all of the expected user policies are being applied.

Now, I will wait to see if "time" makes a difference.  When I went to bed last night everything worked and when I got up this morning it was broken.  If it happens again, I will run RSOP and see what is applied and update with more details.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33639973
Some GPOs will fail if there are pending updates requiring a reboot. This is not always the case but it does happen, as I have experienced this many times when applying GPOs to client machines.
0

 

Author Comment

by:ecsginc
ID: 33640120
good tip.  That is the case on this terminal server.  But...

Logged in again a few minutes later and the GPO was not successfully applied.  Same user, etc.  Checked the RSOP results and the policy is partially applied.  Checked the event log and it appears that the folder redirection failed.  It definitely worked before for the prior sessions and the event log shows each successful folder redirection.

It looks like all policies prior to the folder redirection are applied and all others aren't (makes sense)

The error is for the first folder redirection (Application Data) and appears to be specifically "desktop.ini".  The exact error is attached (server names, etc changed..)

Looking up info on that error now.  Any idea why it would succeed several times and then fail - never to succeed again?



"Failed to perform redirection of folder Application Data. The files for the redirected folder could not be moved to the new location. The folder is configured to be redirected to <\\server\share$\Appdata\%USERNAME%\Application Data>.  Files were being moved from <C:\Documents and Settings\user\Application Data> to <\\server\share$\Appdata\user\Application Data>. The following error occurred while copying <C:\Documents and Settings\user\Application Data\desktop.ini> to <\\serv$\Appdata\user\Application Data\desktop.ini>: 
The security descriptor structure is invalid.


0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33640187
Not sure why it has successfully applied in the past. What you can do is move the GPO that is failing high up the priority list from the GPMC.msc console. From here you should be able to do more testing. You also might want to temporarily disable the Folder Redirection policy and do your testing.
0
 

Author Comment

by:ecsginc
ID: 33640270
I think the folder redirection failure is the entire issue.  Once the redirection fails the rest of the policy is ignored (apparently).   So, getting down to the bottom of the folder redirection failure is going to solve the problem, I think.   The baffling thing is that the redirection worked (I can see the resultant data in the redirected location and evidence of the successful redirections from prior logins in the event log) for the first few attempts and then failed.   I am researching the error now which seems to be rooted in NTFS permissions for the share where the data is being redirected.  But, like I said, if the permissions are wrong then it should have failed out-of-the gate, right?  Anyway, I will post an update once I fix the folder redirection.

I really appreciate your assistance so far...
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33640292
Excellent, glad to hear that. Always here to help!
0
 

Author Comment

by:ecsginc
ID: 33640629
Very frustrating.  Nothing I do now (including disabling folder redirection) gets me past the GPO issues.  No new information (success or error) in event log either way.
0
 

Author Comment

by:ecsginc
ID: 33643949
After messing with it for several more hours, rebooting the terminal server and domain controller a few times (after applying all updates, as suggested) I had made no progress.   However, using "gpresult /v" and user environment debugging I discovered a couple of things:

First, the group policy from the user OU containing the user GPO wasn't referenced at all.  It was basically applying no GPO (not even the default domain user GPO).  Oddly enough, it was using the login script from the GPO in the user OU.  There were also no new entries in the Event Log.  It was as if the GPO was put in some kind of "jail" after the folder redirection error.

Second, the folders were still referring to the old redirected location even though I had changed the location in GPO to redirect to local.  This second issue seems to be commonplace and doesn't always seem to have an easy solution.   In some cases there appears to be some information left in the user's profile that gets loaded in the registry and refers to the old redirection location even after the GPO has been changed/removed.  Since the number of users that were screwed up is pretty limited I didn't chase that rabbit too far down the hole since I could delete the users and their profiles and start over, if necessary.

Anyway, I am pretty sure the original problem was a permission issue on the share where the user folders were being directed (as documented here:  http://support.microsoft.com/kb/232692)

I corrected the permissions this morning but because of the above two issues it had no positive effect on my situation.  In fact, nothing I did (seemingly) made the users see the GPO.  I moved them in and out, created brand new domain users and put them in the GPO, etc.  In no case was the GPO ever applied even though the logon script in the GPO was executed.  (The logon script had a single entry to map a network drive).

Here's what I ended up doing AFTER ensuring all of the permissions issues were corrected (using the easily located Microsoft advice and best practices found here http://technet.microsoft.com/en-us/library/cc739647(WS.10).aspx and here http://support.microsoft.com/kb/274443/)

1) I moved all users and computers back to the default OUs.
2) I deleted and removed the GPOs
3) I deleted the OUs
4) I tracked down the user's redirected folders on the network share and ensured everything made it back to the original profile location (if necessary - results may vary).
5) I completely removed the network share version of the redirected folders.  In some cases I had to assume ownership of the folders before removing them.
6) I recreated the OUs and GPOs as described in the original question.
7) I put the terminal server back in the computer OU and the target users back in the user OU.

Now everything seems to be functioning properly since the folder redirections are no longer failing.

What did I learn today?  I learned that not following the suggested best practices on NTFS and Share permissions for redirected folders can yield catastrophic results with regards to the application of user GPO.  And it can be extremely difficult to correct the problems created as a result of the permissions issues.

I also learned how to utilize the policy tools (rsop and gpresult) to at least verify what's being applied.

I hope that posting this information proves helpful for someone else…

I am going to award Spec01 points for taking the time to advise me and putting me on the right troubleshooting path.
0
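The comment above identifies share and NTFS permissions on the redirection root as the root cause and points at the Microsoft folder-redirection guidance. The following is an added example, not code from the thread, that lays down the permission set that guidance prescribes for a redirection root: the share wide open, NTFS locked so that users can only list the root and create their own subfolder, and CREATOR OWNER full control on subfolders so each user ends up owning the folder that Folder Redirection creates for them. Path, share name, domain and group name are placeholders; RA and X on the users' ACE are added for folder traversal and are my addition, not part of the guidance. icacls ships with Vista/2008 and later (on 2003 SP2 it is a separate hotfix); net share /GRANT exists on 2003. Run elevated on the file server.

```powershell
# Added example, not part of the original thread. All names are placeholders.
$root   = 'D:\Redirected'            # NTFS folder that becomes the redirection root
$share  = 'Appdata$'                 # hidden share name, as in the thread's UNC paths
$domain = 'HOSTING'                  # NetBIOS domain name (assumed)
$users  = "$domain\TS Restricted Users"   # group of users whose folders are redirected

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share level: grant Full Control and let NTFS do the real access control.
& net share "$share=$root" /GRANT:Everyone,FULL /REMARK:"Redirected folders"

# NTFS level: drop inherited ACEs from the volume root so nothing unexpected
# (for example Users: Modify from a default data volume) leaks in.
& icacls $root /inheritance:r

# SYSTEM and Domain Admins: Full Control on this folder, subfolders and files.
& icacls $root /grant 'SYSTEM:(OI)(CI)F'
& icacls $root /grant "$domain\Domain Admins:(OI)(CI)F"

# CREATOR OWNER: Full Control on subfolders and files only (IO = inherit only).
# Folder Redirection creates %USERNAME% as the user, so the user becomes owner
# of their own folder with full rights, and nobody else gets an ACE on it.
& icacls $root /grant 'CREATOR OWNER:(OI)(CI)(IO)F'

# The redirected users: list the root and create a subfolder, THIS FOLDER ONLY
# (no OI/CI), so they cannot browse into other users' folders.
& icacls $root /grant "${users}:(RD,AD,RA,X)"

# Show the resulting ACL so it can be compared against the guidance.
& icacls $root
```

After the first successful logon, `icacls D:\Redirected\<username>` should show that user as owner with an inherited Full Control ACE from CREATOR OWNER and no ACE for the group; if the user folder was pre-created by an administrator, or the root still carries inherited ACEs, the move of desktop.ini can fail even though the very first logons worked against an empty root.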
 

Author Comment

by:ecsginc
ID: 33646382
FYI - I should have waited before claiming success and closing this question.

After a few hours I am right back to square 1.  This time there is lots of info in the Event Viewer reflecting the folder redirection policies from the GPO (Some of the debugging I turned on must have generated these...) The correct GPO is named so I know that on log in the GPO is being referenced.  There are no errors and all of the folder redirection messages say "successful".

Firing up RSOP shows me that virtually nothing out of the policy is present.  (See screenshot)  However, the dummy Internet Proxy settings are definitely taken from the user's GPO so it is being referenced.

I have included the output from "gpresult /v"  which shows that there is no group policy being applied.  The Terminal Server's Loopback Policy is referenced but only as an unapplied GPO (I am guessing this is because the user settings for the loopback GPO were disabled).  There is no reference to the name of the user GPO in the user's OU  (which is "Vox Remote Policy").  When I ran "gpresult" last night in the functioning environment the user's GPO was listed under "Applied Group Policy Objects" and the loopback wasn't referenced at all.

Anyway - back to square 1...  


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/10/2010 at 9:42:02 AM



RSOP data for HOSTING\ruser on ECSG-TS01 : Logging Mode
--------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003 Standard x64 Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\ecsg-fs01\Vox_User_Data$\Profiles\ruser
Local Profile:               C:\Documents and Settings\ruser
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Reboot User,OU=Vox Remote Users,DC=hosting,DC=ecsginc,DC=com
    Last time Group Policy was applied: 9/10/2010 at 9:33:20 AM
    Group Policy was applied from:      ECSG-FS01.hosting.ecsginc.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        HOSTING
    Domain Type:                        Windows 2000
    
    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Loopback Policy
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        VOX Users
        
    The user has the following security privileges
    ----------------------------------------------


    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: N/A
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   N/A
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   192.168.0.100:80
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes

        Internet Explorer URLs
        ----------------------
            GPO: N/A
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: N/A
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: N/A
                Import the current Program Settings: No


RSOP.JPG
0
 

Accepted Solution

by:
ecsginc earned 0 total points
ID: 33652449
OK.  I *think* I have finally discovered the GPO problem and implemented a solution.  We'll see.  I think the GPO refresh interval may be what explains the "works now and not two hours from now" phenomenon that I have been experiencing.

It turns out that the issue is the Loopback setting in the server's OU.  I suppose I didn't really understand this the first 900 times I read the Microsoft information regarding applying GPOs to Terminal Servers (http://support.microsoft.com/kb/260370, http://support.microsoft.com/kb/231287/).  The language under "Method 2" in that article seems ambiguous.  It first says that when Loopback Processing is enabled that ONLY  the user configuration from GPOs contained in the computer's OU will be applied.  It then goes on to say that any GPOs contained in the user's OU will also be applied.  I was relying on that second sentence to be true (as long as "merge" was selected) which is why I set up a separate OU with the user settings.  I found an old thread on a different forum related to this issue whereby one of the users reiterated that only the user settings from the GPOs in the server's OU will be applied - period.  So, it was beginning to look like setting up the separate OU for the user's GPO settings was not going to work.

So, I gave it a try by doing the following:

1) I moved my users back to the default built-in "users" OU.
2) I removed the user OU I created (I did not remove the GPO with user settings)
3) I linked the GPO with user settings to the server's OU.

And, presto!  Everything was applied and functioned properly.  The RSOP and gpresults stuff finally looked sane, too.

For completeness in case someone else lands on this question looking for answers - here is the complete sequence of set-up steps I used to get GPO's properly applied to users when logged on to my Terminal Server:

1) Create a new OU (for the Terminal Server)
2) Add a GPO to the new OU (block inheritance, disable user settings) and enable only loopback processing.  Choose "Merge" mode so that user settings can be applied.
3) Add a 2nd GPO to the new OU (block inheritance, disable computer settings) and enable all of the user policies you desire.

If you want these policies to apply to all users that log on to the terminal server then skip to step 9 since the policy is applied to all authenticated users by default.

4) Edit the ACL for the user GPO (properties->security tab) and uncheck the "Allow" for "Apply Group Policy" for the "Authenticated Users" group.
5) Create a new security group (for the restricted TS users)
6) Edit the ACL for the user GPO and add the new Security Group.  Make sure the Apply GPO is allowed for the group.
7) Add your target users to the new Security Group
8) Repeat 5-7 for each distinct set of policies you want to create.

9) Move the server(s) into the new OU that contains the policies.

Also remember that if you want any administrator groups or other super users to be excluded you may also need to check "deny" for those groups in each GPO's ACL list for the new OU.
0
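The nine steps above, scripted. This is an added example, not the poster's own procedure or code; it uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT / Windows Server 2008 R2 or later), which did not exist on 2003 where the same steps are done in GPMC. OU, GPO, group, computer and user names are placeholders. The loopback setting is written directly as the registry value behind "User Group Policy loopback processing mode" (UserPolicyMode = 1 for Merge, 2 for Replace), and the sample user lockdown is "Prohibit access to Control Panel", the setting the poster used as his test.

```powershell
# Added example, not part of the original thread. All names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Terminal Servers'
$ouDn     = "OU=$ouName,$domainDn"
$tsName   = 'TS01'                  # terminal server computer name (assumed)
$group    = 'TS Restricted Users'   # security group for the locked-down users
$member   = 'jdoe'                  # a user to put in that group (assumed)

# Step 1: OU for the terminal server, inheritance blocked as the poster did.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# Step 2: computer-side GPO whose only setting is loopback in Merge mode.
# HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
# Its user side is disabled, so gpresult lists it for the user as
# "Filtering: Disabled (GPO)"; that is expected, not a failure.
$loop = New-GPO -Name 'TS Loopback (Merge)'
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
$loop.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $loop.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

# Step 3: user-side GPO linked to the SAME OU as the computer, computer side
# disabled. One sample lockdown: "Prohibit access to Control Panel".
$user = New-GPO -Name 'TS User Lockdown'
Set-GPRegistryValue -Name $user.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
$user.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $user.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

# Steps 4-7: security filtering. Take Apply away from Authenticated Users but
# KEEP Read: since MS16-072 the computer account must be able to read user
# GPOs under loopback, and removing the whole ACE silently stops the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path "CN=Users,$domainDn"
}
Set-GPPermission -Name $user.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $user.DisplayName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Add-ADGroupMember -Identity $group -Members $member

# Step 9: move the terminal server into the OU. Loopback is a computer-side
# setting, so run "gpupdate /force" on the server (or reboot it) before the
# next test logon; until then user logons still see the old processing mode.
Get-ADComputer -Identity $tsName | Move-ADObject -TargetPath $ouDn
```

Two caveats for the "deny" note above: Set-GPPermission writes Allow ACEs only, so excluding administrators with a Deny on "Apply Group Policy" is still done in GPMC under Delegation > Advanced, and a Deny on a broad group wins over every Allow, so put it on the narrowest group that needs it. In Merge mode the GPOs linked to the user's own OU are still processed; the user settings from the computer's OU are applied afterward and win any conflict, so a test logon should show both in gpresult's "Applied Group Policy Objects" with the computer-OU GPO listed last.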
