Solved

Why isn't my GPO being applied? (Terminal Server, 2003)

Posted on 2010-09-09
1,136 Views
Last Modified: 2012-05-10
I have scoured the EE knowledgebase and although I have found many postings that seem to be on-point that have accurate and helpful information, I am still at a loss for what is going on with my Terminal Server GPOs...    Let me give as much background and info as possible...

I have a single Terminal Server.  It runs in a remote environment in a domain where there are no "local" users besides administrators.  So, I can freely put domain users and groups in special OUs without worrying about the effects of the policies when users log in to different machines in the domain.

I have been trying to lock down the remote desktop.  Here are the steps I have taken:

1) Created a new OU for the terminal server machine.  Added a new GPO with only loopback enabled (have tried both merge and replace but it is currently in merge mode).  Checked the "disable user configuration settings" on the GPO.  Moved the Terminal Server machine into the OU.  Checked the security /ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users.  (have tried with "block inheritance" checked and unchecked)

2) Created a 2nd new OU for target users of the lockdown policies.  Added GPO with all of the user configuration settings.  Checked the "disable computer configuration settings".  Moved the target domain users into it.  Checked the security /ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users.  (have tried with "block inheritance" checked and unchecked)

Initially everything worked great.  User remote desktop sessions were restricted, folders were properly redirected and all  policies appeared to work properly.    After a few hours, the policies do not appear to be in effect.  User can log in and, for example, access the Control Panel.  Nothing changed in the AD settings between "working" and "not working".

I have "jimmied" with it in many ways - tried adding a security group to the user OU and then adding users to it, adding named users to the GPO ACL, etc.  Nothing I do now seems to make a difference.

I have a suspicion that somehow a machine-level (or some other) GPO is somehow overriding the user-level GPO or some such.  However, I am clearly not smart or experienced enough to figure it out on my own.  So, any help would be greatly appreciated.
0
Comment
Question by:ecsginc
11 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
What you can do is logon to the machine with the issues and use rsop.msc from the (run). This will give you a list of all of the policies that are being applied. It will also list the policies that have also failed. Error information tab will give you more details on why the policy failed. You can also refer to the Event Viewer on the local machine to get more information on why the policy failed.

If the policies have not failed and been applied properly (without being overridden) then this is something you are missing in the actual policy editor.

Hope this helps~!
0
 

Author Comment

by:ecsginc
I went ahead and started almost from scratch again.  I deleted the GPOs for both OUs.  I then re-created them as described above with the computer settings (pretty much just loopback) in one GPO and the user settings in the other. Each linked to the appropriate OU.  Dropped users in to the user OU and everything is working for the moment.  Running rsop shows that all of the expected user policies are being applied.

Now, I will wait to see if "time" makes a difference.  When I went to bed last night everything worked and when I got up this morning it was broken.  If it happens again, I will run RSOP and see what is applied and update with more details.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Some GPO's will fail if there are pending updates requiring a reboot. This is not always the case but it does happen, as I have experienced this many times when applying GPO's to client machines.
0
 

Author Comment

by:ecsginc
Good tip.  That is the case on this terminal server.  But...

Logged in again a few minutes later and the GPO was not successfully applied.  Same user, etc.  Checked the RSOP results and the policy is partially applied.  Checked the event log and it appears that the folder redirection failed.  It definitely worked before for the prior sessions and the event log shows each successful folder redirection.

It looks like all policies prior to the folder redirection are applied and all others aren't (makes sense)

The error is for the first folder redirection (Application Data) and appears to be specifically "desktop.ini".  The exact error is attached (server names, etc changed..)

Looking up info on that error now.  Any idea why it would succeed several times and then fail - never to succeed again?



"Failed to perform redirection of folder Application Data. The files for the redirected folder could not be moved to the new location. The folder is configured to be redirected to <\\server\share$\Appdata\%USERNAME%\Application Data>.  Files were being moved from <C:\Documents and Settings\user\Application Data> to <\\server\share$\Appdata\user\Application Data>. The following error occurred while copying <C:\Documents and Settings\user\Application Data\desktop.ini> to <\\serv$\Appdata\user\Application Data\desktop.ini>: 

The security descriptor structure is invalid.


0
 
LVL 53

Expert Comment

by:Will Szymkowski
Not sure why it has successfully applied in the past. What you can do it move the GPO that is failing high up the priority list from the GPMC.msc console. From here you should be able to do more testing. You also might want to temporarily disable the Folder Redirection policy and do your testing.
0

 

Author Comment

by:ecsginc
I think the folder redirection failure is the entire issue.  Once the redirection fails the rest of the policy is ignored (apparently).  So, getting down to the bottom of the folder redirection failure is going to solve the problem, I think.  The baffling thing is that the redirection worked (I can see the resultant data in the redirected location and evidence of the successful redirections from prior logins in the event log) for the first few attempts and then failed.  I am researching the error now which seems to be rooted in NTFS permissions for the share where the data is being redirected.  But, like I said, if the permissions are wrong then it should have failed out-of-the gate, right?  Anyway, I will post an update once I fix the folder redirection.

I really appreciate your assistance so far...
0
 
LVL 53

Expert Comment

by:Will Szymkowski
Excellent, glad to hear that. Always here to help!
0
 

Author Comment

by:ecsginc
Very frustrating.  Nothing I do now (including disabling folder redirection) gets me past the GPO issues.  No new information (success or error) in event log either way.
0
 

Author Comment

by:ecsginc
After messing with it for several more hours, rebooting the terminal server and domain controller a few times (after applying all updates, as suggested) I had made no progress.   However, using "gpresult /v" and user environment debugging I discovered a couple of things:
First, the group policy from the user OU containing the user GPO wasn't referenced at all.  It was basically applying no GPO (not even the default domain user GPO).  Oddly enough, it was using the login script from the GPO in the user OU.  There were also no new entries in the Event Log.  It was as if the GPO was put in some kind of “jail” after the folder redirection error.
Second, the folders were still referring to the old redirected location even though I had changed the location in GPO to redirect to local.  This second issue seems to be commonplace and doesn't always seem to have an easy solution.   In some cases there appears to be some information left in the user's profile that gets loaded in the registry and refers to the old redirection location even after the GPO has been changed/removed.  Since the number of users that were screwed up is pretty limited I didn’t chase that rabbit too far down the hole since I could delete the users and their profiles and start over, if necessary.
Anyway, I am pretty sure the original problem was a permission issue on the share where the user folders were being directed (as documented here: http://support.microsoft.com/kb/232692)
I corrected the permissions this morning but because of the above two issues it had no positive effect on my situation.  In fact, nothing I did (seemingly) made the users see the GPO.  I moved them in and out, created brand new domain users and put them in the GPO, etc.  In no case was the GPO ever applied even though the logon script in the GPO was executed.  (The logon script had a single entry to map a network drive).
Here's what I ended up doing AFTER ensuring all of the permissions issues were corrected (using the easily located Microsoft advice and best practices found here http://technet.microsoft.com/en-us/library/cc739647(WS.10).aspx and here http://support.microsoft.com/kb/274443/)
1) I moved all users and computers back to the default OUs.
2) I deleted and removed the GPOs
3) I deleted the OUs
4) I tracked down the user's redirected folders on the network share and ensured everything made it back to the original profile location (if necessary - results may vary).
5) I completely removed the network share version of the redirected folders.  In some cases I had to assume ownership of the folders before removing them.
6) I recreated the OUs and GPOs as described in the original question.
7) I put the terminal server back in the computer OU and the target users back in the user OU.

Now everything seems to be functioning properly since the folder redirections are no longer failing.
What did I learn today?  I learned that not following the suggested best practices on NTFS and Share permissions for redirected folders can yield catastrophic results with regards to the application of user GPO.  And it can be extremely difficult to correct the problems created as a result of the permissions issues.
I also learned how to utilize the policy tools (rsop and gpresult) to at least verify what's being applied.
I hope that posting this information proves helpful for someone else…

I am going to award Spec01 points for taking the time to advise me and putting me on the right troubleshooting path.
0
 

Author Comment

by:ecsginc
FYI - I should have waited before claiming success and closing this question.

After a few hours I am right back to square 1.  This time there is lots of info in the Event Viewer reflecting the folder redirection policies from the GPO (Some of the debugging I turned on must have generated these...) The correct GPO is named so I know that on log in the GPO is being referenced.  There are no errors and all of the folder redirection messages say "successful".

Firing up RSOP shows me that virtually nothing out of the policy is present.  (See screenshot)  However, the dummy Internet Proxy settings are definitely taken from the user's GPO so it is being referenced.

I have included the output from "gpresult /v"  which shows that there is no group policy being applied.  The Terminal Server's Loopback Policy is referenced but only as an unapplied GPO (I am guessing this is because the user settings for the loopback GPO were disabled).  There is no reference to the name of the user GPO in the user's OU  (which is "Vox Remote Policy").  When I ran "gpresult" last night in the functioning environment the user's GPO was listed under "Applied Group Policy Objects" and the loopback wasn't referenced at all.

Anyway - back to square 1...  



Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0

Copyright (C) Microsoft Corp. 1981-2001



Created On 9/10/2010 at 9:42:02 AM







RSOP data for HOSTING\ruser on ECSG-TS01 : Logging Mode

--------------------------------------------------------



OS Type:                     Microsoft(R) Windows(R) Server 2003 Standard x64 Edition

OS Configuration:            Member Server

OS Version:                  5.2.3790

Terminal Server Mode:        Application Server

Site Name:                   N/A

Roaming Profile:             \\ecsg-fs01\Vox_User_Data$\Profiles\ruser

Local Profile:               C:\Documents and Settings\ruser

Connected over a slow link?: No





USER SETTINGS

--------------

    CN=Reboot User,OU=Vox Remote Users,DC=hosting,DC=ecsginc,DC=com

    Last time Group Policy was applied: 9/10/2010 at 9:33:20 AM

    Group Policy was applied from:      ECSG-FS01.hosting.ecsginc.com

    Group Policy slow link threshold:   500 kbps

    Domain Name:                        HOSTING

    Domain Type:                        Windows 2000

    

    Applied Group Policy Objects

    -----------------------------

        N/A



    The following GPOs were not applied because they were filtered out

    -------------------------------------------------------------------

        Local Group Policy

            Filtering:  Not Applied (Empty)



        Loopback Policy

            Filtering:  Disabled (GPO)



    The user is a part of the following security groups

    ---------------------------------------------------

        Domain Users

        Everyone

        Remote Desktop Users

        BUILTIN\Users

        REMOTE INTERACTIVE LOGON

        NT AUTHORITY\INTERACTIVE

        NT AUTHORITY\Authenticated Users

        This Organization

        LOCAL

        VOX Users

        

    The user has the following security privileges

    ----------------------------------------------





    Resultant Set Of Policies for User

    -----------------------------------



        Software Installations

        ----------------------

            N/A



        Logon Scripts

        -------------

            N/A



        Logoff Scripts

        --------------

            N/A



        Public Key Policies

        -------------------

            N/A



        Administrative Templates

        ------------------------

            N/A



        Folder Redirection

        ------------------

            N/A



        Internet Explorer Browser User Interface

        ----------------------------------------

            GPO: N/A

                Large Animated Bitmap Name:      N/A

                Large Custom Logo Bitmap Name:   N/A

                Title BarText:                   N/A

                UserAgent Text:                  N/A

                Delete existing toolbar buttons: No



        Internet Explorer Connection

        ----------------------------

            HTTP Proxy Server:   192.168.0.100:80

            Secure Proxy Server: N/A

            FTP Proxy Server:    N/A

            Gopher Proxy Server: N/A

            Socks Proxy Server:  N/A

            Auto Config Enable:  No

            Enable Proxy:        Yes

            Use same Proxy:      Yes



        Internet Explorer URLs

        ----------------------

            GPO: N/A

                Home page URL:           N/A

                Search page URL:         N/A

                Online support page URL: N/A



        Internet Explorer Security

        --------------------------

            Always Viewable Sites:     N/A

            Password Override Enabled: False



            GPO: N/A

                Import the current Content Ratings Settings:      No

                Import the current Security Zones Settings:       No

                Import current Authenticode Security Information: No

                Enable trusted publisher lockdown:                No



        Internet Explorer Programs

        --------------------------

            GPO: N/A

                Import the current Program Settings: No


RSOP.JPG
0
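The report above is what the author read by hand: an empty "Applied Group Policy Objects" list and the loopback GPO sitting in the filtered list. As an added example (not part of this thread and not a Microsoft tool), here is a PowerShell function that pulls exactly those two facts out of a saved `gpresult /v` report and flags the "nothing applied" state. The report text embedded below is a constructed excerpt modelled on the output posted above; the GPO name "Vox Remote Policy" is the one the author expected to see, and the function names are my own.

```powershell
# Added example, not from the thread: summarise the USER SETTINGS section of a
# saved "gpresult /v" report, the way the author read it by hand above.
# On a real host:  gpresult /v | Out-File -FilePath .\gpresult.txt
# The text below is a constructed excerpt modelled on the report in the thread.

$SampleReport = @'
RSOP data for HOSTING\ruser on ECSG-TS01 : Logging Mode
--------------------------------------------------------

USER SETTINGS
--------------
    CN=Reboot User,OU=Vox Remote Users,DC=hosting,DC=ecsginc,DC=com

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Loopback Policy
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@

function Get-GpResultUserSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ReportText)

    $inUser   = $false                 # only the USER SETTINGS section matters here
    $section  = $null                  # 'applied', 'filtered' or $null
    $applied  = New-Object System.Collections.Generic.List[string]
    $filtered = [ordered]@{}           # GPO name -> filtering reason
    $pending  = $null                  # GPO name waiting for its "Filtering:" line

    foreach ($raw in ($ReportText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq 'USER SETTINGS')     { $inUser = $true;  continue }
        if ($line -eq 'COMPUTER SETTINGS') { $inUser = $false; continue }
        if (-not $inUser -or $line -eq '' -or $line -match '^-+$') { continue }

        if ($line -eq 'Applied Group Policy Objects')          { $section = 'applied';  continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'filtered'; continue }
        if ($line -like 'The user is a part of*')               { $section = $null;      continue }

        if ($section -eq 'applied') {
            if ($line -ne 'N/A') { $applied.Add($line) }
        }
        elseif ($section -eq 'filtered') {
            if ($line -match '^Filtering:\s+(.+)$') {
                if ($pending) { $filtered[$pending] = $Matches[1]; $pending = $null }
            } else {
                $pending = $line       # a GPO name; its reason follows on the next line
            }
        }
    }

    [pscustomobject]@{
        AppliedGpos  = $applied.ToArray()
        FilteredGpos = $filtered
    }
}

function Test-UserGpoApplied {
    param(
        [Parameter(Mandatory)][string]$ReportText,
        [string]$ExpectedGpo           # the GPO you expect in the applied list
    )
    $summary = Get-GpResultUserSummary -ReportText $ReportText

    foreach ($name in $summary.FilteredGpos.Keys) {
        Write-Host ('filtered: {0,-25} reason: {1}' -f $name, $summary.FilteredGpos[$name])
    }
    if ($summary.AppliedGpos.Count -eq 0) {
        Write-Warning 'No user GPO applied at all; check loopback scope and the Application log for Folder Redirection errors'
    }
    if ($ExpectedGpo) { return ($summary.AppliedGpos -contains $ExpectedGpo) }
    return ($summary.AppliedGpos.Count -gt 0)
}

# For the constructed sample this returns $false: the expected GPO is absent.
Test-UserGpoApplied -ReportText $SampleReport -ExpectedGpo 'Vox Remote Policy'
```

The "Filtering:" reason is the part worth reading first: "Disabled (GPO)" means the user half of that GPO was switched off, which matches the author's guess about the loopback GPO, while a reason such as "Denied (Security)" would point at the ACL work described earlier in the thread.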
 

Accepted Solution

by:ecsginc (earned 0 total points)
OK.  I *think* I have finally discovered the GPO problem and implemented a solution.  We'll see.  I think the GPO refresh interval may be what explains the "works now and not two hours from now" phenomenon that I have been experiencing.

It turns out that the issue is the Loopback setting in the server's OU.  I suppose I didn't really understand this the first 900 times I read the Microsoft information regarding applying GPO's to Terminal Servers (http://support.microsoft.com/kb/260370, http://support.microsoft.com/kb/231287/).  The language under "Method 2" in that article seems ambiguous.  It first says that when Loopback Processing is enabled that ONLY  the user configuration from GPO's contained in the computer's OU will be applied.  It then goes on to say that any GPO's contained in the user's OU will also be applied.  I was relying on that second sentence to be true (as long as "merge" was selected) which is why I set up a separate OU with the user settings.  I found an old thread on a different forum related to this issue whereby one of the users reiterated that only the user settings from the GPO's in the server's OU will be applied - period.  So, it was beginning to look like setting up the separate OU for the user's GPO settings was not going to work.

So, I gave it a try by doing the following:

1) I moved my users back to the default built-in "users" OU.
2) I removed the user OU I created (I did not remove the GPO with user settings)
3) I linked the GPO with user settings to the server's OU.

And, presto!  Everything was applied and functioned properly.  The RSOP and gpresults stuff finally looked sane, too.

For completeness in case someone else lands on this question looking for answers - here is the complete sequence of set-up steps I used to get GPO's properly applied to users when logged on to my Terminal Server:

1) Create a new OU (for the Terminal Server)
2) Add a GPO to the new OU (block inheritance, disable user settings) and enable only loopback processing.  Choose "Merge" mode so that user settings can be applied.
3) Add a 2nd GPO to the new OU (block inheritance, disable computer settings) and enable all of the user policies you desire.

If you want these policies to apply to all users that log on to the terminal server then skip to step 9 since the policy is applied to all authenticated users by default.

4) Edit the ACL for the user GPO (properties->security tab) and uncheck the "Allow" for "Apply Group Policy" for the "Authenticated Users" group.
5) Create a new security group (for the restricted TS users).
6) Edit the ACL for the user GPO and add the new Security Group.  Make sure "Apply Group Policy" is allowed for the group.
7) Add your target users to the new Security Group.
8) Repeat 5-7 for each distinct set of policies you want to create.

9) Move the server(s) into the new OU that contains the policies.

Also remember that if you want any administrator groups or other super users to be excluded you may also need to check "deny" for those groups in each GPO's ACL list for the new OU.
0
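The nine steps above, expressed with the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 / RSAT or later, so not something that would run on the Server 2003 host in this thread). This is an added example, not the author's procedure and not a Microsoft sample; the domain, OU, GPO, group, computer and user names are placeholders. Two details the numbered list glosses over: "block inheritance" is a property of the OU rather than of a GPO, and the "User Group Policy loopback processing mode" setting is stored as the DWORD UserPolicyMode (1 = Merge, 2 = Replace) under HKLM\Software\Policies\Microsoft\Windows\System, which is what the script writes directly.

```powershell
# Added example, not from the thread: the accepted answer's steps 1-9 with the
# GroupPolicy and ActiveDirectory modules (Server 2008 R2 / RSAT or later).
# Every name below is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-TerminalServerPolicySet {
    [CmdletBinding()]
    param(
        [string]$DomainDn     = 'DC=example,DC=com',      # placeholder domain
        [string]$OuName       = 'Terminal Servers',       # placeholder OU
        [string]$ComputerName = 'TS01',                   # placeholder server
        [string]$TargetGroup  = 'TS Restricted Users',    # placeholder group
        [string[]]$Members    = @('jdoe')                 # placeholder users
    )
    $ouDn = "OU=$OuName,$DomainDn"

    # Step 1: an OU for the terminal server(s). Block inheritance is set on
    # the OU, not on a GPO.
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn
    Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

    # Step 2: the loopback GPO, computer side only, in Merge mode.
    # UserPolicyMode 1 = Merge, 2 = Replace.
    $loop = New-GPO -Name 'TS Loopback'
    $loop.GpoStatus = 'UserSettingsDisabled'
    Set-GPRegistryValue -Name $loop.DisplayName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $loop.DisplayName -Target $ouDn | Out-Null

    # Step 3: the user-settings GPO is linked to the SAME OU as the server,
    # which is the point the accepted answer arrived at.
    $user = New-GPO -Name 'TS User Lockdown'
    $user.GpoStatus = 'ComputerSettingsDisabled'
    New-GPLink -Name $user.DisplayName -Target $ouDn | Out-Null
    # (the desired user-side settings would be added here with Set-GPRegistryValue)

    # Steps 4-7: scope the user GPO to a security group instead of
    # Authenticated Users. -Replace drops Apply and leaves Read in place.
    New-ADGroup -Name $TargetGroup -GroupScope Global -Path $ouDn
    Set-GPPermission -Name $user.DisplayName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $user.DisplayName -TargetName $TargetGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    Add-ADGroupMember -Identity $TargetGroup -Members $Members

    # Step 9: move the server in last, so it picks up the finished policy set
    # on its next refresh or reboot.
    Get-ADComputer -Identity $ComputerName | Move-ADObject -TargetPath $ouDn
}

New-TerminalServerPolicySet
```

Authenticated Users keeps Read rather than being removed outright because, since the MS16-072 change to Group Policy processing, the computer account must be able to read user GPOs for them to apply at all. Set-GPPermission cannot write a Deny ACE, so the final note above about excluding administrator groups is still done in GPMC under Delegation > Advanced. After running this, `gpupdate /force` on the server followed by a fresh logon gives an immediate result instead of waiting for the refresh interval the author mentions.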
