Asked by ecsginc:
Why isn't my GPO being applied? (Terminal Server, 2003)

I have scoured the EE knowledgebase and although I have found many postings that seem to be on-point that have accurate and helpful information, I am still at a loss for what is going on with my Terminal Server GPOs...    Let me give as much background and info as possible...

I have a single Terminal Server.  It runs in a remote environment in a domain where there are no "local" users besides administrators.  So, I can freely put domain users and groups in special OUs without worrying about the effects of the policies when users log in to different machines in the domain.

I have been trying to lock down the remote desktop.  Here are the steps I have taken:

1) Created a new OU for the terminal server machine.  Added a new GPO with only loopback enabled (have tried both merge and replace but it is currently in merge mode).  Checked the "disable user configuration settings" on the GPO.  Moved the Terminal Server machine into the OU.  Checked the security /ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users.  (have tried with "block inheritance" checked and unchecked)

2) Created 2nd new OU for target users of the lockdown policies.  Added GPO with all of the user configuration settings.   Checked the "disable computer configuration settings".    Moved the target domain users into it.  Checked the security /ACL for the GPO and "apply" is enabled for authenticated users and remote desktop users.  (have tried with "block inheritance" checked and unchecked)

Initially everything worked great.  User remote desktop sessions were restricted, folders were properly redirected and all  policies appeared to work properly.    After a few hours, the policies do not appear to be in effect.  User can log in and, for example, access the Control Panel.  Nothing changed in the AD settings between "working" and "not working".

I have "jimmied" with it in many ways - tried adding a security group to the user OU and then adding users to it, adding named users to the GPO ACL, etc.  Nothing I do now seems to make a difference.

I have a suspicion that somehow a machine-level (or some other) GPO is somehow overriding the user-level GPO or some such.  However, I am clearly not smart or experienced enough to figure it out on my own.  So, any help would be greatly appreciated.
Will Szymkowski replied:

What you can do is logon to the machine with the issues and use rsop.msc from the (run). This will give you a list of all of the policies that are being applied. It will also list the policies that have also failed. Error information tab will give you more details on why the policy failed. You can also refer to the Event Viewer on the local machine to get more information on why the policy failed.

If the policies have not failed and been applied properly (without being overridden) then this is something you are missing in the actual policy editor.

Hope this helps~!
ecsginc:

I went ahead and started almost from scratch again.  I deleted the GPOs for both OUs.  I then re-created them as described above with the computer settings (pretty much just loopback) in one GPO and the user settings in the other. Each linked to the appropriate OU.  Dropped users in to the user OU and everything is working for the moment.  Running rsop shows that all of the expected user policies are being applied.

Now, I will wait to see if "time" makes a difference.  When I went to bed last night everything worked and when I got up this morning it was broken.  If it happens again, I will run RSOP and see what is applied and update with more details.

Some GPOs will fail if there are pending updates requiring a reboot. This is not always the case but it does happen, as I have experienced this many times when applying GPOs to client machines.
ecsginc:

Good tip.  That is the case on this terminal server.  But...

Logged in again a few minutes later and the GPO was not successfully applied.  Same user, etc.  Checked the RSOP results and the policy is partially applied.  Checked the event log and it appears that the folder redirection failed.  It definitely worked before for the prior sessions and the event log shows each successful folder redirection.

It looks like all policies prior to the folder redirection are applied and all others aren't (makes sense).

The error is for the first folder redirection (Application Data) and appears to be specifically "desktop.ini".  The exact error is attached (server names, etc changed..)

Looking up info on that error now.  Any idea why it would succeed several times and then fail - never to succeed again?

"Failed to perform redirection of folder Application Data. The files for the redirected folder could not be moved to the new location. The folder is configured to be redirected to <\\server\share$\Appdata\%USERNAME%\Application Data>.  Files were being moved from <C:\Documents and Settings\user\Application Data> to <\\server\share$\Appdata\user\Application Data>. The following error occurred while copying <C:\Documents and Settings\user\Application Data\desktop.ini> to <\\serv$\Appdata\user\Application Data\desktop.ini>: 
The security descriptor structure is invalid.

Not sure why it has successfully applied in the past. What you can do is move the GPO that is failing high up the priority list from the GPMC.msc console. From here you should be able to do more testing. You also might want to temporarily disable the Folder Redirection policy and do your testing.
ecsginc:

I think the folder redirection failure is the entire issue.  Once the redirection fails the rest of the policy is ignored (apparently).   So, getting down to the bottom of the folder redirection failure is going to solve the problem, I think.   The baffling thing is that the redirection worked (I can see the resultant data in the redirected location and evidence of the successful redirections from prior logins in the event log) for the first few attempts and then failed.   I am researching the error now which seems to be rooted in NTFS permissions for the share where the data is being redirected.  But, like I said, if the permissions are wrong then it should have failed out of the gate, right?  Anyway, I will post an update once I fix the folder redirection.

I really appreciate your assistance so far...
Excellent, glad to hear that. Always here to help!

ecsginc:

Very frustrating.  Nothing I do now (including disabling folder redirection) gets me past the GPO issues.  No new information (success or error) in event log either way.
ecsginc:

After messing with it for several more hours, rebooting the terminal server and domain controller a few times (after applying all updates, as suggested) I had made no progress.   However, using "gpresult /v" and user environment debugging I discovered a couple of things:
First, the group policy from the user OU containing the user GPO wasn't referenced at all.  It was basically applying no GPO (not even the default domain user GPO).  Oddly enough, it was using the login script from the GPO in the user OU.  There were also no new entries in the Event Log.  It was as if the GPO was put in some kind of “jail” after the folder redirection error.
Second, the folders were still referring to the old redirected location even though I had changed the location in GPO to redirect to local.  This second issue seems to be commonplace and doesn't always seem to have an easy solution.   In some cases there appears to be some information left in the user's profile that gets loaded in the registry and refers to the old redirection location even after the GPO has been changed/removed.  Since the number of users that were screwed up is pretty limited I didn’t chase that rabbit too far down the hole since I could delete the users and their profiles and start over, if necessary.
Anyway, I am pretty sure the original problem was a permission issue on the share where the user folders were being directed (as documented here :
I corrected the permissions this morning but because of the above two issues it had no positive effect on my situation.  In fact, nothing I did (seemingly) made the users see the GPO.  I moved them in and out, created brand new domain users and put them in the GPO, etc.  In no case was the GPO ever applied even though the logon script in the GPO was executed.  (The logon script had a single entry to map a network drive).
Here's what I ended up doing AFTER ensuring all of the permissions issues were corrected (using the easily located Microsoft advice and best practices found here and here
1) I moved all users and computers back to the default OUs.
2) I deleted and removed the GPOs
3) I deleted the OUs
4) I tracked down the user's redirected folders on the network share and ensured everything made it back to the original profile location (if necessary - results may vary).
5) I completely removed the network share version of the redirected folders.  In some cases I had to assume ownership of the folders before removing them.
6) I recreated the OUs and GPOs as described in the original question.
7) I put the terminal server back in the computer OU and the target users back in the user OU.

Now everything seems to be functioning properly since the folder redirections are no longer failing.
What did I learn today?  I learned that not following the suggested best practices on NFS and Share permissions for redirected folders can yield catastrophic results with regards to the application of user GPO.  And it can be extremely difficult to correct the problems created as a result of the permissions issues.
I also learned how to utilize the policy tools (rsop and gpresult) to at least verify what's being applied.
I hope that posting this information proves helpful for someone else…

I am going to award Spec01 points for taking the time to advise me and putting me on the right troubleshooting path.
ecsginc:

FYI - I should have waited before claiming success and closing this question.

After a few hours I am right back to square 1.  This time there is lots of info in the Event Viewer reflecting the folder redirection policies from the GPO (Some of the debugging I turned on must have generated these...) The correct GPO is named so I know that on log in the GPO is being referenced.  There are no errors and all of the folder redirection messages say "successful".

Firing up RSOP shows me that virtually nothing out of the policy is present.  (See screenshot)  However, the dummy Internet Proxy settings are definitely taken from the user's GPO so it is being referenced.

I have included the output from "gpresults /v"  which shows that there is no group policy being applied.  The Terminal Server's Loopback Policy is referenced but only as an unapplied GPO (I am guessing this is because the user setting for the loopback GPO were disabled).  There is no reference to the name of the user GPO in the user's OU  (which is "Vox Remote Policy").  When I ran "gpresults" last night in the functioning environment the user's GPO was listed under "Applied Group Policy Objects" and the loopback wasn't referenced at all.

Anyway - back to square 1...  

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/10/2010 at 9:42:02 AM

RSOP data for HOSTING\ruser on ECSG-TS01 : Logging Mode

OS Type:                     Microsoft(R) Windows(R) Server 2003 Standard x64 Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   N/A
Roaming Profile:             \\ecsg-fs01\Vox_User_Data$\Profiles\ruser
Local Profile:               C:\Documents and Settings\ruser
Connected over a slow link?: No

    CN=Reboot User,OU=Vox Remote Users,DC=hosting,DC=ecsginc,DC=com
    Last time Group Policy was applied: 9/10/2010 at 9:33:20 AM
    Group Policy was applied from:
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        HOSTING
    Domain Type:                        Windows 2000
    Applied Group Policy Objects

    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Loopback Policy
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
        Domain Users
        Remote Desktop Users
        NT AUTHORITY\Authenticated Users
        This Organization
        VOX Users
    The user has the following security privileges

    Resultant Set Of Policies for User

        Software Installations

        Logon Scripts

        Logoff Scripts

        Public Key Policies

        Administrative Templates

        Folder Redirection

        Internet Explorer Browser User Interface
            GPO: N/A
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   N/A
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
            HTTP Proxy Server:
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        Yes
            Use same Proxy:      Yes

        Internet Explorer URLs
            GPO: N/A
                Home page URL:           N/A
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: N/A
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       No
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
            GPO: N/A
                Import the current Program Settings: No


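The thread's final diagnostic is reading gpresult output by eye for whether the user GPO shows up under "Applied Group Policy Objects" or only under the filtered-out list. The following Python script, added here and not part of the original thread, parses a gpresult /v logging-mode dump in the layout shown above and reports that distinction. The sample text is constructed from the thread's own dump; "Vox Remote Policy" is the GPO name the thread expects to see.

```python
"""Check a gpresult /v (logging mode) dump for an expected user GPO."""
import re

# Constructed sample in the layout gpresult /v prints (from the thread above):
# the applied list is empty and two GPOs are listed as filtered out.
SAMPLE = """\
    Applied Group Policy Objects

    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Loopback Policy
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
        Domain Users
"""
# Constructed healthy variant: the user GPO appears in the applied list.
HEALTHY = SAMPLE.replace("Applied Group Policy Objects\n",
                         "Applied Group Policy Objects\n        Vox Remote Policy\n")

APPLIED_HDR = "Applied Group Policy Objects"
FILTERED_HDR = "The following GPOs were not applied because they were filtered out"


def parse_gpresult(text):
    """Return (applied_names, {filtered_name: reason}) from gpresult output."""
    applied, filtered = [], {}
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == APPLIED_HDR:
            section = "applied"
            continue
        if line == FILTERED_HDR:
            section = "filtered"
            continue
        if section and raw.startswith("    ") and not raw.startswith("        "):
            section = None          # back at 4-space indent: a new top-level heading
            continue
        if section == "applied":
            applied.append(line)    # GPO names sit at the 8-space indent
        elif section == "filtered":
            m = re.match(r"Filtering:\s+(.*)", line)
            if m and pending:
                filtered[pending] = m.group(1)   # reason follows the GPO name
            else:
                pending = line
    return applied, filtered


def check_expected_gpo(text, expected):
    """Classify the expected GPO as applied, filtered (with reason), or absent."""
    applied, filtered = parse_gpresult(text)
    if expected in applied:
        return "applied"
    if expected in filtered:
        return "filtered: " + filtered[expected]
    return "not referenced"
```

A GPO that is "not referenced" at all, as in the thread, points at linking or security filtering rather than at a setting inside the policy.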