Solved

GPO settings from SBS2008 not all applied to 2008 R2 RDP server

Posted on 2011-09-22
Last Modified: 2012-05-12
Hi,

I have an SBS2008 (Windows 2008 R1) which is AD.
I have a separate RDP server running 2008 R2.

I have joined the RDP server to the domain, made a separate OU and applied some GPOs to it.
First GPO does loopback processing.
Second GPO makes sure they have a separate TS profile (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Set path for TS Roaming Profiles).
Third locks the desktop down.

I think first and third are being applied, but when I log on with a user from AD which has a normal roaming profile set, then that profile is applied instead of making a separate TS profile.

Could it be that the GPOs for 2008 R2 have changed?
0
Question by:PlusIT
17 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579395
To check if it's not applying, please run RSoP.msc on that server to check Resultant Set of Policies, or gpresult /z from the command line (I hope that this also works on SBS :) )

Regards,
Krzysztof
0
 
LVL 10

Author Comment

by:PlusIT
ID: 36579463
OK, I see that my first is not applied, the one that has the loopback processing. I put the filter on verified users, guess that's wrong?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579504
OK, you have used GPO filtering for Authenticated Users, right? But which mode for loopback processing did you use, Replace or Merge?

Authenticated Users are set up by default in a GPO, so it's OK. If you change that or modify it to Disallow, that causes a problem.

Krzysztof
0
 
LVL 10

Author Comment

by:PlusIT
ID: 36579539
It's set to Replace, so no idea why it's not applying.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579549
Maybe some settings are identical and were replaced. What if you change mode from Replace to Merge?

Krzysztof
0
 
LVL 10

Author Comment

by:PlusIT
ID: 36579562
That won't do anything, as I see in the gpresult command that the GPO is not applied at all. It's not in the list.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579569
OK, so please check GPO filtering and please tell me what is there. And ensure that the GPO is also linked to the OU where the users are located.

Krzysztof
0
 
LVL 10

Author Comment

by:PlusIT
ID: 36579577
As far as I understand, the loopback processing should be enabled on the OU where the TS server is in.
As stated in one of my previous messages:

OK, I see that my first is not applied, the one that has the loopback processing. I put the filter on verified users, guess that's wrong?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579614
Yes, but you want to apply computer settings to user. Please check that MS article:
http://support.microsoft.com/kb/231287

I don't know what you mean by saying "verified users"? Maybe you want to say Authenticated Users? If so, don't worry, authenticated users and computer accounts belong to this group.

Krzysztof
0
 
LVL 10

Author Comment

by:PlusIT
ID: 36579617
I have to go now, I'll have a look into that and get back to you. Thx for the feedback already.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579620
You're welcome :)
I'm waiting for other news

Krzysztof
0
 
LVL 10

Author Comment

by:PlusIT
ID: 36579626
Quick question: could it be that when I only set the TS profile and not the local (roaming) profile, which has been set under the user properties in AD, this behaviour occurs?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579658
Might be

Krzysztof
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36592123
Go to the OU where you are applying the GPO & see on the right side the list of GPOs.
Now, using the arrow keys move the Loopback GPO to Position 1.

After this, enable this GPO on the same OU:
Computer Configuration | Policies | Administrative Templates | System | Logon | Always wait for the network at computer startup and logon policy

Once you have this placed make it no. 1 as described earlier & put the loopback GPO as no. 2.

Now, to be on the safer side RESTART the computer & then see the effect.

Please post the result afterwards.

A
0
 
LVL 11

Expert Comment

by:Ackles
ID: 36592135
Please see below the MS way of setting up the Roaming Profile. I see that you have the policy set up in Computer Configuration, however the page suggests Local Policy:

"Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Terminal Services"

See point 2


http://technet.microsoft.com/en-us/library/cc783578(WS.10).aspx

A
0
 
LVL 10

Accepted Solution

by:
PlusIT earned 0 total points
ID: 36813867
Hi, it seems the GPO was conflicting with settings from the user in AD.

This is what you have to do to make sure that roaming profile is not applied to a specific server:

Disabling Roaming User Profiles on Certain Computers
You can prevent computers from receiving roaming profiles by enabling the Only allow local user profiles policy setting, which blocks roaming profiles from being used on a computer. By default, when roaming profile users log on to a computer, the user’s roaming profile is copied to the local computer. If the user has previously logged on to this computer, the roaming profile is merged with the local profile. Similarly, when the user logs off from this computer, the local copy of the profile, including any changes the user made, is merged with the server copy of the profile.

If you enable the Only allow local user profiles policy setting, the following occurs on the affected computer: When the user first logs on, the user receives a new local profile instead of the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile.

If you enable both the Prevent Roaming Profile changes from propagating to the server setting and the Only allow local user profiles setting, roaming profiles are disabled for that computer. These policy settings are in the Computer Configuration\Administrative Templates\System\User Profiles node.
0
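One way to confirm on the RDP server that the settings discussed in this thread actually landed, as an added example that is not part of any post above. The registry value names (UserPolicyMode, WFProfilePath, LocalProfile, ReadOnlyProfile, SyncForegroundPolicy) are assumptions about where these Administrative Template settings are stored; confirm them against the ADMX files on your system.

```powershell
# Added example (not from the thread): read the effective computer-side policy
# values for the settings discussed above. Run elevated on the 2008 R2 RDP server.
# Registry locations are assumptions; verify them against your ADMX definitions.
$sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$onOff = @{ 0 = 'Disabled'; 1 = 'Enabled' }

$checks = @(
    @{ Setting = 'Loopback processing mode'; Key = $sys; Value = 'UserPolicyMode'
       Meaning = @{ 1 = 'Merge'; 2 = 'Replace' } },
    @{ Setting = 'Set path for TS Roaming Profiles'; Value = 'WFProfilePath'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Meaning = $null },
    @{ Setting = 'Only allow local user profiles'; Key = $sys
       Value = 'LocalProfile'; Meaning = $onOff },
    @{ Setting = 'Prevent Roaming Profile changes from propagating to the server'
       Key = $sys; Value = 'ReadOnlyProfile'; Meaning = $onOff },
    @{ Setting = 'Always wait for the network at computer startup and logon'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'SyncForegroundPolicy'; Meaning = $onOff }
)

function Get-ProfilePolicyState {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means no GPO has written this setting here
        $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'Not configured'
        } else {
            $raw = $item.($c.Value)
            if ($c.Meaning -and $c.Meaning.ContainsKey([int]$raw)) {
                $state = $c.Meaning[[int]$raw]   # DWORD mapped to its label
            } else {
                $state = [string]$raw            # string values such as a profile path
            }
        }
        New-Object PSObject -Property @{ Setting = $c.Setting; State = $state }
    }
}

$result = @(Get-ProfilePolicyState -Checks $checks | Select-Object Setting, State)
$result | Format-Table -AutoSize -Wrap

# The conflict from the accepted solution: without this setting, the roaming
# profile path on the AD user object is still used on this server.
if (-not ($result | Where-Object { $_.Setting -like 'Only allow*' -and $_.State -eq 'Enabled' })) {
    Write-Warning 'Only allow local user profiles is not enabled on this computer.'
}
```

A setting reported as "Not configured" here matches the symptom in the thread where the GPO was missing from the gpresult list: check the GPO link, its order on the OU, and its security filtering before changing the setting itself.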
 
LVL 10

Author Closing Comment

by:PlusIT
ID: 36908393
This was the fix.
0

Question has a verified solution.