burkem3434 asked:
GPO Lock Down Terminal Server 2003 (AD is on 2008)
Hi,
We have a 2003 TS with a 2008 server running our AD. I created an OU and moved the 2003 server into the OU. I created a policy for that OU and chose Group Policy loopback with replace mode. It does not seem to be working on the terminal server in that OU. Ran GPUpdate and even restricted it, to no result. I have reviewed the policy and it seems I chose all the settings I was looking for. Any ideas or steps I missed? Or does anyone have a link to a step-by-step process on locking down the TS?
thanks.
ASKER
Thank you for the responses; it doesn't look like my "Default TS Policy" is being applied.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 9/3/2013 at 12:51:02 PM
RSOP data for <MY DOMAIN>\administrator on <My Terminal Server> : Logging Mode
--------------------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator.<MY DOMAIN>
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=<My Terminal Server>,OU=Terminal Server,DC=<MY DOMAIN>,DC=com
Last time Group Policy was applied: 9/3/2013 at 12:50:14 PM
Group Policy was applied from: <My Domain controller>.<MY DOMAIN>.com
Group Policy slow link threshold: 500 kbps
Domain Name: <MY DOMAIN>
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Local Group Policy
The following GPOs were not applied because they were filtered out
---------------------------------------------------------------------
Default Domain Policy
Filtering: Not Applied (Unknown Reason)
The computer is a part of the following security groups
--------------------------------------------------------
BUILTIN\Administrators
Everyone
SQLServerMSSQLServerADHelperUser$<My Terminal Server>
SQLServerMSSQLUser$<My Terminal Server>$SPECTOR360
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
<My Terminal Server>$
Domain Computers
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
N/A
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\Description
Value: 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\Description
Value: 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
Value: 1, 0, 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
Value: 0, 0, 4, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
Value: 1, 0, 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description
Value: 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description
Value: 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
Value: 0, 0, 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Local Group Policy
KeyName: SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags
Value: 0, 0, 0, 0
State: Enabled
USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=<MY DOMAIN>,DC=com
Last time Group Policy was applied: 9/3/2013 at 12:45:31 PM
Group Policy was applied from: <My Domain controller>.<MY DOMAIN>.com
Group Policy slow link threshold: 500 kbps
Domain Name: <MY DOMAIN>
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
---------------------------------------------------------------------
Default Domain Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
----------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
MisysAdmin
Informix-Admin
Group Policy Creator Owners
Domain Admins
RemoteScan
Enterprise Admins
Schema Admins
Denied RODC Password Replication Group
Netmon Users
The user has the following security privileges
-----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Force shutdown from a remote system
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Resultant Set Of Policies for User
-----------------------------------
Software Installations
----------------------
N/A
Logon Scripts
-------------
N/A
Logoff Scripts
--------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
N/A
Folder Redirection
------------------
N/A
Internet Explorer Browser User Interface
-----------------------------------------
N/A
Internet Explorer Connection
-----------------------------
N/A
Internet Explorer URLs
----------------------
N/A
Internet Explorer Security
--------------------------
N/A
Internet Explorer Programs
--------------------------
N/A
So it looks like the policy is not being applied.
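A small parser for gpresult logging-mode output of the kind pasted above, added here as an example and not part of the thread: it pulls the applied and filtered GPO lists out of each section and reports whether a named GPO was applied, filtered (with the reason gpresult prints), or never seen by that client at all, which is what the dump shows for "Default TS Policy" in both sections. The sample text is constructed and abridged; the section and header strings are the ones in the dump above.

```python
# Constructed, abridged sample in the shape of the gpresult dump above (placeholder data).
SAMPLE = """
COMPUTER SETTINGS
Applied Group Policy Objects
-------------------------- ---
Local Group Policy
The following GPOs were not applied because they were filtered out
Default Domain Policy
Filtering: Not Applied (Unknown Reason)
USER SETTINGS
Applied Group Policy Objects
N/A
The following GPOs were not applied because they were filtered out
Default Domain Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
"""

def parse_gpresult(text):
    """Map each section to its applied GPO names and its filtered GPOs with reasons."""
    result, section, mode, pending = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if not line.strip("- "): continue   # blank line or dashed rule (spaces too)
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            section, mode, pending = line.split()[0], None, None
            result[section] = {"applied": [], "filtered": {}}
        elif section is None: continue       # preamble before the first section
        elif line == "Applied Group Policy Objects":
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif line.endswith("is a part of the following security groups"):
            mode = None                      # GPO lists for this section are done
        elif mode == "applied" and line != "N/A":
            result[section]["applied"].append(line)
        elif mode == "filtered" and line.startswith("Filtering:") and pending:
            result[section]["filtered"][pending] = line.split(":", 1)[1].strip()
            pending = None
        elif mode == "filtered":
            pending = line                   # GPO name; its "Filtering:" line follows
    return result

def gpo_status(parsed, section, gpo_name):
    """'applied', 'filtered: <reason>', or 'not seen' (client never enumerated it)."""
    info = parsed[section]
    if gpo_name in info["applied"]:
        return "applied"
    return "filtered: " + info["filtered"][gpo_name] if gpo_name in info["filtered"] else "not seen"
```

With loopback processing the user settings are resolved from the GPOs that apply to the computer, so a GPO that comes back "not seen" in the COMPUTER section is the first thing to check.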
Does GPOTool complete without errors? Or are there errors on this policy?
Enabling USERENV logging will help to see why not: http://support.microsoft.com/kb/221833, using a value of 10002 for UserEnvDebugLevel.
Enable the logging, then do a GPUpdate /force and look in the log for errors to indicate why.
ASKER
No errors... but I did get it working.
Originally I had created a new OU and placed the TS in there. Then I linked the GPO and enabled User Group Policy loopback processing mode, made my setting choices and enforced the policy (ran Gpupdate and such). I added the user groups under Security Filtering and it still hadn't worked.
Then today I added the computer to the security filtering and it took effect for all users (administrator included). Should I individually add users and remove the groups under the Security Filtering option in the Scope tab?
ASKER
The tools really helped me confirm the result and refocus me back to the policy settings.
Thank You for your help.
I'm glad that it was useful and helped you to resolve the issue.
Regards,
Alastair.
Secondly, have you tried this: http://www.microsoft.com/en-us/download/details.aspx?id=12117