GPO Lock Down Terminal Server 2003 (AD is on 2008)

Hi,

We have a 2003 TS with a 2008 running our AD. I created an OU and moved the 2003 server into the OU. I created a Policy for that OU and chose Group Policy Loopback with replace mode. It does not seem to be working on the terminal server in that OU. Ran the GPUpdate and even restricted to no results. I have reviewed the policy and it seems I chose all the settings I was looking for. Any ideas or steps I missed? Or does anyone have a link to a step-by-step process on locking down the TS?

thanks.
burkem3434Asked:

alicainCommented:
I would start off with running GPOTool to confirm that the Group Policy has successfully replicated to all DCs in the environment.

Then run a "GPResult /z scope computer > GPResult.txt" in a command window, and either post the results here or, if that's not possible, look for the GPO in the results - is it applying or being denied for some reason?

If the GPO is being applied, but you are not seeing the effects you hoped for, that may be down to the individual settings, so what is it that is not being applied?

Regards,
Alastair.
0
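As an added example (not from the thread or from any Microsoft tool): a small Python parser for the logging-mode text that GPResult /z prints, which pulls the applied and filtered GPO lists for the COMPUTER and USER scopes so the "is it applying or being denied" check can be run over saved GPResult.txt files from several servers. The sample output, server and GPO names below are constructed, modelled on the format of the output posted later in this thread.

```python
# Constructed sample modelled on the GPResult /z logging-mode output quoted in this thread.
SAMPLE_GPRESULT = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Local Group Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default TS Policy
            Filtering:  Denied (Security)
    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
USER SETTINGS
--------------
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)
"""
LIST_HEADINGS = {"Applied Group Policy Objects": "applied",
                 "The following GPOs were not applied because they were filtered out": "filtered"}

def parse_gpresult(text):
    """Per scope (COMPUTER/USER): applied GPO names and filtered GPO -> reason."""
    lines = [l.strip() for l in text.splitlines()] + [""]
    out, scope, section, gpo = {}, None, None, None
    for line, nxt in zip(lines, lines[1:]):
        if not line or set(line) == {"-"}:
            continue
        if nxt and set(nxt) == {"-"}:  # heading = line followed by dashes; unknown headings end a list
            if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
                scope = line.split()[0]
                out[scope] = {"applied": [], "filtered": {}}
            section = LIST_HEADINGS.get(line)
        elif scope and section == "applied" and line != "N/A":
            out[scope]["applied"].append(line)
        elif scope and section == "filtered" and line.startswith("Filtering:"):
            out[scope]["filtered"][gpo] = line.split(":", 1)[1].strip()
        elif scope and section == "filtered" and line != "N/A":
            gpo = line
            out[scope]["filtered"].setdefault(gpo, "")
    return out

def gpo_status(parsed, name, scope="COMPUTER"):
    """'applied', the filtering reason GPResult gave, or 'not seen' (not linked, not replicated, or name mismatch)."""
    data = parsed.get(scope, {"applied": [], "filtered": {}})
    return "applied" if name in data["applied"] else data["filtered"].get(name, "not seen")
```

A "Denied (Security)" reason for a GPO that is linked to the OU points at the Security Filtering tab of the GPO rather than at its settings.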
Ratnesh MishraCommented:
First thing is always to check RSOP on the target server, if the GP has been implemented or not.
Secondly, have you tried this http://www.microsoft.com/en-us/download/details.aspx?id=12117
0
burkem3434Author Commented:
Thank You for the responses, it doesn't look like my "Default TS Policy" is being applied.
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/3/2013 at 12:51:02 PM



RSOP data for <MY DOMAIN>\administrator on <My Terminal Server> : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   Default-First-Site-Name
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator.<MY DOMAIN>
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=<My Terminal Server>,OU=Terminal Server,DC=<MY DOMAIN>,DC=com
    Last time Group Policy was applied: 9/3/2013 at 12:50:14 PM
    Group Policy was applied from:      <My Domain controller>.<MY DOMAIN>.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        <MY DOMAIN>
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SQLServerMSSQLServerADHelperUser$<My Terminal Server>
        SQLServerMSSQLUser$<My Terminal Server>$SPECTOR360
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        <My Terminal Server>$
        Domain Computers
       
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            N/A

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            N/A

            N/A

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
                Value:       0, 0, 4, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=<MY DOMAIN>,DC=com
    Last time Group Policy was applied: 9/3/2013 at 12:45:31 PM
    Group Policy was applied from:      <My Domain controller>.<MY DOMAIN>.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        <MY DOMAIN>
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        MisysAdmin
        Informix-Admin
        Group Policy Creator Owners
        Domain Admins
        RemoteScan
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
        Netmon Users
       
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Force shutdown from a remote system
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
0

alicainCommented:
So it looks like the policy is not being applied.

Does GPOTool complete without errors?  Or are there errors on this policy?

Enabling USERENV logging will help to see why not: http://support.microsoft.com/kb/221833 using a value of 10002 for UserEnvDebugLevel
Enabling the logging, then do a GPUpdate /force and look in the log for errors to indicate why.
0
burkem3434Author Commented:
No errors... but I did get it working.

Originally I had created a new OU and placed the TS in there. Then I linked the GPO and enabled User Group Policy loopback processing mode. Made my setting choices and enforced the policy (ran Gpupdate and such). I added the User groups under Security Filtering and it still hadn't worked.

Then today I added the computer to the security filtering and it took effect on all users (administrator included). Should I individually add users and remove the groups under the security filtering option in the scope tab?
0
alicainCommented:
Yes, that would explain it... as to what you should filter it by depends on whether you want all users to receive the settings in the policy, as this is a security policy I suspect applying this to say Domain Users.

The user will need to be able to read the policy for when it is reapplied due to the loopback processing that is enabled.

Regards,
Alastair.
0

burkem3434Author Commented:
The tools really helped me confirm the result and refocus me back to the policy settings.

Thank You for your help.
0
alicainCommented:
I'm glad that it was useful and helped you to resolve the issue.

Regards,
Alastair.
0