Avatar of burkem3434
burkem3434Flag for United States of America asked on

GPO Lock Down Terminal Server 2003 (AD is on 2008)

Hi,

We have a 2003 TS with a 2008 running our AD. I created a OU and moved the 2003 server into the OU. I created a Policy for that OU and choose Group policy Loopback with replace mode. It does not seem to be working on the terminal server in that OU. Ran the GPUpdate and even restricted to no results. I have reviewed the policy and it seems I choose all the settings i was looking for. Any ideas or steps I missed? Or does anyone have a link to a step by step process on locking down the TS?

thanks.
Windows Server 2008Windows Server 2003

Avatar of undefined
Last Comment
alicain

8/22/2022 - Mon
SOLUTION
alicain

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Ratnesh Mishra

First thing is always to check RSOP on the target server ,if the GP has been implemented or not.
2ndly have you tried this http://www.microsoft.com/en-us/download/details.aspx?id=12117
ASKER
burkem3434

Thank You for the responses, it doesn't look like my "Default TS Policy" is being applied.




Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 9/3/2013 at 12:51:02 PM



RSOP data for <MY DOMAIN>\administrator on <My Terminal Server> : Logging Mode
-----------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   Default-First-Site-Name
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator.<MY DOMAIN>
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=<My Terminal Server>,OU=Terminal Server,DC=<MY DOMAIN>,DC=com
    Last time Group Policy was applied: 9/3/2013 at 12:50:14 PM
    Group Policy was applied from:      <My Domain controller>.<MY DOMAIN>.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        <MY DOMAIN>
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Unknown Reason)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SQLServerMSSQLServerADHelperUser$<My Terminal Server>
        SQLServerMSSQLUser$<My Terminal Server>$SPECTOR360
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        <My Terminal Server>$
        Domain Computers
       
    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            N/A

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
            N/A

            N/A

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
                Value:       0, 0, 4, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description
                Value:       0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled

            GPO: Local Group Policy
                KeyName:     SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags
                Value:       0, 0, 0, 0
                State:       Enabled


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=<MY DOMAIN>,DC=com
    Last time Group Policy was applied: 9/3/2013 at 12:45:31 PM
    Group Policy was applied from:      <My Domain controller>.<MY DOMAIN>.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        <MY DOMAIN>
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        MisysAdmin
        Informix-Admin
        Group Policy Creator Owners
        Domain Admins
        RemoteScan
        Enterprise Admins
        Schema Admins
        Denied RODC Password Replication Group
        Netmon Users
       
    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Force shutdown from a remote system
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects

    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A

        Internet Explorer Connection
        ----------------------------
            N/A

        Internet Explorer URLs
        ----------------------
            N/A

        Internet Explorer Security
        --------------------------
            N/A

        Internet Explorer Programs
        --------------------------
            N/A
alicain

So it looks like the policy is not being applied.

Does GPOTool complete without errors?  Or are there errors on this policy?

Enabling USERENV logging will help to see why not : http://support.microsoft.com/kb/221833 using a value of 10002 for UserEnvDebugLevel
Enabling the logging, then do a GPUpdate /force and look in the log for errors to indicate why.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
ASKER
burkem3434

No errors....but I did get it working.

Originally I had created a new OU and placed the TS in there. Then I linked the GPO and enabled User Group Policy loopback processing mode. Made my setting choices and enforced the policy (ran Gpupdate and such). I added the User groups under Security Filtering and it still hadn't worked.

Then today I added the computer to the security filtering and it took effect on all users (administrator included). Should I individually add users and remove the groups under the security filtering option in the scope tab?
ASKER CERTIFIED SOLUTION
alicain

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
burkem3434

The tools really helped me confirm the result and refocus me back to the policy settings.

Thank You for your help.
alicain

I'm glad that it was useful and helped you to resolve the issue.

Regards,
Alastair.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.