[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1992
  • Last Modified:

GPO problems with RDS and server 2012 R2

I have a problem with GPO not applying things the way I think they should be.  The problem I'm having is that when a non-administrator logs into the rd server they get their regular desktop.  If they click on the windows logo they go to the tiled page which includes things like administrative tools, control panel and other things that they shouldn't have access to.

I've gone through the local security policy and turned off everything, that shouldn't be there.  There is also a GPO specifically for remote users.

I've run the GP Modeling wizard and two things have got me wondering.
1.  Get this error AD/Sysvol  version mismatch.  This is supposed to be fixed by a rollup issued Jan 2014, which I have already installed.  I downloaded a hot fix, but that was supposed to have been included in the rollup, so I haven't installed it.

2. It says policy definitions (ADMX files) retrieved from local computer.  I'm wondering if I don't have all of the proper ADMX files.  For one thing the group policy talks about a deny access to control panel setting, which I can't find anywhere.

Should I download the full set of ADMX files from Microsoft?  I recall seeing that somewhere during my research.  Not sure what the next step should be at this point.
0
geekdad1
Asked:
geekdad1
  • 3
  • 2
1 Solution
 
geekdad1Author Commented:
I found and turned off the access to control panel.  However remote desktop still persists in displaying the tiles for control panel and administrative tools on the users desktop.  Not sure where to go next with this.  Need help.
0
 
Brad BouchardInformation Systems Security OfficerCommented:
Per this link:  http://social.technet.microsoft.com/Forums/en-US/a9203d90-8d22-43ac-963d-52412ac08414/new-server-2012-r2-getting-ad-sysvol-mismatch?forum=winserverGP

Try this,

To resolve this issue in Windows 8.1 and Windows Server 2012 R2, install update rollup 2919394. For more information about how to obtain this update rollup package, click the following article number to go to the article in the Microsoft Knowledge Base:  
2919394
      (http://support.microsoft.com/kb/2919394/            )    
Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update rollup: February 2014

http://www.microsoft.com/en-us/download/details.aspx?id=41814 Update for Windows Server 2012 R2 (KB2919394)


How to obtain the update



Windows Update


This update is provided as an Optional update from Windows Update. To obtain this update from Windows Update, follow these steps: 1.Swipe in from the right edge of the screen, and then tap Search. Or, if you are using a mouse, point to the lower-right corner of the screen, and then click Search.
2.In the search box, type Windows Update, and then tap or click  Windows Update.
3.Check online for updates, and then select the update for KB2919394 in optional updates.

Microsoft Download Center


You can also obtain the stand-alone update package through the Microsoft Download Center. For more information, go to the Microsoft Download Center
      (http://download.microsoft.com/)    
, and then search for KB2919394.


http://www.microsoft.com/en-us/download/details.aspx?id=41814




Version:
 
Date Published:
 

2919394
 
2/10/2014
 

File name:
 
File size:
 

Windows8.1-KB2919394-x64.msu
 
47.0 MB
 
0
 
geekdad1Author Commented:
Ran the update and it says.  Update for Windows (KB2919394) is already installed on this computer.  So it's not fixed by that update.

However I'm making some progress on this front.  So far a combination of Group Policy and security changes to the \programdata\microsoft\windows\start menu folder have removed a lot of the items that I wanted the users not to have access to.

Out of curiosity I logged in with a test account that I hadn't used since before I did all these GP updates and before I had setup User profile disks.  That account seems to be behaving properly.  Control panel is completely disabled which is what I was looking for.  thanks for your help.
0
 
geekdad1Author Commented:
Not the solution in my case, but it was well thought out and useful.
0
 
Brad BouchardInformation Systems Security OfficerCommented:
Glad I could at least help you a little.
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now