Locking down RDS 2012 - GPO Policy Not Applying - Mixed 2003R2/2012R2 environment

Posted on 2014-12-29
1,025 Views
Last Modified: 2015-01-19
Have a mixed Server 2003 R2 Standard (DC) - Server 2012R2 Standard (DC) and 2012R2 Standard Member server running RDS. Server 2003 primary role holder.  

Trying to get a policy to take hold on login to the 2012 RDS server, that is not working. Only policy getting applied is the "Default Domain Policy".  All users are logging in successfully, issue is GPO not getting applied.

Have an AD OU setup for "RDS External" users with the respective users in this OU - "RDS Lockdown GPO policy" linked to the "RDS External Users" OU - Security filtering set at "TS1" (comp acct) and "RDS External Users" security group. Link Enabled, not Enforced.

It's a fairly simple network, so there aren't any multiple or nested GPOs being applied.

GPRESULT showing policy being applied from my 2012-R2 DC, but only policy being applied is default domain policy. I've done the gpupdate /force multiple times.

Not sure what add'l info may be needed for an assist on this - but hitting the wall on how to get this issue resolved... -thx
Question by: hwtech
6 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40522555
What is an example setting that you've set? And...When you run a gpresult, are you including a user or just requesting machine results? A verbose output (or the GPMC GUI) will tell you *why* a policy was not applied, such as security filtering, access denied, or (commonly) no settings existed for a section.
 

Author Comment

by:hwtech
ID: 40524581
Sorry for delay. Got pulled off on another issue today and just getting back on this issue.

I ultimately want to remove control panel items, Server Manager, PowerShell from the taskbar and other associated items. Not having any luck, so I've removed the policy and started fresh on a new policy, trying just to get the Server Manager link removed off the taskbar on TS login.

I have configured a GPO at Computer Configuration | Policies | Windows Settings | Security Settings | File System and used the following entry:

%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk (1-GP)

Created a GPO (RDS Lock Down) and tied it to an AD OU of RDS External Users - ran gpupdate, and when I log in under a support account (which the support AD acct is part of), the only policy that gets processed is the Default Domain Policy (2-GP)

I'm running a gpresult /r which is shown on the 2-GP attachment.

I've not had much luck with Server 2012 and GPOs lately, but need to get a handle on this one to get this TS locked down - appreciate any assistance -
1---GP.PNG
2---GP.PNG
 
LVL 59

Accepted Solution

by: Cliff Galiher (earned 2000 total points)
ID: 40524611
Nothing specific to 2012 here. You created a group policy and added a *computer* setting. Then linked it to an OU with *user* objects. Only user policies are applied to user objects, thus the GPO is simply not processed. Has been that way since Windows 2000.

If you added a user setting, the GPO would at least report as applied instead of only seeing the default domain policy. But to be clear, only the user settings would get applied. The computer settings would be ignored.
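The mismatch Cliff describes (computer settings in a GPO linked to an OU that holds only user objects) is easy to check before touching gpresult. The following PowerShell is an added example, not code from the thread or from Experts Exchange: it reads which half of a GPO actually has settings, counts the user and computer objects under the OU it is linked to, and reports any combination that can never apply. The GPO name is taken from the thread; the OU distinguished name is a placeholder you must replace.

```powershell
# Added example, not part of the thread. Requires the GroupPolicy and
# ActiveDirectory modules (RSAT) and a domain-joined, domain-authenticated session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoLinkScope {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$OuDn
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # DSVersion increments every time that half of the GPO is edited; 0 means
    # nothing was ever configured there. Enabled mirrors "GPO Status" in GPMC.
    $hasComputerSettings = ($gpo.Computer.DSVersion -gt 0) -and $gpo.Computer.Enabled
    $hasUserSettings     = ($gpo.User.DSVersion     -gt 0) -and $gpo.User.Enabled

    # Object types that live under the OU the GPO is linked to.
    $computers = @(Get-ADComputer -SearchBase $OuDn -SearchScope Subtree -Filter *)
    $users     = @(Get-ADUser     -SearchBase $OuDn -SearchScope Subtree -Filter *)

    # Is the GPO linked to this OU at all, and is the link enabled?
    $link = (Get-GPInheritance -Target $OuDn).GpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $link) {
        $findings.Add("'$GpoName' is not linked to $OuDn.")
    } elseif (-not $link.Enabled) {
        $findings.Add("The link of '$GpoName' to $OuDn is disabled.")
    }
    if ($hasComputerSettings -and $computers.Count -eq 0) {
        $findings.Add("Computer settings are configured, but no computer objects exist under $OuDn; they will never apply from this link.")
    }
    if ($hasUserSettings -and $users.Count -eq 0) {
        $findings.Add("User settings are configured, but no user objects exist under $OuDn; they will never apply from this link.")
    }
    if (-not $hasComputerSettings -and -not $hasUserSettings) {
        $findings.Add("'$GpoName' has no settings in either half; gpresult will not list it as applied.")
    }

    [pscustomobject]@{
        Gpo                 = $GpoName
        Linked              = [bool]$link
        HasComputerSettings = $hasComputerSettings
        HasUserSettings     = $hasUserSettings
        ComputersUnderOu    = $computers.Count
        UsersUnderOu        = $users.Count
        Findings            = $findings
    }
}

# GPO name from the thread; the OU DN is a placeholder, replace it with yours.
Test-GpoLinkScope -GpoName 'RDS Lock Down' -OuDn 'OU=RDS External Users,DC=example,DC=com'
```

For the setup in the question this reports computer settings present, zero computer objects under the OU, and one finding explaining why only the Default Domain Policy shows up. Once the GPO is linked to an OU containing the RDS server's computer account (as the author later does with an "RDS Server" OU), the computer-side finding disappears.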
 

Author Comment

by:hwtech
ID: 40525355
Thanks on that. Modified the setup but still not grabbing it. Let me state that my experience with GPOs has basically been with mapping drives on login. This is my first run at locking down a term server. I'm also referencing the article at this link, and have taken it as far as affecting the Loopback mode setting and stopped there.

http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/ 

Just to refresh, I'm still just trying to get the Server Manager to not be pinned to the taskbar on login, which is still showing up. I'm logging in with a non-admin account of *test*, of which the test user is in the *RDS Internal Users* AD security group.

I've created an OU titled *RDS Server* and placed the TS1 computer acct into this OU. Applied the *RDS Lock Down* policy to the *RDS Server* OU - I've set security filtering to *TS1 Comp Acct* - *RDS Internal/External* user groups:

GP1
Here's a shot of the settings currently in effect:

3---GP.PNG
And this is the GPRESULT /R output:

4---GP.PNG
This is where I am at the moment -
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40526033
Since we are talking computer settings, change the scope in gpresults to computer. Or you may find the gp results wizard in the GUI easier to run and understand.
 

Author Comment

by:hwtech
ID: 40528450
Appreciate pointing me in the right direction. Found that if running gpresult /r with a limited user acct, you get only the user settings section of the logged-in profile. If you run an elevated cmd gpresult, I'm getting the computer settings section, but of the admin profile credentials I used to elevate the cmd - *not the user acct logged onto the TS*. Found a "gpresult /r /user:xx\xxxx" command format to get around this issue, but keep getting a "no data in RSOP" error message.

But I do see the computer scope and I am seeing the RDS lock down policy being applied. My PS links are still on the taskbar, so guessing that's probably something with the policy rules I've setup.

But while on the subject, is there a way to be logged in with a limited acct, and get the user/comp policy results of that limited account?
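To answer the scoping question the author runs into: computer-scope results and another user's results are only readable from an elevated session, and logging-mode RSoP data for a user exists only after that user has logged on to the computer at least once (that absence is what the "no data in RSOP" message means). The following PowerShell is an added example, not code from the thread, that pulls the resultant set of policy for a given user and computer in one call and lists every GPO in both scopes with the reason it was or was not applied. Names are placeholders from the thread (DOMAIN\test, TS1); the XML element names (Name, Enabled, AccessDenied, FilterAllowed, IsValid, Link/SOMPath) are those of the RSoP report written by Get-GPResultantSetOfPolicy and gpresult /x as I know them, so verify them against your own report if a column comes back empty.

```powershell
# Added example, not part of the thread. Run from an elevated session with the
# GroupPolicy module (RSAT) available; the target user must have logged on to
# the target computer before, otherwise no logging-mode RSoP data exists.
Import-Module GroupPolicy

function Get-RsopSummary {
    param(
        [Parameter(Mandatory)][string]$User,      # DOMAIN\user
        [Parameter(Mandatory)][string]$Computer   # host name or FQDN
    )

    $path = Join-Path $env:TEMP ("rsop-{0}.xml" -f ([guid]::NewGuid()))
    try {
        # One call covers both scopes; the XML report is easier to filter than
        # the text output of gpresult /r.
        Get-GPResultantSetOfPolicy -User $User -Computer $Computer -ReportType Xml -Path $path | Out-Null
        [xml]$rsop = Get-Content -Path $path -Raw
    }
    finally {
        Remove-Item -Path $path -ErrorAction SilentlyContinue
    }

    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.Rsop.$scope.GPO) {
            # Work out why a GPO did not apply, in the order GPMC reports it.
            $reason = 'Applied'
            if     ($gpo.Enabled -eq 'false')       { $reason = 'GPO or link disabled' }
            elseif ($gpo.AccessDenied -eq 'true')   { $reason = 'Denied (security filtering)' }
            elseif ($gpo.FilterAllowed -eq 'false') { $reason = 'Denied (WMI filter)' }
            elseif ($gpo.IsValid -eq 'false')       { $reason = 'Invalid / unreadable GPO' }

            [pscustomobject]@{
                Scope  = $scope -replace 'Results$', ''
                Gpo    = $gpo.Name
                Status = $reason
                Link   = ($gpo.Link | Select-Object -First 1).SOMPath
            }
        }
    }
}

# Placeholder names taken from the thread; replace with the real user and server.
Get-RsopSummary -User 'DOMAIN\test' -Computer 'TS1' | Format-Table -AutoSize
```

The output separates the computer half (where "RDS Lock Down" shows up once the TS1 account sits under the linked OU) from the user half (where only the Default Domain Policy appears unless user settings exist or loopback processing is enabled on the computer side). A GPO marked "Denied (security filtering)" for the user scope is the check to make when a user group has been added to the security filtering but the user still sees nothing applied.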