Solved

Locking down RDS 2012 - GPO Policy Not Applying - Mixed 2003R2/2012R2 environment

Posted on 2014-12-29
Last Modified: 2015-01-19
Have a mixed Server 2003 R2 Standard (DC) - Server 2012R2 Standard (DC) and 2012R2 Standard Member server running RDS. Server 2003 primary role holder.  

Trying to get a policy to take hold on login to the 2012 RDS server, that is not working. Only policy getting applied is the "Default Domain Policy".  All users are logging in successfully, issue is GPO not getting applied.

Have an AD OU set up for "RDS External" users with the respective users in this OU - "RDS Lockdown GPO policy" linked to the "RDS External Users" OU - Security filtering set at "TS1" (comp acct) and "RDS External Users" security group. Link Enabled, not Enforced.

It's a fairly simple network, so there aren't any multiple or nested GPOs being applied.

GPRESULT showing policy being applied from my 2012-R2 DC, but only policy being applied is default domain policy. I've done the gpupdate /force multiple times.

Not sure what add'l info may be needed for an assist on this - but hitting the wall on how to get this issue resolved... -thx
6 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
What is an example setting that you've set? And...When you run a gpresult, are you including a user or just requesting machine results? A verbose output (or the GPMC GUI) will tell you *why* a policy was not applied, such as security filtering, access denied, or (commonly) no settings existed for a section.

Author Comment

by:hwtech
Sorry for delay. Got pulled off on another issue today and just getting back on this issue.

I ultimately want to remove control panel items, Server Manager, PowerShell from the taskbar and other associated items. Not having any luck, so I've removed the policy and started fresh on a new policy, just trying to get the Server Manager link removed from the taskbar on TS login.

I have configured a GPO at Computer Configuration | Policies | Windows Settings | Security Settings | File System and used the following entry:

%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk (1-GP)

Created a GPO (RDS Lock Down) and tied it to an AD OU of RDS External Users - gpupdate and when I log in under a support account (which the support AD acct is part of), the only policy that gets processed is the Default Domain Policy (2-GP)

I'm running a gpresult /r which is shown on the 2-GP attachment.

I've not had much luck with Server 2012 and GPOs lately, but need to get a handle on this one to get this TS locked down - appreciate any assistance -
1---GP.PNG
2---GP.PNG
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
Nothing specific to 2012 here. You created a group policy and added a *computer* setting. Then linked it to an OU with *user* objects. Only user policies are applied to user objects, thus the GPO is simply not processed. Has been that way since Windows 2000.

If you added a user setting, the GPO would at least report as applied instead of only seeing the default domain policy. But to be clear, only the user settings would get applied. The computer settings would be ignored.
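As an added example (not part of this thread, and not a Microsoft tool), a PowerShell check for exactly the mismatch described in the accepted answer: it lists the GPOs linked to an OU, whether each has Computer or User settings configured, and what kinds of objects the OU actually holds. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the OU distinguished names at the bottom are placeholders.

```powershell
# Added example (not from the thread): list every GPO linked to an OU and
# flag a GPO whose only configured node is Computer Configuration linked to
# an OU that contains only user objects (or the reverse, which needs
# loopback processing). Assumes the GroupPolicy and ActiveDirectory RSAT
# modules; the OU DNs at the bottom are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoLinkScope {
    param([Parameter(Mandatory)][string]$OuDn)

    # Direct children of the OU only; nested OUs carry their own links.
    $userCount     = @(Get-ADUser     -SearchBase $OuDn -SearchScope OneLevel -Filter *).Count
    $computerCount = @(Get-ADComputer -SearchBase $OuDn -SearchScope OneLevel -Filter *).Count

    foreach ($link in (Get-GPInheritance -Target $OuDn).GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        # A DSVersion of 0 means that half of the GPO has never been edited.
        $hasComputer = ($gpo.Computer.DSVersion -gt 0) -and $gpo.Computer.Enabled
        $hasUser     = ($gpo.User.DSVersion     -gt 0) -and $gpo.User.Enabled

        $problem = $null
        if (-not $link.Enabled) {
            $problem = 'link disabled'
        } elseif ($hasComputer -and -not $hasUser -and $computerCount -eq 0 -and $userCount -gt 0) {
            $problem = 'computer-only GPO on an OU of users: never processed'
        } elseif ($hasUser -and -not $hasComputer -and $userCount -eq 0 -and $computerCount -gt 0) {
            $problem = 'user-only GPO on an OU of computers: needs loopback processing'
        } elseif (-not ($hasComputer -or $hasUser)) {
            $problem = 'GPO has no settings in either node'
        }

        [pscustomobject]@{
            OU = $OuDn; GPO = $gpo.DisplayName; Enforced = $link.Enforced
            ComputerSettings = $hasComputer; UserSettings = $hasUser
            Users = $userCount; Computers = $computerCount; Problem = $problem
        }
    }
}

# Placeholder DNs standing in for the OUs named in the question.
Test-GpoLinkScope 'OU=RDS External Users,DC=example,DC=local' | Format-Table -AutoSize
Test-GpoLinkScope 'OU=RDS Server,DC=example,DC=local'         | Format-Table -AutoSize
```

Any row with a non-empty Problem column is a link that will never deliver the settings you edited, regardless of security filtering.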

Author Comment

by:hwtech
Thanks on that. Modified the setup but still not grabbing it. Let me state that my experience with GPOs has basically been with mapping drives on login. This is my first run at locking down a term server. I'm also referencing the article at this link, and have taken it as far as affecting the Loopback mode setting and stopped there.

http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/

Just to refresh, I'm still just trying to get the Server Manager to not be pinned to the taskbar on login, which is still showing up. I'm logging in with a non-admin account of *test*, of which the test user is in the *RDS Internal Users* AD security group.

I've created an OU titled *RDS Server* and placed the TS1 computer acct into this OU. Applied the *RDS Lock Down* policy to the *RDS Server* OU - I've set security filtering to *TS1 Comp Acct* - *RDS Internal/External* user groups:

Here's a shot of the settings currently in effect:

3---GP.PNG
And this is the GPRESULT /R output:

4---GP.PNG
This is where I am at the moment -
LVL 56

Expert Comment

by:Cliff Galiher
Since we are talking computer settings, change the scope in gpresults to computer. Or you may find the gp results wizard in the GUI easier to run and understand.

Author Comment

by:hwtech
Appreciate pointing me in the right direction. Found that if running gpresult /r with a limited user acct, you get only the user settings section of the logged-in profile. If you run an elevated cmd gpresult, I'm getting the computer settings section, but of the admin profile credentials I used to elevate the cmd - *not the user acct logged onto the TS*. Found a "gpresult /r /user:xx\xxxx" command format to get around this issue, but keep getting a "no data in RSOP" error message.

But I do see the computer scope and I am seeing the RDS lock down policy being applied. My PS links are still on the taskbar, so guessing that's probably something with the policy rules I've setup.

But while on the subject, is there a way to be logged in with a limited acct, and get the user/comp policy results of that limited account?
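One way to answer the question above, as an added example that is not part of the thread: from an elevated prompt on the RDS host, gpresult's /scope and /user switches pull the computer-scope RSoP and the user-scope RSoP of the limited account that is actually logged on, instead of the elevating admin's own profile. The helper that parses the /r output is hypothetical, and CONTOSO\test stands in for the limited account.

```powershell
# Added example (not part of the thread): from an elevated prompt on the RDS
# host, collect the computer-scope RSoP and the user-scope RSoP of the limited
# account that is actually logged on, rather than the elevating admin's own
# profile, and list which GPOs were applied or filtered in each scope.
# CONTOSO\test is a placeholder for the limited account.

function Get-RsopSummary {
    param(
        [Parameter(Mandatory)][ValidateSet('computer','user')][string]$Scope,
        [string]$User   # DOMAIN\name; only used with -Scope user
    )
    # gpresult /user only has data for accounts that have logged on to this
    # computer at least once; otherwise it reports that there is no RSoP data.
    $gpArgs = @('/scope', $Scope, '/r')
    if ($User) { $gpArgs += @('/user', $User) }
    $lines = & gpresult @gpArgs 2>&1 | ForEach-Object { $_.ToString() }

    $applied = @(); $filtered = @(); $section = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Applied Group Policy Objects')        { $section = 'applied';  continue }
        if ($line -match '^\s*The following GPOs were not applied') { $section = 'filtered'; continue }
        if ($line -match '^\s*-+\s*$')                              { continue }  # header underline
        if ($line -match '^\s*$')                                   { $section = $null; continue }
        if ($section -eq 'filtered' -and $line -match '^\s*Filtering:' -and $filtered.Count) {
            # Attach the reason (Empty, Denied (Security), ...) to the GPO named above it.
            $filtered[-1] += ' [' + $line.Trim() + ']'; continue
        }
        if ($section -eq 'applied')  { $applied  += $line.Trim() }
        if ($section -eq 'filtered') { $filtered += $line.Trim() }
    }
    [pscustomobject]@{ Scope = $Scope; Applied = $applied; Filtered = $filtered }
}

# Run on the RDS host from an elevated prompt while CONTOSO\test is logged on.
$computerRsop = Get-RsopSummary -Scope computer
$userRsop     = Get-RsopSummary -Scope user -User 'CONTOSO\test'
$computerRsop, $userRsop | Format-List

# Optional HTML report covering both scopes for that user, which states why
# each denied GPO was not applied (security filtering, empty, disabled link).
gpresult /user 'CONTOSO\test' /h "$env:TEMP\rsop-test.html" /f
```

The "no RSoP data" message for /user means the named account has not logged on to that computer yet, so run it after the test user has signed in to the TS at least once.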
