Doug Poulin asked:

User GPO changes are not being propagated to existing user accounts

We have a server farm running Terminal Services on Windows Server 2012 systems. We use user profile disks.

The problem we have is, when we change a setting in the user section of the GPO, it only gets applied to new user accounts, not existing ones.  I'm sure stuff is being cached, but I don't see how to force a reset of this information.

Blowing away the user profile disk solves the problem, but we can't do that for 400 users, because each one has some customized icons on their desktop, which would have to be re-configured.

I've got loop back processing enabled and the farm computers are linked to the remote desktop users group policy.  Not sure how to move forward with this.
REIT

Could you tell us what your GPO is doing? So you have the policy applying to the RDS Servers rather than users because you have loop back enabled?
Doug Poulin (asker)

Here's a sample.  We had enabled User Configuration / Policies / Administrative templates / Windows Components / File Explorer / Turn on Classic Shell.  We decided that not configuring that option would work better for our users.  So we set the setting back to not configured.  Run gpupdate /force on both farm servers.  Then log on as an existing user.  The desktop still behaves the same.

We ran into the same issue when we decided to change the desktop background.  The new background only existed for accounts created after the change, not any that already existed.

The users belong to an OU especially for remote desktop.  There is a group policy that has specific settings for the user configuration and the computer configuration.  This GPO is linked to both the OU for the users and the OU for the server farm.
Have you saved the entire user profile in the UPD, or only part of the user profile?

Select "Store all user data and settings on user profile disk".

Also, the GPO only needs to be set on the OU containing the RD Session Hosts.
Also enable loopback processing mode in Replace mode on this GPO only.
Setting it to Not Configured does not change the setting back; what it does is ignore the setting. You need to set it to Disabled; later on you can configure it to Not Configured.
Store all user data and settings was already set.  Can you explain something regarding which OU to apply a GPO to?  Each GPO has a computer section and a users section.  If you apply a GPO to a computer object (like a farm server) does it then apply the user section to anyone logging into the computer?  That doesn't seem right.  Same if you apply a GPO to a user account, I would think only the user section of the GPO would apply to that user regardless of which machine they logged into.  Unless I'm wrong the GPO would have to be applied to an OU that has only the farm computers and the OU containing the remote desktop users.

I set the gpo to disabled.  Then ran gpupdate /force on the two farm servers.  Logged in to an existing account and it's still the same as it was.  Any other suggestions?
I confirmed that deleting the user profile disk gets the GPO applied properly.  However that doesn't help me much in this situation.
Whatever, your guess is right: if you apply a user-restrictions GPO to the OU containing the farm servers, it will apply to all users who log on to those servers through RDP, and loopback processing will enforce this behavior.

From the RDS user's RDP session, can you please run gpresult /h C:\usergpo.htm to check what settings are applied to the user, and post it here to troubleshoot further?
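The advice above turns on three things that can be checked directly rather than inferred from a logon: where the GPO is linked, who it is filtered to, and whether loopback processing is configured in it. The following PowerShell is an added example, not code from anyone in this thread; it uses the GroupPolicy module (RSAT or a domain controller) and treats the GPO name "Remote Users v2" from the thread as given, while the OU distinguished names are placeholders for this environment.

```powershell
# Added example (not from the thread): audit a GPO's links, security filtering and
# loopback mode with the GroupPolicy module. Run on a DC or an RSAT host.
Import-Module GroupPolicy

$GpoName   = 'Remote Users v2'                                        # GPO from the thread
$FarmOuDn  = 'OU=Farm Computers,DC=example,DC=local'                  # placeholder DN
$UsersOuDn = 'OU=Restricted Access Accounts,DC=example,DC=local'      # placeholder DN

function Get-GpoLinkSummary {
    param([string]$OuDn)
    # Get-GPInheritance lists every GPO linked directly to the container, in link order.
    Get-GPInheritance -Target $OuDn |
        Select-Object -ExpandProperty GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}

function Get-ApplyTrustees {
    param([string]$Name)
    # Only trustees holding GpoApply actually receive the policy; Read alone is not enough.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } }
}

function Get-LoopbackMode {
    param([string]$Name)
    # Loopback is a Computer Configuration setting stored in the GPO as
    # HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace).
    try {
        $v = Get-GPRegistryValue -Name $Name `
                -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                -ValueName 'UserPolicyMode' -ErrorAction Stop
        switch ([int]$v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
    } catch {
        # The cmdlet throws when the value is not configured in the GPO at all.
        'Not configured'
    }
}

"--- GPOs linked to $FarmOuDn ---";  Get-GpoLinkSummary -OuDn $FarmOuDn  | Format-Table -AutoSize
"--- GPOs linked to $UsersOuDn ---"; Get-GpoLinkSummary -OuDn $UsersOuDn | Format-Table -AutoSize
"--- Trustees with Apply on '$GpoName' ---"; Get-ApplyTrustees -Name $GpoName | Format-Table -AutoSize
"--- Loopback mode in '$GpoName': $(Get-LoopbackMode -Name $GpoName)"
```

One caveat the output makes visible: because loopback is a Computer Configuration setting, the farm servers' computer accounts must themselves hold Read and Apply on the GPO. If the security filter lists only a user group, the computer side of that GPO, including the loopback setting, is no longer applied from it, and the user settings it was supposed to pull in stop applying too.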
Here is the output from the gpresult. It has the right GPOs applied, and it says that the classic shell is disabled. I ran the same thing with the user account that I removed the UPD from to see if I could discern any difference. For all intents and purposes they are the same. I'll post the diff results right after this.
bad.htm
Here are the diff results (using TextPad); I've removed the unnecessary lines. test71 (left) is the working file, test73 (right) is the non-working file.

Compare: (<)C:\Users\Dougp\Documents\good.htm (201861 bytes)
   with: (>)C:\Users\Dougp\Documents\bad.htm (201863 bytes)

5c5
< <title>PAR\test71</title>
---
> <title>PAR\test73</title>
< <div class="he2i"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;">During last <strong>user policy</strong> refresh on 2/2/2015 11:08:50 AM</td></tr><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;"><v:group class="vmlimage" style="width:15px;height:15px;vertical-align:middle" coordsize="100,100" alt="Warning">
---
> <div class="he2i"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;">During last <strong>user policy</strong> refresh on 2/2/2015 11:03:55 AM</td></tr><tr><td  style="width: 5%;">&nbsp;</td><td style="width: 95%;"><table class="info3" style="width: 95%" cellpadding="0" cellspacing="0"><tr><td  style="width: 5%;"><v:group class="vmlimage" style="width:15px;height:15px;vertical-align:middle" coordsize="100,100" alt="Warning">
< <tr><td>worksafebc.com</td><td>2</td><td>Remote Users v2</td></tr>
< <tr><td>health.gov.bc.ca</td><td>2</td><td>Remote Users v2</td></tr>
---
> <tr><td>health.gov.bc.ca</td><td>2</td><td>Remote Users v2</td></tr>
> <tr><td>worksafebc.com</td><td>2</td><td>Remote Users v2</td></tr>
1597,1598c1597,1598
< </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_USERS\.DEFAULT\Control Panel\Colors, Value name: Background)</span><a class="expando" href="#"></a></div>
< <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">Background</span><a class="expando" href="#"></a></div>
---
> </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca, Value name: *)</span><a class="expando" href="#"></a></div>
> <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">*</span><a class="expando" href="#"></a></div>
1608,1614c1608,1614
< <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_USERS</td></tr>
< <tr><td>Key path</td><td>.DEFAULT\Control Panel\Colors</td></tr>
< <tr><td>Value name</td><td>Background</td></tr>
< <tr><td>Value type</td><td>REG_SZ</td></tr>
< <tr><td>Value data</td><td>0 0 0</td></tr>
< </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca, Value name: *)</span><a class="expando" href="#"></a></div>
< <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">*</span><a class="expando" href="#"></a></div>
---
> <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_CURRENT_USER</td></tr>
> <tr><td>Key path</td><td>Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca</td></tr>
> <tr><td>Value name</td><td>*</td></tr>
> <tr><td>Value type</td><td>REG_DWORD</td></tr>
> <tr><td>Value data</td><td>0x2 (2)</td></tr>
> </table></div></div></div></div><div class="he3"><span class="sectionTitle" tabindex="0">Registry item (Key path: HKEY_USERS\.DEFAULT\Control Panel\Colors, Value name: Background)</span><a class="expando" href="#"></a></div>
> <div class="container"><div class="he4i">The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.</div><div class="he4"><span class="sectionTitle" tabindex="0">Background</span><a class="expando" href="#"></a></div>
1624,1628c1624,1628
< <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_CURRENT_USER</td></tr>
< <tr><td>Key path</td><td>Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gov.bc.ca</td></tr>
< <tr><td>Value name</td><td>*</td></tr>
< <tr><td>Value type</td><td>REG_DWORD</td></tr>
< <tr><td>Value data</td><td>0x2 (2)</td></tr>
---
> <b>Properties</b><table class="subtable" cellpadding="0" cellspacing="0"><tr><td>Hive</td><td>HKEY_USERS</td></tr>
> <tr><td>Key path</td><td>.DEFAULT\Control Panel\Colors</td></tr>
> <tr><td>Value name</td><td>Background</td></tr>
> <tr><td>Value type</td><td>REG_SZ</td></tr>
> <tr><td>Value data</td><td>0 0 0</td></tr>
To get the difference:
Delete the existing UPD for userx.
Set the GPO with the specific option and apply it to userx with the new UPD.
Export the gpresult output in htm format.

Then change any settings or add any new settings.
Again log on with userx and export the output in htm format.

This will give you a clear picture, hopefully.
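The before/after procedure above produces two large reports, and the text compare posted earlier shows how much of a raw diff is noise (the refresh timestamp and table rows that merely changed order). The following PowerShell is an added example, not code from anyone in this thread: it compares two gpresult exports saved in XML form (gpresult /x instead of /h), ignoring element order and timestamp elements, and prints only the settings that are present on one side and not the other. The file paths are placeholders; it assumes nothing about the report schema beyond it being well-formed XML.

```powershell
# Added example (not from the thread): report the settings that differ between two
# gpresult XML exports, e.g. taken before and after a GPO change or a UPD reset:
#   gpresult /x C:\before.xml
#   gpresult /x C:\after.xml

function Get-LeafSettings {
    param([string]$Path)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    $leaves = @{}
    # Every element without child elements is a setting value; key it by its element path.
    foreach ($node in $xml.SelectNodes('//*[not(*)]')) {
        $text = $node.InnerText.Trim()
        if ($text -eq '') { continue }
        # Timestamps differ between any two runs and would only add noise.
        if ($node.LocalName -match 'Time|Date') { continue }
        $parts = New-Object System.Collections.Generic.List[string]
        $n = $node
        while ($n -is [System.Xml.XmlElement]) { $parts.Insert(0, $n.LocalName); $n = $n.ParentNode }
        $key = $parts -join '/'
        # Many settings share one path (e.g. repeated Name elements), so keep all values per path.
        if (-not $leaves.ContainsKey($key)) { $leaves[$key] = New-Object System.Collections.Generic.List[string] }
        $leaves[$key].Add($text)
    }
    return $leaves
}

function Compare-GpResult {
    param([string]$Before, [string]$After)
    $a = Get-LeafSettings -Path $Before
    $b = Get-LeafSettings -Path $After
    $paths = @($a.Keys) + @($b.Keys) | Sort-Object -Unique
    foreach ($p in $paths) {
        # Set comparison per path: the same rows in a different order are not a difference.
        $va = if ($a.ContainsKey($p)) { @($a[$p]) } else { @() }
        $vb = if ($b.ContainsKey($p)) { @($b[$p]) } else { @() }
        foreach ($v in ($va | Where-Object { $vb -notcontains $_ })) {
            [pscustomobject]@{ Path = $p; Value = $v; Side = 'before only' }
        }
        foreach ($v in ($vb | Where-Object { $va -notcontains $_ })) {
            [pscustomobject]@{ Path = $p; Value = $v; Side = 'after only' }
        }
    }
}

# Placeholder paths; an empty result means the two sessions received identical settings.
Compare-GpResult -Before 'C:\before.xml' -After 'C:\after.xml' | Format-Table -AutoSize -Wrap
```

If this prints nothing for the working and non-working accounts, the resultant policy really is the same in both sessions and the difference has to be looked for in the profile itself rather than in what Group Policy delivered.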
That's exactly what I did.  I'll post the working gpresult now, and you can check for any other differences as well.  Maybe you'll spot something that I missed.
good.htm
Here's another clue. Our internal staff are in a different OU from our remote desktop clients. When I made the last change her desktop changed over to using a double click, but not the external clients. So I'm wondering about either inheritance, security filtering or possibly the way I've got the OUs set up.

It looks right to me but something is still wrong.  Here's what I have.
[screenshots of the GPO links]
The GPO I'm making changes to is Remote Users v2.
As you can see it's attached to farm computers and Restricted Access Accounts (RAA).
All of our outside clients' login accounts are in the RAA OU.
All of the remote desktop farm servers are in the "farm computers" OU.  I don't know if this has any bearing but we keep all of the User Profile Disks on another server that is not part of this group.

We have a group set up in the RAA Active directory which contains all of the external client accounts. It's called "Remote PAR Users".  The farm computers belong to a group as well called "par farm".

Here is the scope properties of the GPO.
[screenshot of the GPO scope tab]
The security filtering includes the appropriate groups, so it looks right.  I'll continue testing, and see what else I can figure out.
Thanks for sharing the detailed info.
You have made the GPO application complex.

You need to unlink the Default Domain Policy and Remote Users V2 GPOs from the RAA OU, for two reasons:
The Remote Users V2 policy should be latched only to the OU containing the farm computers.
Also, the Default Domain Policy is already linked to the domain, so there is no need to latch it again to the RAA OU.

Also there is no point in making the parfarm security group, as the "Farm Computers" OU is already there and I believe the RDS servers are kept in this OU. You already have the Authenticated Users group defined on the security filtering tab for the Remote Users V2 GPO, so there is no need to specify a separate security group for the farm computers under security filtering.
When you apply the GPO to this OU, it will by default apply to the farm servers.

Lastly, just ensure that Group Policy loopback processing is enabled in Replace mode with the Remote Users V2 GPO.

If you make these changes as suggested, just run gpupdate /force on the domain controllers and on the restricted user workstations as well, and check if it works.
Maybe you can reboot the farm server once.
Here's what I've got setup now.  But it's still not right.
gpo1.PNG
I've got the GPO remote users v2 linked to the farm computers OU.  I've set the security filtering to enable it only for the Remote PAR Users.  However when I log on as a user, and run gpresult, it says that remote users V2 has not been applied.

Did I misunderstand what you suggested?
I have loopback processing set to replace mode. None of the user settings now apply. I've linked the remote users v2 back to the RAA OU, and now at least all of the user settings are being applied.

I can't get the double click to work for existing accounts. Only new accounts.
I have seen the screenshot.
You have added the policy to the correct OU; however, the wrong group is on security filtering.

Replace Remote PAR Users with Authenticated Users.

Note that the GPO Remote Users V2 should apply to the farm servers OU, and when you set Authenticated Users there, the policy will be applied to the farm servers and all users who log on to the farm servers will be affected.
There is no need to apply the GPO to the Remote PAR Users group explicitly; your GPO loopback processing will take care of that.

The idea would be that the policy is applied to the Farm Servers OU with loopback processing enabled, so that it is automatically applied to all users who log on to the farm servers, since the policy contains user settings.

If you apply this policy to the OU containing users, it will be applied to those users no matter which server they log on to in the entire domain, which is not the requirement.
The policy should get enforced only if users log on to the farm servers.
We have other users, (admin and office staff) who aren't subject to these restrictions.  So although authenticated users would work, the remote par users group is a better choice for us.  Also since these users only ever log onto the farm computers, it's not an issue if the policy is always applied to them.

What I don't understand is why, when I applied the GPO to only the farm computers and turned on loopback processing and set the security filtering on, the GPO was not applied. Could it be because the remote PAR users group is in a custom OU?

I appreciate your patience and help with this.
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
Thanks. That clears things up. The original problem still remains, but at this point I think that from the look of things some settings are only set once and no matter how hard you'd like to, you won't be able to change them without deleting the user profile disk. For another example, try changing the desktop wallpaper through GPO. That never changes either.
OK.
Please try the below with regard to the original problem:

The UPD behavior is to get disconnected when the user logs off the RDS session.
When the user logs back on again, it simply attaches the UPD again. So have you tried gpupdate /force in the user session to see if any GPO changes are getting reflected?

If that works, you can put gpupdate OR gpupdate /force in a .bat file and apply it in the same GPO under User Configuration\Windows Settings\Scripts\Logon, and check.
No luck. Logged in, ran gpupdate /force, logged off, logged back in again. No change. It was a good idea though. The user profile disk has registry settings saved in it. I wonder if the GPO settings get applied to the registry upon login and then later the settings in the UPD get applied. That would cause the UPD settings to take precedence.
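Two points in this thread come down to the same question: whether a value left in the user's registry hive differs from what the GPO currently declares (the earlier remark that Not Configured leaves the old setting in place, and the closing hypothesis that the hive carried in the UPD wins over the GPO). That can be measured in the affected session instead of guessed at. The following PowerShell is an added example, not code from anyone in this thread: for each policy key it lists the values the GPO's User Configuration declares (via Get-GPRegistryValue) beside what is actually present in the logged-on user's HKCU, and flags mismatches. It assumes the GroupPolicy module is available on the RDS host (RSAT); the GPO name is the one from the thread, and the two keys are the ones the Classic Shell policy (ClassicShell value under Policies\Explorer) and the Desktop Wallpaper policy (Wallpaper under Policies\System) write to.

```powershell
# Added example (not from the thread): compare the user-side registry values a GPO
# declares with what is present in the current user's HKCU. Run inside the user's
# RDS session on a host with the GroupPolicy module.
Import-Module GroupPolicy

$GpoName = 'Remote Users v2'                                        # GPO from the thread
$KeysToCheck = @(
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # Classic Shell -> ClassicShell
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'     # Desktop Wallpaper -> Wallpaper
)

function Get-DeclaredValues {
    param([string]$Gpo, [string]$Key)
    # Omitting -ValueName returns every value the GPO configures under the key.
    # The cmdlet throws when nothing is configured there, which we treat as "none".
    try {
        Get-GPRegistryValue -Name $Gpo -Key $Key -ErrorAction Stop |
            Where-Object { $_.ValueName } |
            ForEach-Object {
                [pscustomobject]@{ Name = $_.ValueName; Declared = $_.Value; State = $_.PolicyState }
            }
    } catch { @() }
}

function Get-LiveValues {
    param([string]$Key)
    # Same key in the hive loaded for the current user (the one the UPD carries).
    $path = 'Registry::' + ($Key -replace '^HKCU\\', 'HKEY_CURRENT_USER\')
    $item = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Live = $item.GetValue($name) }
    }
}

function Compare-PolicyKey {
    param([string]$Gpo, [string]$Key)
    $declared = @(Get-DeclaredValues -Gpo $Gpo -Key $Key)
    $live     = @(Get-LiveValues -Key $Key)
    $names    = @($declared.Name) + @($live.Name) | Where-Object { $_ } | Sort-Object -Unique
    foreach ($n in $names) {
        $d = $declared | Where-Object Name -eq $n | Select-Object -First 1
        $l = $live     | Where-Object Name -eq $n | Select-Object -First 1
        $verdict = if ($d -and -not $l)                        { 'declared by GPO, missing in HKCU (policy not applied?)' }
                   elseif (-not $d -and $l)                    { 'in HKCU but not declared by this GPO (leftover or other GPO)' }
                   elseif ("$($d.Declared)" -ne "$($l.Live)")  { 'HKCU value differs from what the GPO declares' }
                   else                                        { 'matches' }
        [pscustomobject]@{ Key = $Key; Name = $n; Declared = $d.Declared; Live = $l.Live; Verdict = $verdict }
    }
}

$KeysToCheck | ForEach-Object { Compare-PolicyKey -Gpo $GpoName -Key $_ } | Format-Table -AutoSize -Wrap
```

Running this in a session with the old UPD and again after a fresh UPD gives the concrete answer the thread is circling: if the "Live" column differs between the two sessions while "Declared" is the same, the value is coming from the profile hive rather than from Group Policy.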