GPO for Domain Controller Issues - RDP Idle Timeout / Screensaver Lockout
Greetings!
I'm looking for some assistance into application of a Group Policy Object (GPO) on the Domain Controllers OU in a Windows 2008 R2 Domain.
I've created a GPO that will perform the following:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host:
Set time limit for active but idle Remote Desktop Services sessions - Enabled; Idle session limit: 1 hour
Set time limit for disconnected sessions - Enabled; End a disconnected session: 1 hour
User Configuration\Policies\Administrative Templates\Control Panel\Personalization:
Password protect the screen saver - Enabled
Screen saver timeout - Enabled; Number of seconds to wait to enable the screen saver: 900
Currently, I have this GPO linked to the Servers OU in our AD structure and it's working perfectly.
Upon linking it to the Domain Controllers OU, I can see it set with "gpresult /r" from one of the domain controllers (DC), but it doesn't seem to be performing any of the enabled settings. For that DC, I can see the Applied Group Policy Objects listed as follows for Computer Configuration:
Default Domain Policy
Default Domain Controller Policy
RDP Timeout / Screensaver Timeout - Servers
WSUS-Root
But only Default Domain Policy for User Configuration.
On another DC in the same OU, I can see that ONLY the Default Domain Policy is applying, and only on the User Configuration level.
I know I'm missing something here, but for the life of me, can't figure out what. I'm assuming that all DCs in the Domain Controllers OU would have the same Group Policy settings across the board, but that doesn't look to be the case. Out of the 10 DCs in the environment (global multi-site), it looks like some have the correct GPOs assigned, and the others don't. However, even with correct assignment, they don't look to be performing the enabled work.
Anyway, if anyone out there has any thoughts on this, please let me know. This is a recently inherited environment and I'm going through and working out the kinks, one of which being the GPO application on DCs. Will keep researching. Thank you!
The key here is loop back policy processing (replace mode).
If you apply a GPO that has both User/Computer Policies to an OU, where you only have the computer objects, the User Policies based on this GPO will not be applied to the User. The policies that will be applied to the user are the policies that are linked to the OU where the user account lives.
When you are working with terminal servers / Citrix servers Loop Back Policy Processing is required to control the users that log into these terminal servers.
Will.
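Added example, not part of the original thread: one way to enable the loopback (Replace) setting described in the answer above and then confirm which domain controllers actually received it, using the GroupPolicy PowerShell module. The GPO name, domain DN and DC host names are placeholders, and the read-back assumes the Remote Registry service is reachable on each DC.

```powershell
# Added example. Names marked "placeholder" are assumptions, not from the thread.
Import-Module GroupPolicy

$gpoName = 'DC - User Policy Loopback'                  # placeholder GPO name
$dcOu    = 'OU=Domain Controllers,DC=example,DC=com'    # placeholder domain DN
$polKey  = 'Software\Policies\Microsoft\Windows\System'

# Loopback is a Computer Configuration setting stored as UserPolicyMode:
# 1 = Merge, 2 = Replace (the mode named in the answer).
New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "HKLM\$polKey" `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $gpoName -Target $dcOu | Out-Null

# After policy refresh (gpupdate /force) on each DC, read back the value every
# DC actually holds, so DCs that never received the GPO stand out.
$dcs   = 'DC01', 'DC02'                                 # placeholder host names
$modes = @{ 1 = 'Merge'; 2 = 'Replace' }

foreach ($dc in $dcs) {
    $state = 'Not configured'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $key  = $hklm.OpenSubKey($polKey)
        if ($key) {
            $value = $key.GetValue('UserPolicyMode')
            if ($value -ne $null) {
                if ($modes.ContainsKey([int]$value)) { $state = $modes[[int]$value] }
                else { $state = "Unexpected value $value" }
            }
            $key.Close()
        }
        $hklm.Close()
    }
    catch {
        # Remote Registry not reachable, access denied, or name not resolved.
        $state = "Unreachable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ DomainController = $dc; Loopback = $state }
}
```

With Replace mode in effect, the User Configuration list in `gpresult /r` on a DC should show the GPOs linked to the Domain Controllers OU instead of only those from the user's own OU.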
Will,
Thank you for the reply. I've enabled the loop back processing in a new GPO assigned to the domain controllers with the same settings as I mentioned. Can see that the settings are applied through gpresult. Just waiting now to see if the idle time enacts and kicks off the connection.