GPO for Domain Controller Issues - RDP Idle Timeout / Screensaver Lockout


I'm looking for some assistance into application of a Group Policy Object (GPO) on the Domain Controllers OU in a Windows 2008 R2 Domain.

I've created a GPO that will perform the following:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host:

Set time limit for active but idle Remote Desktop Services sessions - Enabled; Idle session limit:  1 hour
Set time limit for disconnected sessions - Enabled; End a disconnected session:  1 hour

User Configuration\Policies\Administrative Templates\Control Panel\Personalization:

Password protect the screen saver - Enabled
Screen saver timeout - Enabled; Number of seconds to wait to enable the screen saver:  900

Currently, I have this GPO linked to the Servers OU in our AD structure and it's working perfectly.

Upon linking it to the Domain Controllers OU, I can see it set with "gpresult /r" from one of the domain controllers (DC), but it doesn't seem to be performing any of the enabled settings.  For that DC, I can see the Applied Group Policy Objects listed for Computer Configuration as:

Default Domain Policy
Default Domain Controller Policy
RDP Timeout / Screensaver Timeout - Servers

But only Default Domain Policy for User Configuration.

On another DC in the same OU, I can see that ONLY the Default Domain Policy is applying, and only on the User Configuration level.  

I know I'm missing something here, but for the life of me, can't figure out what.  I'm assuming that all DCs in the Domain Controllers OU would have the same Group Policy settings across the board, but that doesn't look to be the case.  Out of the 10 DCs in the environment (global multi-site), it looks like some have the correct GPOs assigned, and the others don't.  However, even with correct assignment, they don't look to be performing the enabled work.

Anyway, if anyone out there has any thoughts on this, please let me know.  This is a recently inherited environment and I'm going through and working out the kinks, one of which being the GPO application on DCs.  Will keep researching.  Thank you!

Will Szymkowski (Senior Solution Architect) commented:
The key here is loop back policy processing (replace mode).

If you apply a GPO that has both User/Computer Policies to an OU, where you only have the computer objects, the User Policies based on this GPO will not be applied to the User. The policies that will be applied to the user are the policies that are linked to the OU where the user account lives.

When you are working with terminal servers / Citrix servers, Loop Back Policy Processing is required to control the users that log into these terminal servers.

JKowalke (Author) commented:

Thank you for the reply.  I've enabled the loop back processing in a new GPO assigned to the domain controllers with the same settings as I mentioned.  Can see that the settings are applied through gpresult.  Just waiting now to see if the idle time enacts and kicks off the connection.
Will Szymkowski (Senior Solution Architect) commented:
Ok sounds good. Another thing to make sure is that you are using Authenticated users for your security filtering. This will authenticate both computers and users.
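The two answers above boil down to two checks on the GPO itself: loopback processing set to Replace, and Authenticated Users still holding the Apply permission in security filtering. The script below is an added example, not code from the thread or from Microsoft; it audits a GPO for both, and for the RDP idle/disconnect and screen-saver values the question lists, using the GroupPolicy module (RSAT/GPMC). The GPO name is an assumption.

```powershell
# Added example: audit a GPO for loopback mode, Authenticated Users Apply rights,
# and the RDP / screen-saver policy values from the question. Needs RSAT GPMC.
Import-Module GroupPolicy

$GpoName = 'RDP Timeout / Screensaver Timeout - DCs'   # assumed name, change to yours

# Registry values the GPO is expected to carry.
# UserPolicyMode 2 = loopback "Replace" (1 = Merge); MaxIdleTime and
# MaxDisconnectionTime are milliseconds (1 hour = 3600000); the screen-saver
# policy values are stored as REG_SZ strings.
$Expected = @(
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\System';               Name = 'UserPolicyMode';       Value = 2 },
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services';  Name = 'MaxIdleTime';          Value = 3600000 },
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services';  Name = 'MaxDisconnectionTime'; Value = 3600000 },
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaverIsSecure';  Value = '1' },
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveTimeOut';    Value = '900' }
)

function Test-GpoSetting {
    param([string]$Gpo, [hashtable]$Item)
    try {
        $actual = (Get-GPRegistryValue -Name $Gpo -Key $Item.Key -ValueName $Item.Name -ErrorAction Stop).Value
    } catch {
        # Get-GPRegistryValue throws when the value is not configured in the GPO
        return [pscustomobject]@{ Setting = $Item.Name; Expected = $Item.Value; Actual = '<not set>'; Ok = $false }
    }
    [pscustomobject]@{ Setting = $Item.Name; Expected = $Item.Value; Actual = $actual; Ok = ("$actual" -eq "$($Item.Value)") }
}

# 1. Is every expected value present with the right data?
$Expected | ForEach-Object { Test-GpoSetting -Gpo $GpoName -Item $_ } | Format-Table -AutoSize

# 2. Does Authenticated Users still hold Apply? Removing it from security
#    filtering is a common reason a GPO shows as filtered out in gpresult.
$apply = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' -and -not $_.Denied }
if ($apply) {
    "OK: Authenticated Users has Apply on '$GpoName'"
} else {
    "WARN: Authenticated Users lacks Apply on '$GpoName'; restore with:"
    "  Set-GPPermission -Name '$GpoName' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply"
}
```

Run it from a machine with GPMC against the GPO linked to the Domain Controllers OU; a row with Ok = False for UserPolicyMode is the loopback gap the first answer describes.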

