JKowalke

asked on
GPO for Domain Controller Issues - RDP Idle Timeout / Screensaver Lockout

Greetings!

I'm looking for some assistance into application of a Group Policy Object (GPO) on the Domain Controllers OU in a Windows 2008 R2 Domain.

I've created a GPO that will perform the following:

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host:

Set time limit for active but idle Remote Desktop Services sessions - Enabled; Idle session limit:  1 hour
Set time limit for disconnected sessions - Enabled; End a disconnected session:  1 hour

User Configuration\Policies\Administrative Templates\Control Panel\Personalization:

Password protect the screen saver - Enabled
Screen saver timeout - Enabled; Number of seconds to wait to enable the screen saver:  900

Currently, I have this GPO linked to the Servers OU in our AD structure and it's working perfectly.

Upon linking it to the Domain Controllers OU, I can see it set with "gpresult /r" from one of the domain controllers (DC), but it doesn't seem to be performing any of the enabled settings. For that DC, I can see the Applied Group Policy Objects listed for Computer Configuration as:

Default Domain Policy
Default Domain Controller Policy
RDP Timeout / Screensaver Timeout - Servers
WSUS-Root

But only Default Domain Policy for User Configuration.

On another DC in the same OU, I can see that ONLY the Default Domain Policy is applying, and only on the User Configuration level.

I know I'm missing something here, but for the life of me, can't figure out what.  I'm assuming that all DCs in the Domain Controllers OU would have the same Group Policy settings across the board, but that doesn't look to be the case.  Out of the 10 DCs in the environment (global multi-site), it looks like some have the correct GPOs assigned, and the others don't.  However, even with correct assignment, they don't look to be performing the enabled work.

Anyway, if anyone out there has any thoughts on this, please let me know.  This is a recently inherited environment and I'm going through and working out the kinks, one of which being the GPO application on DCs.  Will keep researching.  Thank you!
Will Szymkowski

The key here is loop back policy processing (replace mode).

If you apply a GPO that has both User/Computer Policies to an OU, where you only have the computer objects, the User Policies based on this GPO will not be applied to the User. The policies that will be applied to the user are the policies that are linked to the OU where the user account lives.

When you are working with terminal servers / citrix servers Loop Back Policy Processing is required to control the users that log into these terminal servers.

Will.
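A way to confirm the loopback advice above took effect on a DC, as an added PowerShell check that is not part of the thread: it lists the GPO links on the Domain Controllers OU, reads the loopback mode stored in the GPO, and then reads the registry values the RDS and screen-saver components actually consume on the DC. The OU distinguished name, the GPO name and the DC name DC01 are placeholders.

```powershell
# Added verification script (not from the thread). Assumes the GroupPolicy
# RSAT module; DN, GPO name and DC01 below are placeholders to replace.
Import-Module GroupPolicy

$dcOu    = "OU=Domain Controllers,DC=example,DC=com"     # placeholder DN
$gpoName = "RDP Timeout / Screensaver Timeout - DCs"      # placeholder name

# 1. Which GPOs are linked to the Domain Controllers OU, and is every link
#    enabled? A disabled or missing link explains "gpresult" not listing it.
Get-GPInheritance -Target $dcOu |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize

# 2. Does the GPO itself carry loopback processing? It is stored as
#    UserPolicyMode under HKLM\...\Windows\System (1 = Merge, 2 = Replace).
$loop = Get-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName UserPolicyMode -ErrorAction SilentlyContinue
switch ($loop.Value) {
    2       { "Loopback in '$gpoName': Replace" }
    1       { "Loopback in '$gpoName': Merge" }
    default { "Loopback NOT configured in '$gpoName'" }
}

# 3. On the DC, read what policy actually wrote. RDS limits are stored in
#    milliseconds; 1 hour from the question should show as 60 minutes.
Invoke-Command -ComputerName DC01 -ScriptBlock {
    $ts  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    $sys = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
    $p   = Get-ItemProperty -Path $ts  -ErrorAction SilentlyContinue
    $s   = Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        IdleLimitMinutes         = if ($p.MaxIdleTime) { $p.MaxIdleTime / 60000 } else { $null }
        DisconnectedLimitMinutes = if ($p.MaxDisconnectionTime) { $p.MaxDisconnectionTime / 60000 } else { $null }
        LoopbackMode             = $s.UserPolicyMode   # expect 2 for Replace
    }
}

# 4. The screen-saver settings are user-side, so check them in an interactive
#    RDP logon to the DC (not via Invoke-Command, which runs as a different user):
#    Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop" |
#        Select-Object ScreenSaveTimeOut, ScreenSaverIsSecure   # expect 900 and 1
```

Run "gpupdate /force" on the DC and log off/on before step 3 and 4, since loopback only changes which user settings apply at the next logon.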
JKowalke (ASKER)

Will,

Thank you for the reply. I've enabled the loop back processing in a new GPO assigned to the domain controllers with the same settings as I mentioned. Can see that the settings are applied through gpresult. Just waiting now to see if the idle time enacts and kicks off the connection.
ASKER CERTIFIED SOLUTION
Will Szymkowski