Clay Foody

asked on

GPOs not appearing in RSOP if they're attached to an OU

Hello, I have a Windows 2008 server that is a domain controller with terminal services. I'm having issues with Group Policy Objects which I know for a fact are working and are in effect, but not appearing in the RSOP report. Here's how it's configured:

I have an OU named Terminal Service Users. Certain users on the domain are in this OU.

If I attach Group Policies to this OU, they go into effect but they don't appear in RSOP if I run the report, even though I'm running it as one of the OU members. For auditing reasons, these GPOs absolutely MUST appear in the RSOP report. When running the report I choose "This Computer" and then "Another User" and choose one of the users in the Terminal Services OU.

If I attach any of these GPOs to the root of the domain, so it applies to the entire domain, the RSOP report then includes the GPOs.

DNS is installed and running properly on the server. Aside from this issue with RSOP I haven't had any other issues with Active Directory on this server.
ASKER CERTIFIED SOLUTION
Will Szymkowski
Clay Foody

ASKER

There are no other computers on the domain, just the one server. I have users in the same OU as the GPO, and I can see the GPOs are successfully applying. For example, because it's a terminal server, I have settings such as restricting access to the control panel, etc., and I can see those working when I log in under one of the users in that OU.

The problem is when I run RSOP under the same user the GPO and the settings in the GPO don't appear in the RSOP report. I have a 2012 server that's doing the same exact thing, so it's obviously something that I'm doing wrong, I just don't know what it is.
What happens if you run the RSOP.msc against the user/computer within Active Directory Users and Computers? This report should produce the correct info.

Another thing: maybe these policies are being applied from another parent policy, which is why it looks like they are applying but not from the GPO that you are referring to.

Will.
We figured out what was going on and I can see now what you were trying to do. Settings in the "Computer" section of the group policy will not enforce unless the computer is in the OU, just like the users section if a user is in the OU. Since this all occurs from the domain controller running terminal services, I don't see any way to get this done other than to enable the "loopback processing" and the delegation settings to avoid issues that would arise from dragging the server itself into the OU.
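
An added example, not part of the thread or any poster's code: a PowerShell check for the audit case discussed above, run elevated on the terminal server. It lists which GPOs the logged RSoP data records under the computer and user scopes, the container each is linked to, and whether loopback processing is set. The account name and report path are placeholders.

```powershell
# Placeholders (assumptions, not values from the thread):
$User   = 'EXAMPLE\tsuser1'    # a member of the "Terminal Service Users" OU
$Report = Join-Path $env:TEMP 'rsop-audit.xml'

# gpresult writes the logged RSoP data for this computer and the named user.
# The user must have logged on to this server at least once.
gpresult /user $User /x $Report /f
if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($Report)

# One row per GPO and scope, with the site/domain/OU (SOM) it is linked to.
# A GPO linked only to the users' OU shows up under UserResults, not under
# ComputerResults, unless the computer account is also in that OU.
$rows = foreach ($scope in 'ComputerResults', 'UserResults') {
    foreach ($gpo in $rsop.Rsop.$scope.GPO) {
        [pscustomobject]@{
            Scope         = $scope
            GPO           = $gpo.Name
            LinkedTo      = @($gpo.Link.SOMPath) -join '; '
            FilterAllowed = $gpo.FilterAllowed
            AccessDenied  = $gpo.AccessDenied
        }
    }
}
$rows | Sort-Object Scope, LinkedTo | Format-Table -AutoSize

# Loopback processing is a Computer-side policy; once applied it is stored
# in the registry value below. 1 = Merge, 2 = Replace, absent = not configured.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode `
            -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback processing: Merge' }
    2       { 'Loopback processing: Replace' }
    default { 'Loopback processing: not configured' }
}
```

Keeping the XML report alongside the table output gives the audit a record of both scopes from the same run.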