Butler Bros
asked on
can't figure out why a GPO is still appying..
Issue: A policy is being applied to a terminal services session even though it should not be
Environment: Windows 7 Pro workstation running an app served up by Terminal services,
Single domain/forest, logon server= Svr 2008R2
Our domain users(T/S users) are given a policy for FOLDER REDIRECTION, which maps the value for 'DESKTOP' to a folder structure on a particular server in the domain, and I'm wanting to REMOVE that for this ONE user(TEST)
I did this by creating a custom ACL on the relevant GPO in Group Policy Management on the server(set the user to 'denied')
I run "GPRESULT /v" , and I do NOT see the section for Folder Redirection present..
but when I run the T/S application, and perform a "Save-As" function, and look at the locations to save, it is still showing the folder structure location when I drop down to "Desktop".
I cannot understand why the user is still feeling this policy...?
This isn't a matter of GPO persistence, is it?
Thoughts?
Environment: Windows 7 Pro workstation running an app served up by Terminal services,
Single domain/forest, logon server= Svr 2008R2
Our domain users(T/S users) are given a policy for FOLDER REDIRECTION, which maps the value for 'DESKTOP' to a folder structure on a particular server in the domain, and I'm wanting to REMOVE that for this ONE user(TEST)
I did this by creating a custom ACL on the relevant GPO in Group Policy Management on the server(set the user to 'denied')
I run "GPRESULT /v" , and I do NOT see the section for Folder Redirection present..
but when I run the T/S application, and perform a "Save-As" function, and look at the locations to save, it is still showing the folder structure location when I drop down to "Desktop".
I cannot understand why the user is still feeling this policy...?
This isn't a matter of GPO persistence, is it?
Thoughts?
ASKER
This GPO is scoped to the OU where the Terminal Servers reside, and has it's "Security Filtering" set to "Authenticated Users".
I'm running the T/S app as a published app, so the end user does not have access to a T/S desktop.
How would I run a RSOP for the user , against the Terminal Server session so that I'm getting policy assigned to the T/S session?
Have I confused us yet?
Rich
I'm running the T/S app as a published app, so the end user does not have access to a T/S desktop.
How would I run a RSOP for the user , against the Terminal Server session so that I'm getting policy assigned to the T/S session?
Have I confused us yet?
Rich
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok, interesting...
So here's what I found/did:
On the T/S the test user is logged into, I pull up the registry remotely, and looked at the HKEY_USERS hive and I see
all of the users SID's
I navigated to the relevant key, and did see the DESKTOP value in question.
So, I changed it to a different folder.
I then logged out of the users session of T/S
Logged back in, fired up the T/S app, and checked that the value was still set to the different folder, which it was.
When I performed a "save-as" within the T/S app, it still shows the original value, which is a UNC path to a SHARED folder area..
I must be missing something..
So here's what I found/did:
On the T/S the test user is logged into, I pull up the registry remotely, and looked at the HKEY_USERS hive and I see
all of the users SID's
I navigated to the relevant key, and did see the DESKTOP value in question.
So, I changed it to a different folder.
I then logged out of the users session of T/S
Logged back in, fired up the T/S app, and checked that the value was still set to the different folder, which it was.
When I performed a "save-as" within the T/S app, it still shows the original value, which is a UNC path to a SHARED folder area..
I must be missing something..
In the same registry location also check the Shell folders key, you may need to change it there also.
ASKER
Thank you.
I was able to see where the policies are seen in the registry, and also better understand the option to revert if gpo is removed.
I am seeing an error in RSOP for this GPO, but if I need to, I'll open a separate thread to address that.
I was able to see where the policies are seen in the registry, and also better understand the option to revert if gpo is removed.
I am seeing an error in RSOP for this GPO, but if I need to, I'll open a separate thread to address that.
It is assigned to computer accounts of Terminal Servers, but works for users.
This is where you can find the settings:
In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
Locate Administrative Templates, click System, click Group Policy, and then check the Loopback Policy option, for all policies applied to your computer/user.
Use gpresult /h report.html to generate RSOP report.