Results 1 to 9 of 9
  1. #1
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,825
    Thanks
    19
    Thanked 108 Times in 102 Posts

    Group Policy problem (2003)

    Large screenshot resized by HansV. Please don't post images larger than 640x480

    Being extremely ignorant about Group Policy, I can't see why the situation shown in the attached graphic doesn't give the expected results (sorry about the size).

    I am logging onto the Terminal Server with a (domain) account which is in the "TS locked-down users" security group in AD. But the expected desktop modifications as shown in the policy haven't kicked in.
    Other notes:
    I only want the policy to apply to the accounts in that security group - absolutely no-one else;
    I've set up an OU and moved the Terminal Server (only) into it;
    I haven't enabled GP Loop-Back processing (didn't seem necessary);
    I've run GPUPDATE;
    I haven't updated any of the as-supplied original ADM templates;
    I've blanked out the first part of the DNS domain name in the screen print.

    All Group Policy expertise welcomed! Thanks...
    Attached Images Attached Images
    • File Type: gif x.gif (70.6 KB, 1 views)
    BATcher

    Dear Diary, today the Hundred Years War started ...

  2. Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

    Excel 2013: The Missing Manual

    + Get this BONUS — free!

    Get the most of Excel! Learn about new features, basics of creating a new spreadsheet and using the infamous Ribbon in the first chapter of Excel 2013: The Missing Manual - Subscribe and download Chapter 1 for free!

  3. #2
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Group Policy problem (2003)

    Try running GPRESULT to see if it shows up anything obvious.

    StuartR

  4. #3
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,825
    Thanks
    19
    Thanked 108 Times in 102 Posts

    Re: Group Policy problem (2003)

    I right clicked on the Group Results line and got results much the same as running GPRESULT.

    I've tried in Administrator on both the file server and the terminal server, and in one of the supposedly locked-down users on the terminal server.

    The only obvious thing is the complete absence of any mention of the TS Lockdown policy!
    BATcher

    Dear Diary, today the Hundred Years War started ...

  5. #4
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Group Policy problem (2003)

    You said that

    > I haven't enabled GP Loop-Back processing (didn't seem necessary);

    It can't do any harm to try enabling this and see if that gets it to run.

    StuartR

  6. #5
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,825
    Thanks
    19
    Thanked 108 Times in 102 Posts

    Re: Group Policy problem (2003)

    OK, will try tomorrow!
    BATcher

    Dear Diary, today the Hundred Years War started ...

  7. #6
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Group Policy problem (2003)

    Have a read of this article. The key point is ...
    <hr>
    Loopback Processing
    This section demonstrates how to use the loopback processing policy to enable a different set of user type Group Policies based on the Computer being logged onto. This policy is useful when you need to have user type policies applied to users of specific computers.
    <hr>

  8. #7
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,825
    Thanks
    19
    Thanked 108 Times in 102 Posts

    Re: Group Policy problem (2003)

    Sadly enabling Loopback processing doesn't seem to make any difference to users when they log on.

    What I can't see is why the TS Lockdown policy is enforced for the Terminal Services OU, the link is enabled and the GPO status is enabled, yet RSOP seems not to know of its existence.

    I seem to be missing something very fundamental about how Group Policies are applied...
    BATcher

    Dear Diary, today the Hundred Years War started ...

  9. #8
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,825
    Thanks
    19
    Thanked 108 Times in 102 Posts

    Re: Group Policy problem (2003)

    Having come across the following in a post somewhere:
    "The user must be a member of the OU that the Policy is applied to. Being a member of a security group that has apply access to the policy is not enough."
    I tried moving one of the relevant accounts into the Terminal Server OU - and now the policy appears to be being applied!

    Is that the way it is supposed to work? I thought being in the TS Locked-down users Security Group should be adequate...

    I hope there are no side-effects...
    BATcher

    Dear Diary, today the Hundred Years War started ...

  10. #9
    5 Star Lounger
    Join Date
    Nov 2004
    Location
    Wilmington, North Carolina, USA
    Posts
    1,196
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Group Policy problem (2003)

    So long as the TS OU doesn't implicitly allow any additional permissions, you should be fine.
    ____________________________
    Jeremy
    "If you spend more on coffee than on IT security, then you will be hacked. What&#39;s more, you deserve to be hacked." -Richard Clarke

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •