
Group Policy Not Applying on Terminal Server Logins

Status
Not open for further replies.

frogman23

IS-IT--Management
Nov 20, 2006
26
US
Ok, I'm a little confused and I could use some guidance from an expert. I have deployed a Terminal Server and put it in its own OU (we'll call the OU TSSERVER for clarity). I have installed all necessary software and can log into the machine and run the apps using Terminal Services. I also created a test user account and put it in a different OU (we'll call this OU TSTEST). I have created a group policy locking down various things (ok, more like the whole server, because if anyone will screw something up a user can :p) and applied it to the "TSSERVER" OU. Since domain admins (like myself) will be using TS to maintain the server I only applied the restrictive policy to the TS_Users OU, which my TSTEST is a member of (trying to mimic our real-world scenario). I have also enabled loopback processing using both the merge and replace options. I've also given plenty of time to make sure the replication has occurred (wanted to make sure that wasn't a problem). I also wanted to let it be known that I've never deployed Terminal Services before. I've only maintained applications on an existing TS deployment, so I very well could have missed something very simple. If I've left out some information that you need to help me fix the problem just let me know and I'll take care of that. Thanks in advance.
 
So what exactly is your problem? None of the policies have been applying and your test user account can go in and mess stuff up that you have restricted, or even with an admin account you are restricted? Have you tried a gpupdate /force (if 2003) or secedit /refreshpolicy /enforce?
 
Sorry, I assumed some information. None of the policies have been applied to the test user. They have full access to things that have been explicitly restricted (like all the local drives and things like the control panel). I have done the gpupdate /force and that didn't work either.
 
An update. I created 2 policies, one for the computer configuration and one for the user configuration in the TSSERVER OU. I enabled only the computer config on the computer config policy (obviously) and I only enabled the user config on the user config policy (again obviously). I then did a gpupdate /force with no luck. I don't see why it would have worked differently; I just found a document on MS's site and thought I'd give it a shot. Again, the restrictions are not being applied to my test account and the Admin accounts have full access to the machine (as it should be).
 
You may find this useful...


Keep things simple. You only need one GPO applied to your Terminal Servers OU. The computer section of this GPO will apply to the terminal servers and the User section of this GPO will also apply to any users that log into the terminal servers.

On your terminal server, typing in gpresult from a command prompt will let you know whether or not the GPO has been applied.

In the permissions of the GPO, for the users that you want the GPO applying to, they need "Read" and "Apply Group Policy" permissions on the GPO
 
Thanks for the suggestions. I used that KB article when I was initially setting up this server. I consolidated the 2 policies back into one (didn't make sense to make 2 policies to begin with, but it didn't hurt to try). The group that will have the GPO applied has been given the Read and Apply permissions. When I run gpresult when I'm logged in it doesn't show the TS GPO, period. I logged in to the server with the test user account and tried to run gpresult and it told me that there was no RSOP data, but I'm assuming that it would have looked identical to what I saw when I was logged into the server. I rebooted the machine hoping that would help force the policy to apply; still nothing. I'm running out of ideas quickly. I just had something hit me. I'm not sure if the group that I put my test user in is a security group or a distribution group. I don't know if that will have much effect on this situation but I'm going to check it out anyway. Will advise on whether this works or not. Thanks again for your suggestions, they're much appreciated.
 
Ok, the group I had my test user in is a security group. I set the security settings back to Authenticated Users. Still no luck. I used the Group Policy Results from the GPMC and saw that the policy was still not being applied on my TS server. I checked the policy events tab and saw that it was full of errors. There are 2 recurring events: Event ID 1030 and 1058. I'm currently researching fixes, but if anyone has had any experience with this please let me know what you did to fix it. I have a July 1 deadline to meet and I'm very close to having this project done, so again I appreciate your help.
 
Check the container that is holding your GPO; from those errors it sounds like it is trying to apply a GP but it can't find it.
Check the following location (it seems a little strange):

\\<domainname>\SYSVOL\<domainname>\Policies

You should see your GPOs there, although the name of the folder will be the GUID of the GPO (I believe it's the GUID). I would check which DC you are logging into: Start >> Run >> then type %logonserver%; this will open the domain controller you are logging onto. Go to the corresponding share on the DC and verify all the GPOs. Then verify on all DCs in your domain. It is possible that you have a replication issue.
I am assuming that you have deleted the GPOs and recreated them to verify they aren't just corrupt.
 
Bah... Had to work a half day on a Saturday. Oh well, I can guarantee that it will be like a Friday afternoon: no one will call unless it is absolutely broken and they have to have it, so I guess I'll use this time to work on my problem. :p I checked the policies on all my DCs (there are 6 of them) and this is what I found:

\\domain\sysvol\domain.xxx\policies - 3 policies
\\fsmoDC\sysvol\domain.xxx\policies - 5 policies (which is the correct amount)
\\DC\sysvol\domain.xxx\policies - 3 policies (my other 5 DCs are identical as far as policy shares go)

I also double-checked my policy error log, and with the event 1058 there was some information that I saw and checked a little further into. If I type \\domain.xxx\sysvol\domain.xxx\policies I see all 5 policies. I'm getting more and more confused. Would \\domain\etc direct you to the same place as \\domain.xxx\etc? If they are different, can I manually copy the missing GPOs to all the DCs and it not mess with anything? I'm leaning toward a replication issue. Oh well, back to Google and MS's website looking for potential fixes. I really appreciate your responses; they're very helpful and thought-provoking, so please keep them coming.

BTW I did not delete the GPOs and recreate them since it seems to be more of a replication thing.
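The per-DC SYSVOL comparison suggested two posts up and done by hand above, as an added example (not code from the thread or its posters). It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules (a newer server than the 2003-era boxes in this thread) and read access to each DC's SYSVOL share:

```powershell
# Added example, not from the thread: list the {GUID} folders under each DC's own
# SYSVOL\<domain>\Policies share and compare them with the GPOs the domain defines,
# so a DC that holds only 3 of 5 policies (as above) is reported by GPO name.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$fqdn = (Get-ADDomain).DNSRoot

# What the domain defines: GUID-folder name -> display name, as GPMC knows them.
$gpoNames = @{}
Get-GPO -All | ForEach-Object {
    $gpoNames["{$($_.Id.ToString().ToUpper())}"] = $_.DisplayName
}

# Query every DC by host name rather than \\<domain>\SYSVOL: the domain path is a
# DFS referral that can land on any DC, possibly the one with the stale replica.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    $share = "\\$dc\SYSVOL\$fqdn\Policies"
    if (-not (Test-Path -Path $share)) {
        [pscustomobject]@{ DC = $dc; Present = 0; Missing = '(share unreachable)' }
        continue
    }
    # Only {GUID} folders are GPOs; PolicyDefinitions (the central store) is not one.
    $found = @(Get-ChildItem -Path $share -Directory |
               Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
               ForEach-Object { $_.Name.ToUpper() })
    $missing = @($gpoNames.Keys | Where-Object { $found -notcontains $_ })
    $missingText = if ($missing.Count) {
        ($missing | ForEach-Object { $gpoNames[$_] }) -join ', '
    } else { '-' }
    [pscustomobject]@{ DC = $dc; Present = $found.Count; Missing = $missingText }
}

# DCs with the fewest policy folders come first; those are the replicas to look at.
$report | Sort-Object Present | Format-Table -AutoSize
```

A DC listed with fewer present folders than the one holding the full set is the replica to investigate (FRS or DFS-R health) before copying folders across by hand, which, as the next reply notes, only masks the replication fault.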
 
Yes, \\domain\SYSVOL and \\domain.xxx\SYSVOL should be the same.

Yes, you should copy the missing GPOs over. This doesn't fix the real problem but it may help fix your smaller issue.
 
After manually copying over the policies and a gpupdate /force I am happy to admit success. Now I have to further tweak my policies to make them perform exactly how I want them to. Now I'm off to try and fix my replication problem. Hopefully I can fix that easily enough (cross your fingers); if not, I know where to look for answers (albeit another thread). Thanks again for your help.
 