Re: Group Policy - Terminal Server

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 14:21:54 -0700

Ok. So, the first thing to check is to make sure your TS boxes are actually
getting that policy applied to them. Log onto one of them and run the
gpresult.exe tool from the Win2K resource kit. It should tell you if the
loopback policy is being applied.

-- 
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
"DMC" <DMC@discussions.microsoft.com> wrote in message 
news:34392FF1-F1AA-48F3-B7DE-0BE766CDF1FC@microsoft.com...
> Thank you for responding.
>
> So I have done just as you have said.  I have an OU called 'MyUsers' where
> all of the user accounts sit.  There is a GPO linked to this OU called
> 'MyUsersGPO.'  This contains some not-so-restrictive settings.
>
> I also have a 'TerminalServer' OU.  In this OU I have placed my Windows 2000
> Application Terminal Server(s).  I have also created a GPO Called 'TS' and
> have linked it to this OU.  This GPO also contains restricted settings.  I
> have the following setting enabled:
>
> [Computer Configuration\Admin Templates\System\Group Policy]
>
> Enable the following setting:
> User Group Policy loopback processing mode
>
> I have selected replace and NOT merge.
>
> I have recreated the GPOs a number of times.  This is driving me nuts.  I
> know it's probably one small thing.
>
> When I log on with an account from 'MyUsers' OU onto a Terminal Server in
> the 'TerminalServer' OU, no settings are applied.  BUT when I, for testing
> purposes, move the user object from the 'MyUsers' OU to the 'TerminalServer'
> OU, the settings are applied.
>
> It's like the loopback processing is not happening.  I have even tried going
> to the permissions tab of the 'TerminalServer' GPO and adding the specific
> user and giving him the 'Read' and 'Apply Group Policy' rights manually to
> make sure there was no problem there.
>
> I am totally frustrated now.  I have looked at it a thousand times.  It's
> just not working.  Any ideas?
>
> "Darren Mar-Elia" wrote:
>
>> I'm not sure how 315675 applies in this case. Maybe this will help. Here's
>> how loopback is supposed to work. I create an OU and put my Terminal Servers
>> only into it. Then, I create a GPO linked to that TS OU. In that GPO, I
>> enable loopback policy processing, most commonly selecting the "replace"
>> option. Within that TS GPO, I also specify some User Configuration Settings
>> to lock down users who log onto the TS, as shown in Q278295.  Ok. Now I have
>> a user account who is in a different OU. By virtue of their "normal" OU
>> membership, they get certain user configuration policy that is not locked
>> down and not restricted when they log onto their normal desktops. However,
>> when they log onto a TS, they are subject to the user configuration
>> delivered by the loopback policy, which replaces their normal, open desktop.
>> Then, when they go back to their normal desktop, the loopback user settings
>> are removed and they again get their normal desktop settings. During this
>> time, the user object itself does not move OUs. That is how loopback is
>> supposed to work. What part of that is not working for you?
>>
>>
>> -- 
>> Darren Mar-Elia
>> MS-MVP-Windows Management
>> http://www.gpoguy.com
>>
>>
>>
>> "DMC" <DMC@discussions.microsoft.com> wrote in message
>> news:D7FFB902-461F-4A63-9F07-5AC804BAD2D5@microsoft.com...
>> >I know it defeats the purpose, which is why I am posing this question.
>> >
>> > I am taking the information straight from Q278295 and Q315675.
>> >
>> > The settings won't apply for a user that is a member of a different OU.
>> >
>> > Anything I can do to verify my settings?
>> >
>> > "Darren Mar-Elia" wrote:
>> >
>> >> If you followed that article and are using loopback policy on that TS OU,
>> >> then it should work as expected. The problem I see from your description is
>> >> that you say you are moving the test user account into the TS OU. That sort
>> >> of defeats the purpose of using loopback because then that user is only
>> >> subject to the policy that they receive within that TS OU.
>> >>
>> >> -- 
>> >> Darren Mar-Elia
>> >> MS-MVP-Windows Management
>> >> http://www.gpoguy.com
>> >>
>> >>
>> >>
>> >> "DMC DMC" <DMC DMC@discussions.microsoft.com> wrote in message
>> >> news:F9485E8D-FFDB-41C6-8C62-EB7BB30797AA@microsoft.com...
>> >> > I have a quick question.  I have a number of OUs, one of them specifically
>> >> > for our Terminal Servers.  I have created a separate GPO specifically for
>> >> > this OU.
>> >> >
>> >> > I followed article http://support.microsoft.com/?id=260370.
>> >> >
>> >> > I have done this because I want specific policy elements for users' terminal
>> >> > server sessions.  i.e. No Shutdown of computer.  At the same time, if the user
>> >> > logs on to a full desktop setting, I want a different set of policy elements.
>> >> >
>> >> > How can I do this?
>> >> >
>> >> > As soon as I move one of the test user accounts into the Terminal Server OU,
>> >> > the user inherits the settings of the TS GPO.  The problem with this is, I do
>> >> > not want them getting this policy when they log onto a non-Terminal Server
>> >> > computer.
>> >> >
>> >> > Is there any way around this?
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>> 
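
Added example, not part of the original thread: a PowerShell sketch of the check suggested above, reading the loopback mode that Group Policy records on the Terminal Server and showing which GPOs would then supply the user settings. The function names are hypothetical, the GPO names 'MyUsersGPO' and 'TS' are taken from the thread, and the model assumes no security filtering, WMI filters or blocked inheritance.

```powershell
# Added illustration; function names are hypothetical, GPO names come from the thread.

function Get-LoopbackMode {
    # Group Policy stores the loopback setting for the computer in this value:
    # UserPolicyMode 1 = Merge, 2 = Replace. If the value is absent, the
    # computer never received a GPO that enables loopback.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'None' }
    switch ($item.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'None' }
    }
}

function Resolve-UserPolicySource {
    # Simplified model of which GPOs contribute User Configuration settings.
    param(
        [string[]]$UserOuGpos,      # GPOs in scope for the user object's OU
        [string[]]$ComputerOuGpos,  # GPOs in scope for the computer object's OU
        [ValidateSet('None', 'Merge', 'Replace')]
        [string]$Mode
    )
    switch ($Mode) {
        # No loopback: only the GPOs that follow the user object apply.
        'None'    { $UserOuGpos }
        # Merge: the user's GPOs first, then the computer's; the later ones win on conflict.
        'Merge'   { $UserOuGpos + $ComputerOuGpos }
        # Replace: the user's own GPOs are ignored on this computer.
        'Replace' { $ComputerOuGpos }
    }
}

# Run on the Terminal Server itself.
$mode = Get-LoopbackMode
'{0}: loopback mode = {1}' -f $env:COMPUTERNAME, $mode

# With the thread's layout: 'Replace' yields only 'TS'; 'None' yields only
# 'MyUsersGPO', which matches the symptom of the TS lockdown not appearing.
Resolve-UserPolicySource -UserOuGpos 'MyUsersGPO' -ComputerOuGpos 'TS' -Mode $mode
```

A result of 'None' on the server means the computer half of the 'TS' GPO is not reaching the machine, so the link, the location of the computer account and a policy refresh or reboot are the things to check before looking at the user side.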

