Re: Computer componet of GP not being applied
From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 09/16/04
- Next message: Mark Renoden [MSFT]: "Re: Computer componet of GP not being applied"
- Previous message: Peter: "Re: where is sp2 .adm template ??"
- In reply to: Andrew: "Re: Computer componet of GP not being applied"
- Next in thread: Mark Renoden [MSFT]: "Re: Computer componet of GP not being applied"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 17 Sep 2004 09:14:27 +1000
Hi Andrew
I've had a read back over the thread and I'm still curious to know:
When you open the GPO for editing, there are two sections. Computer
Configuration and User Configuration. I would expect that anything set in
the Computer Configuration section is successfully applying. Is this
correct?
Can you tell me more about the user accounts? They are domain users? What
groups to they belong to besides the groups you are looking at?
The groups you are using ... are they Domain local groups or are they groups
local to the Terminal Server only?
Kind regards
-- Mark Renoden [MSFT] Windows Platform Support Team Email: markreno@online.microsoft.com Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group. This posting is provided "AS IS" with no warranties, and confers no rights. "Andrew" <arheaume@bridgetech.com> wrote in message news:e0q$oi%23mEHA.3628@TK2MSFTNGP09.phx.gbl... > The permissions on the security tab are: > Authenticated users: Read + Apply GP > Creator Owner: Blank > Domain Admins: everything but full control > Enterprise Admins: everything but full control > System: everything but full control and apply policy > > The loopback is set to replace > > "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message > news:eF7bHXsmEHA.404@TK2MSFTNGP12.phx.gbl... >> Hi Andrew >> >> I can understand if the User Configuration portion of the GPO is not >> applying. That is quite possibly related to groups and permissions. I >> would expect that anything in the Computer Configuration portion of the > GPO >> is applying as expected? >> >> Is the loopback set to merge or replace? >> >> By "non-standard permissions", I mean what are the permissions on the >> GPO? >> If you look at the properties of the OU in which the Terminal Server > resides >> and then the Group Policy tab, select the GPO you're having trouble with, >> click Properties and then look at the Security tab. What permissions are >> set here? >> >> Kind regards >> -- >> Mark Renoden [MSFT] >> Windows Platform Support Team >> Email: markreno@online.microsoft.com >> >> Please note you'll need to strip ".online" from my email address to email >> me; I'll post a response back to the group. >> >> This posting is provided "AS IS" with no warranties, and confers no > rights. >> >> "Andrew" <arheaume@bridgetech.com> wrote in message >> news:e3tg$rlmEHA.392@tk2msftngp13.phx.gbl... >> > It all seems to be linked to the local user groups on the terminal > server. >> > When they are in the admin local group, I get all the locked down >> > settings, >> > but if I move the user to the local user group they are not locked >> > down...suchs as I can open a dos prompt and execute commands. >> > Not sure what you mean by "non-standard permissions" >> > Yes, the loopback is applied. >> > The user are in a different OU then the Terminal Server. >> > >> > "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message >> > news:OUBm1eUmEHA.2180@TK2MSFTNGP12.phx.gbl... >> >> Hi Andrew >> >> >> >> This doesn't sound right. Computer Configuration settings are applied >> >> before login and as such, have nothing to do with the user account. >> >> >> >> Do you have any non-standard permissions set on the GPO? >> >> >> >> Are you using policy loopback? >> >> >> >> Are the user accounts in a different OU or the same OU as the Terminal >> >> Server? >> >> >> >> Kind regards >> >> -- >> >> Mark Renoden [MSFT] >> >> Windows Platform Support Team >> >> Email: markreno@online.microsoft.com >> >> >> >> Please note you'll need to strip ".online" from my email address to > email >> >> me; I'll post a response back to the group. >> >> >> >> This posting is provided "AS IS" with no warranties, and confers no >> > rights. >> >> >> >> "Andrew" <arheaume@bridgetech.com> wrote in message >> >> news:%237MITsSmEHA.3712@TK2MSFTNGP15.phx.gbl... >> >> > I'm restricting computer settings for terminal server clients via > group >> >> > policies using a windows 2003. My problem is when the user logs in > via >> >> > terminal services and their account in located in the local >> > Administrators >> >> > group on the Terminal Server the group policies (user/computer) are >> >> > applied. >> >> > This is good. Now I would like to move the Terminal server users > from >> > the >> >> > local administrator group to the local users group on the Terminal >> > server. >> >> > When I do this, the user component of the group policy is applied >> >> > but >> > not >> >> > the computer component. I have verified this using gpresult. >> >> > >> >> > Any insight on this issue would be appreciated. >> >> > >> >> > >> >> >> >> >> > >> > >> >> > >
- Next message: Mark Renoden [MSFT]: "Re: Computer componet of GP not being applied"
- Previous message: Peter: "Re: where is sp2 .adm template ??"
- In reply to: Andrew: "Re: Computer componet of GP not being applied"
- Next in thread: Mark Renoden [MSFT]: "Re: Computer componet of GP not being applied"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
