Re: GP loopback processing on Windows 2003 terminal service, strange problem!


From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: 12/20/04


Date: Tue, 21 Dec 2004 09:22:59 +1100

Hi

My suggestion would be to return the permissions on the GPO to the defaults
so that Authenticated Users have read and apply. Next, enable user
environment debug logging at the verbose level, reboot the server and log on
as the administrator, then harvest the logs ...

221833 How to enable user environment debug logging in retail builds of
Windows
http://support.microsoft.com/?id=221833

These logs usually show you what's applying from where, what's not and why.
You'll typically want the log to reflect one reboot and one logon to avoid
confusion, so if you need to make a couple of attempts, just delete or rename
the existing log so that it starts from scratch on the next reboot.

HTH

-- 
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com
Please note you'll need to strip ".online" from my email address to email 
me; I'll post a response back to the group.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message 
news:eA9QEeA5EHA.3124@TK2MSFTNGP11.phx.gbl...
> You should not have to go through all that to get the policy to work 
> consistently. Once it applies to a user, it should stay that way unless it 
> is changed or another policy is overriding it assuming the domain is 
> configured correctly. Look in Event Viewer on the servers to see if any 
> pertinent errors are reported and make sure that the Windows 2003 built in 
> firewalls are disabled. Make sure that the user you are trying out that is 
> having inconsistent policy applied to is not a member of  the 
> administrators group.
>
> Loopback processing can be configured to be either merge or replace mode, 
> so I would make sure it is in replace mode. The other thing to check is 
> that dns is configured correctly in the domain. Since you have one domain 
> controller, make sure it is pointing to only itself as its preferred dns 
> server, as shown via Ipconfig /all, and of course it should have a 
> static IP. Check that your other W2003 Server points ONLY to the domain 
> controller as its preferred dns server and NEVER have an ISP dns server 
> listed in the preferred dns server list of any domain computer or all 
> kinds of problems can occur. You might also want to test your dc with the 
> support tools netdiag and dcdiag and the W2003 Server TS with netdiag 
> looking for any pertinent errors.  --- Steve
>
>
> "Johan H" <write2johan@hotmail.com> wrote in message 
> news:OEMu2LA5EHA.2592@TK2MSFTNGP09.phx.gbl...
>> Got one Windows 2003 Server as a DC and one Windows 2003 Server as a
>> Terminal Service (program server).
>> Created an OU and placed the TS machine in it. This OU has its own GP
>> that locks down this machine (users are only allowed to start one
>> program). The GP has "Loopback Processing" activated to override
>> any other GPs when logging on to the TS server.
>> When logging on as an administrator, the GP won't load until I do a
>> manually "gpupdate" in the CMD window.
>> Same thing if logging on as a user, the GP won't load. Running
>> "gpupdate" doesn't have any effect. When running "gpresult", only the
>> "User GP" shows. Is this some kind of security problem? E.g. the user
>> is not local administrator on this TS server?
>> After I log on as administrator and run the gpupdate, the policy
>> seems to load. Next time I logon as an administrator the policy is
>> loaded.
>> After this, logging on as the user, everything is OK!
>> But... I don't want the administrator to be prohibited from using the
>> admin functions through TS.
>> I added the "Administrators" group to the GP's security tab and set
>> the security to "Deny Apply Group Policy".
>> Fine so far, now logging on as an administrator the lockdown GP won't
>> load.
>> BUT!
>> After a while, the USERS also lose the lockdown GP. Not on the
>> first login (after the "Deny" security was added for admins), not on
>> the second... But suddenly the GP is not loaded anymore!
>> To get it back, I'll have to remove the admin "Deny Apply GP", logon
>> as an admin, run the "gpupdate" and THEN the lockdown GP is again
>> loaded when users logon.
>> Why is this?
>
> 
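The following is an added example, not code from anyone in the thread. It turns the advice above into a checklist: audit the lockdown GPO's security filtering for Deny entries and confirm Authenticated Users still have Read and Apply (Mark's "return to defaults"), report which loopback mode the GPO sets (Steve's "make sure it is replace"), and switch on verbose userenv logging per KB 221833 with a fresh log for one reboot and one logon, as Mark describes. It assumes the RSAT GroupPolicy PowerShell module (Windows Server 2008 R2 / RSAT or later; it does not exist on the Windows 2003 hosts in the thread) and a GPO named "TS Lockdown", which is a hypothetical name.

```powershell
# Added example (not from the thread). Checklist for the GP loopback problem discussed above.
# Assumptions: RSAT GroupPolicy module; GPO name "TS Lockdown" is hypothetical.
# Run steps 1-2 from a domain member with RSAT; run step 3 on the Terminal Server itself, elevated.
param(
    [string]$GpoName = 'TS Lockdown',   # hypothetical GPO name, substitute your own
    [switch]$EnableUserenvLogging       # step 3 is opt-in because it modifies the local registry
)

Import-Module GroupPolicy -ErrorAction Stop

# --- 1. Security filtering on the GPO ---------------------------------------------------
$perms = Get-GPPermission -Name $GpoName -All
$perms |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied, Inherited |
    Format-Table -AutoSize

# A Deny ACE is what Johan added for Administrators and what Mark suggests reverting.
$perms | Where-Object Denied | ForEach-Object {
    Write-Warning ("Deny ACE on '{0}' for {1} ({2})" -f $GpoName, $_.Trustee.Name, $_.Permission)
}

# Default filtering: Authenticated Users with GpoApply (Apply implies Read).
$authApply = $perms | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' -and -not $_.Denied
}
if (-not $authApply) {
    Write-Warning "Authenticated Users do not have Read + Apply on '$GpoName'."
    # Remediation, uncomment after review:
    # Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
}

# --- 2. Loopback processing mode --------------------------------------------------------
# The policy writes HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode:
# 1 = Merge, 2 = Replace. Get-GPRegistryValue throws if the GPO does not set the value.
try {
    $mode = (Get-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode').Value
    switch ($mode) {
        1       { 'Loopback: Merge' }
        2       { 'Loopback: Replace' }
        default { "Loopback: unexpected value $mode" }
    }
} catch {
    Write-Warning "Loopback processing is not configured in '$GpoName'."
}

# --- 3. Verbose userenv logging on the TS server (KB 221833) ----------------------------
# UserEnvDebugLevel = 0x30002 writes a verbose log to %SystemRoot%\Debug\UserMode\Userenv.log
# on Windows 2000/XP/2003. On Vista and later the equivalent is GPSvcDebugLevel under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics, logging to gpsvc.log.
if ($EnableUserenvLogging) {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-ItemProperty -Path $winlogon -Name 'UserEnvDebugLevel' -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null

    # One reboot + one logon per log: rename any existing log so the next boot starts clean.
    $log = Join-Path $env:SystemRoot 'Debug\UserMode\Userenv.log'
    if (Test-Path $log) {
        Rename-Item $log ("Userenv.{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
    }
    Write-Host "Verbose logging enabled. Reboot, log on once, then read $log."
    # Turn it off afterwards: Remove-ItemProperty -Path $winlogon -Name 'UserEnvDebugLevel'
}
```

Read the Userenv.log for the lines that list each GPO considered for the user and the reason it was or was not applied; compare that against the permission table from step 1 and against `gpresult /scope:user /v` run in the same session. Remove the debug level once finished, since the verbose log records every logon on the server.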

