GP/OU Problem/Question



In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
DC and a separate Windows 2003 member server as the TS. I am having a
problem getting any Group Policy changes to take effect for an XP Pro
client that logs into the TS --using what I thought was the proper
method of setting this up. Here are my notes on what I have done so
far:

1. Create OU & GPO for the TS:
a. In AD of DC, create an OU called: 'Terminal Servers'
b. Move TS machine into this OU.
c. Right click 'Terminal Servers' OU, and go to properties. Click on
GP tab
d. Click 'New' and name GP (ex, TS Users GP)

2. Create TestUser(s) in AD:

a. Create username/password (ex., TestUser1)
b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
Users
- If creating a separate Security Group for 'TS Users', do not make
user member of RDU. Make the Security group (Step 3) member of RDU.

3. Create Security Group for TS Users & TS desktop

a. Create a new Security group called 'TS Users' in AD.
b. Ensure the 'TS Users' group is a member of RDU group.
c. Populate the 'TS Users' group with the user account(s) --here, the
TestUser1 account
d. Test login to the TS with a user account = ok

4. Edit GPO & Setup Edit for test:

a. In the User Configuration of the GPO, enabled 'Remove My Computer'
icon from Start menu
b. Enabled loopback processing
c. On the Security Tab of the GP, added the TS Machine and the 'TS
Users' Security group with Read & Apply settings
d. gpupdate /force on DC


Problem:

The edit to the GP does not work...the 'My Computer' icon remains when I
log in to the TS from the XPP client. I had begun with Folder
redirection and it wasn't working so I tried something simpler.

Resolution?

Based on what I read in a NG posting, I moved my 'Testuser1' user
account into the OU with the TS machine and the GP works!
Everything (most anyway) I researched prior to this setup indicated to
not put the user accounts into the new OU. If I move the Security
Group I created into the OU (of which TestUser1 is a member) the GP
does not work...

What is the correct way to apply a GP to a group of Users, such as the
group 'TS Users'?
PS: I also read the article "Understanding Group Policy in a TS
Environment" in which two GPOs are linked to the new OU - one for the
machine & one for the user configuration. Is this a better method?

Confused!
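
Added example, not part of the original post: a simplified Python model of how the User Configuration part of a GPO reaches a user at logon, with and without loopback processing. The computer name TS01, the loopback mode "replace" and the "Users" container for TestUser1 are assumptions; only link scope, security filtering and loopback are modelled (no inheritance blocking, enforcement or WMI filters).

```python
from dataclasses import dataclass

@dataclass
class Principal:
    name: str
    ous: tuple            # containers from the domain root down to the object
    groups: frozenset = frozenset()

@dataclass
class GPO:
    name: str
    linked_ou: str
    apply_to: frozenset   # principals/groups granted Read + Apply Group Policy
    loopback: str = None  # None, "replace" or "merge" (a Computer Configuration setting)

def applies(gpo, scope_of, filtered_as):
    """Link scope comes from scope_of's OU path; security filtering is checked for filtered_as."""
    ids = {filtered_as.name} | filtered_as.groups
    return gpo.linked_ou in scope_of.ous and bool(gpo.apply_to & ids)

def user_config_gpos(gpos, user, computer, computer_refreshed=True):
    """Names of GPOs whose User Configuration is processed at logon on `computer`."""
    normal = [g.name for g in gpos if applies(g, user, user)]
    # Loopback is read from the computer's own policy, so the computer must have
    # processed a GPO that enables it before it changes anything for users.
    mode = None
    if computer_refreshed:
        for g in gpos:
            if g.loopback and applies(g, computer, computer):
                mode = g.loopback
    if mode is None:
        return normal
    # With loopback, GPOs in the computer's scope supply the user settings,
    # still subject to the user's Read + Apply permission.
    looped = [g.name for g in gpos if applies(g, computer, user)]
    if mode == "replace":
        return looped
    return normal + [n for n in looped if n not in normal]

# Constructed lab data mirroring the post (TS01 and the "replace" mode are assumptions).
TS = Principal("TS01$", ("Terminal Servers",))
USER = Principal("TestUser1", ("Users",), frozenset({"Domain Users", "TS Users"}))
MOVED = Principal("TestUser1", ("Terminal Servers",), USER.groups)
GPOS = [GPO("TS Users GP", "Terminal Servers", frozenset({"TS01$", "TS Users"}), "replace")]

if __name__ == "__main__":
    print(user_config_gpos(GPOS, USER, TS))                            # loopback in effect on the TS
    print(user_config_gpos(GPOS, USER, TS, computer_refreshed=False))  # TS has not processed the GPO
    print(user_config_gpos(GPOS, MOVED, TS, computer_refreshed=False)) # user object inside the OU
```

The location of a group object is not an input to the model: link scope is evaluated from where the user and computer objects sit, and groups only matter for security filtering.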