Re: GP/OU Problem/Question
- From: moncho <moncho@xxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Feb 2008 14:38:39 GMT
compsosinc@xxxxxxxxx wrote:
> On Feb 15, 6:56 am, moncho <mon...@xxxxxxxxxxxxxxxxx> wrote:
>> compsos...@xxxxxxxxx wrote:
>>> In a VirtualPC setup (test lab), I am using Windows 2003 Server as a
>>> DC and a separate Windows 2003 member server as the TS. I am having a
>>> problem getting any Group Policy changes to take effect for an XP Pro
>>> client that logs into the TS --using what I thought was the proper
>>> method of setting this up. Here are my notes on what I have done so
>>> far:
>>> 1. Create OU & GPO for the TS:
>>> a. In AD of DC, create an OU called: 'Terminal Servers'
>>> b. Move TS machine into this OU.
>>> c. Right click 'Terminal Servers' OU, and go to properties. Click on
>>> GP tab
>>> d. Click 'New' and name GP (ex, TS Users GP)
>>> 2. Create TestUser(s) in AD:
>>> a. Create username/password (ex., TestUser1)
>>> b. Ensure that TestUser1 is a member of Domain Users & Remote Desktop
>>> Users
>>> - If creating a separate Security Group for 'TS Users', do not make
>>> user member of RDU. Make the Security group (Step 3) member of RDU.
>>> 3. Create Security Group for TS Users & TS desktop
>>> a. Create a new Security group called 'TS Users' in AD.
>>> b. Ensure the 'TS Users' group is a member of RDU group.
>>
>> Make sure you add 'TS Users' group to the local 2003 TS server
>> RDU group.
>>
>>> c. Populate the 'TS Users' group with the user account(s) --here, the
>>> Testuser1 account
>>> d. Test login to the TS with a user account = ok
>>> 4. Edit GPO & Setup Edit for test:
>>> a. In the User Configuration of the GPO, enabled 'Remove My Computer'
>>> icon from Start menu
>>> b. Enabled loopback processing
>>
>> I have found it easier and more reliable to put the loopback processing
>> in the Computer Configuration section of its own GPO in the
>> Terminal Servers OU. Also, you may want to set it to "replace"
>> mode.
>> Create a UserConfig GPO in the Terminal Server OU and with only your
>> security group.
>>
>>> c. On the Security Tab of the GP, added the TS Machine and the 'TS
>>> Users' Security group with Read & Apply settings
>>
>> You will want to remove the Authenticated Users group also.
>>
>>> b. Gpupdate /force on DC
>>> Problem:
>>> The edit to the GP does not work...the 'My Computer' icon remains when I
>>> login into the TS from the XPP client. I had begun with Folder
>>> redirection and it wasn't working so I tried something simpler..
>>> Resolution?
>>> Based on what I read in a NG posting, I moved my 'Testuser1' user
>>> account into the OU with the TS machine and the GP works!
>>> Everything (most anyway) I researched prior to this setup indicated to
>>> not put the user accounts into the new OU. If I move the Security
>>> Group I created into the OU (of which TestUser1 is a member of) the GP
>>> does not work...
>>
>> You do not want to put users in the Terminal Servers OU. This OU
>> should be for TS servers only, not users.
>>
>>> What is the correct way to apply a GP to a group of Users, such as the
>>> group 'TS Users'?
>>> PS I also read article "Understanding Group Policy in a TS
>>> Environment" in which two GPO are linked to the new OU - one for the
>>> machine & one for the user configuration. Is this a better method?
>>
>> I like to do it this way myself. It helps to keep things simplified.
>> At least for me.
>> Basic setup will be:
>> OU for TS servers
>> ComputerConfig GPO for TS Servers with Loopback processing set to
>> replace mode in the Computer Section of the GPO.
>> UserConfig GPO - remove Authenticated Users, add TS Users group.
>> - Set all the settings you like in the User section of the GPO
>> - Start small and add more later.
>> Add TS Users group to local TS server RDU group.
>> You should be good to go.
>> You may want to check http://www.sessioncomputing.com/how-to.htm
>> also. Loads of info here.
>> moncho
>
> Thank you both very much for replying. I have the GP working and here
> are the things I did to make it work. I just do not know what fixed it
> (made more than one thing or all did):
> 1. On the GP of the TS OU, I removed Authenticated users from the
> Security tab (Filtering). I ensured that the TS machine and the 'TS
> Users' group was listed and had Read/Apply rights.

This is to stop the GP from applying to a user in the Administrator
group. You do not want all the restrictions on the admin.

> 2. On the GP, checked 'Block Policy Inheritance' -- I read this in
> another article but do not see it mentioned often so had originally
> not done this.
> 3. Made the 'TS Users' group a member of the Local Remote Desktop
> Users on the TS.
> 4. Ran gpupdate /force on the TS, not the DC. Did not know this...and
> not sure I understand why this is done on the TS when the DC has
> Active Directory.

You run gpupdate /force on the system that you want to update (i.e. TS
server or desktop). It "grabs" the new policy "from" A/D.

> Question(s):
> 1. Vera, you mention running 'Resultant Set of Policies'. How is that
> done specifically -either for a Security group or an individual User?
> I should know how to do this for future troubleshooting...I have read
> that you need the Resource Kit to do this?

You will do this on a machine or individual user. It can be done from
within the GPMC.
Right Click on Group Policy Results -> Group Policy Results Wizard.
If you have Windows Firewall enabled on the machine you are
trying to get the results from, it may block the Wizard. I do not know
what ports to open for this to work correctly. Maybe Vera knows.

> 2. With regards to setting up separate GPOs, one for the Computer
> Configuration and one for the Users, what is considered best practice?

Like I mentioned earlier, I think creating two OU's is better. By
keeping the Computer Config GPO with loopback processing separate, it is
easier on other admins (IMHO). I believe this should be a best
practice if it is not already. To me, loopback processing is
a "big time" change and should be in its own GPO. Especially for
troubleshooting purposes.

moncho
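
The "Basic setup" moncho outlines above, scripted as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (available from Windows Server 2008 R2, later than the Windows 2003 lab in the thread); the domain example.test, the TS computer account TS01 and both GPO names are placeholders.

```powershell
# Added example. Placeholders (not from the thread): domain example.test,
# TS computer account TS01, and the two GPO names below.
Import-Module GroupPolicy

$ou        = 'OU=Terminal Servers,DC=example,DC=test'
$compGpo   = 'TS Computer Config'
$userGpo   = 'TS User Config'
$tsGroup   = 'TS Users'
$tsMachine = 'TS01'

# --- Run on a management host with GPMC/RSAT ---

# 1. Computer GPO that carries only loopback processing.
#    UserPolicyMode: 1 = merge, 2 = replace.
New-GPO -Name $compGpo | New-GPLink -Target $ou | Out-Null
Set-GPRegistryValue -Name $compGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 2. User GPO linked to the same OU. Security filtering: grant Read/Apply
#    to the TS Users group and the TS computer account first, then remove
#    Authenticated Users so admins logging on to the TS are not restricted.
New-GPO -Name $userGpo | New-GPLink -Target $ou | Out-Null
Set-GPPermission -Name $userGpo -TargetName $tsGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo -TargetName $tsMachine `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Review the resulting filter before testing a logon.
Get-GPPermission -Name $userGpo -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# --- Run on the terminal server itself ---

# 3. Allow the group to log on over RDP, then pull the new policy from AD.
net localgroup 'Remote Desktop Users' "EXAMPLE\$tsGroup" /add
gpupdate /force

# 4. After TestUser1 has logged on once, report which GPOs applied or
#    were filtered out (the scripted form of the Group Policy Results Wizard).
Get-GPResultantSetOfPolicy -Computer $tsMachine -User 'EXAMPLE\TestUser1' `
    -ReportType Html -Path "$env:TEMP\ts-rsop.html"
```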