Re: GP/OU Problem/Question




Vera Noest [MVP] wrote:
compsosinc@xxxxxxxxx wrote on 15 feb 2008 in
microsoft.public.windows.terminal_services:

On Feb 15, 9:38 am, moncho <mon...@xxxxxxxxxxxxxxxxx> wrote:
compsos...@xxxxxxxxx wrote:
On Feb 15, 6:56 am, moncho <mon...@xxxxxxxxxxxxxxxxx> wrote:
compsos...@xxxxxxxxx wrote:
In a VirtualPC setup (test lab), I am using Windows 2003
Server as a DC and a separate Windows 2003 member server as
the TS. I am having a problem getting any Group Policy
changes to take effect for an XP Pro client that logs into
the TS --using what I thought was the proper method of
setting this up. Here are my notes on what I have done so far:
1. Create OU & GPO for the TS:
a. In AD of DC, create an OU called: 'Terminal Servers'
b. Move TS machine into this OU.
c. Right click 'Terminal Servers' OU, and go to properties.
Click on GP tab
d. Click 'New' and name GP (ex, TS Users GP)
2. Create TestUser(s) in AD:
a. Create username/password (ex., TestUser1)
b. Ensure that TestUser1 is a member of Domain Users &
Remote Desktop Users
- If creating a separate Security Group for 'TS Users',
do not make the user a member of RDU. Make the Security group (Step 3) a member
of RDU.
3. Create Security Group for TS Users & TS desktop
a. Create a new Security group called 'TS Users' in AD.
b. Ensure the 'TS Users' group is a member of RDU group.
Make sure you add 'TS Users' group to the local 2003 TS
server RDU group.
c. Populate the 'TS Users' group with the user account(s)
--here, the TestUser1 account
d. Test login to the TS with a user account = ok
4. Edit GPO & Setup Edit for test:
a. In the User Configuration of the GPO, enabled "Remove
My Computer icon from Start menu"
b. Enabled loopback processing
I have found it easier and more reliable to put the loopback
processing in the Computer Configuration section of its own GPO in the
Terminal Servers OU. Also, you may want to set it to
"replace" mode.
Create a UserConfig GPO in the Terminal Server OU and with
only your security group.
c. On the Security Tab of the GP, added the TS Machine and
the 'TS Users' Security group with Read & Apply settings
You will want to remove the Authenticated Users group also.
d. gpupdate /force on DC
Problem:
The edit to the GP does not work... the 'My Computer' icon
remains when I log into the TS from the XPP client. I had begun with
Folder redirection and it wasn't working so I tried
something simpler. Resolution?
Based on what I read in a NG posting, I moved my
'TestUser1' user account into the OU with the TS machine
and the GP works! Everything (most anyway) I researched
prior to this setup indicated not to put the user accounts into the new OU. If I move the
Security Group I created into the OU (of which TestUser1 is
a member) the GP does not work...
You do not want to put users in the Terminal Servers OU.
This OU should be for TS servers only, not users.
What is the correct way to apply a GP to a group of Users,
such as the group 'TS Users'?
PS I also read the article "Understanding Group Policy in a TS
Environment" in which two GPOs are linked to the new OU - one
for the machine & one for the user configuration. Is this a
better method?
I like to do it this way myself. It helps to keep things
simplified. At least for me.
Basic setup will be:
OU for TS servers
ComputerConfig GPO for TS Servers with Loopback processing
set to replace mode in the Computer Section of the GPO.
UserConfig GPO - remove Authenticated Users, add TS Users
group. - Set all the settings you like in the User section
of the GPO - Start small and add more later.
Add TS Users group to local TS server RDU group.
You should be good to go.
You may want to
check http://www.sessioncomputing.com/how-to.htm also. Loads
of info here.
moncho
Thank you both very much for replying. I have the GP working
and here are the things I did to make it work. I just do not
know what fixed it (I made more than one change, or all of them did):
1. On the GP of the TS OU, I removed Authenticated users from
the Security tab (Filtering). I ensured that the TS machine
and the 'TS Users' group was listed and had Read/Apply
rights.
This is to stop the GP from applying to a user in the
Administrator group. You do not want all the restrictions on
the admin.

2. On the GP, checked 'Block Policy Inheritance' -- I read
this in another article but do not see it mentioned often so
had originally not done this.
3. Made the 'TS Users' group a member of the Local Remote
Desktop Users on the TS.
4. Ran gpupdate /force on the TS, not the DC. Did not know
this... and not sure I understand why this is done on the TS
when the DC has Active Directory.
You run gpupdate /force on the system that you want to update
(i.e. TS server or desktop). It "grabs" the new policy "from"
A/D.



Question(s):
1. Vera, you mention running 'Resultant Set of Policies'. How
is that done specifically - either for a Security group or an
individual User? I should know how to do this for future
troubleshooting... I have read that you need the Resource Kit
to do this?
You will do this on a machine or individual user. It can be
done from within the GPMC.

Right Click on Group Policy Results -> Group Policy Results
Wizard.

If you have Windows Firewall enabled on the machine you are
trying to get the results from, it may block the Wizard. I do
not know what ports to open for this to work correctly. Maybe
Vera knows.



2. With regards to setting up separate GPOs, one for the
Computer Configuration and one for the Users, what is
considered best practice?
Like I mentioned earlier, I think creating two OU's is better.
By keeping the Computer Config GPO with loopback processing
separate, it is easier on other admins (IMHO). I believe this
should be a best practice if it is not already. To me,
loopback processing is a "big time" change and should be in its
own GPO. Especially for troubleshooting purposes.

moncho
Thanks again. You have both been very helpful!

Glad you got it solved. And I believe that the solution was point
3. Made the 'TS Users' group a member of the Local Remote
Desktop Users on the TS.

That was a good catch, moncho, I missed that!

Thanks Vera. I appreciate that.

I wonder if MS could come up with some way in A/D to just add users
to the domain RDU group and be done. That would make life easier.
I know there would need to be a way to limit the domain RDU to
specific machines for security reasons though...

moncho
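The layout moncho describes (a TS-only OU, a computer GPO carrying loopback in Replace mode, a user GPO filtered to the TS Users group, that group in the TS's local Remote Desktop Users group, gpupdate on the TS, then an RSoP check) as an added PowerShell example using the ActiveDirectory and GroupPolicy modules; this is not code from the thread, and the domain corp.example / CORP, host TS01, user TestUser1 and the NoRun test setting are assumptions.

```powershell
# Added example, not from the thread. Assumed: domain corp.example (NetBIOS CORP),
# terminal server TS01, test account TestUser1. Run from a host with RSAT/GPMC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = "DC=corp,DC=example"
$ouDn     = "OU=Terminal Servers,$domainDn"
$ts       = "TS01"
$group    = "TS Users"

# 1. OU that holds only terminal servers (never user accounts); move the TS into it
New-ADOrganizationalUnit -Name "Terminal Servers" -Path $domainDn
Move-ADObject -Identity (Get-ADComputer $ts).DistinguishedName -TargetPath $ouDn

# 2/3. Security group for TS users; users go in the group, the group goes in RDU
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $domainDn
Add-ADGroupMember -Identity $group -Members "TestUser1"
Invoke-Command -ComputerName $ts -ScriptBlock {
    net localgroup "Remote Desktop Users" "CORP\TS Users" /add   # local RDU on the TS
}

# 4a. Computer-side GPO: loopback processing in Replace mode, kept in its own GPO
$gpoC = New-GPO -Name "TS Computer Config" -Comment "Loopback (replace) for TS OU"
Set-GPRegistryValue -Name $gpoC.DisplayName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2     # 1 = merge, 2 = replace
New-GPLink -Name $gpoC.DisplayName -Target $ouDn -LinkEnabled Yes

# 4b. User-side GPO filtered to TS Users. Authenticated Users keeps Read (the GPO
# must stay readable) but loses Apply, so admins logging on are not restricted.
$gpoU = New-GPO -Name "TS User Config"
Set-GPPermission -Name $gpoU.DisplayName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoU.DisplayName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply
# Start small: one test setting (assumed substitute for "Remove My Computer icon")
Set-GPRegistryValue -Name $gpoU.DisplayName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoRun" -Type DWord -Value 1
New-GPLink -Name $gpoU.DisplayName -Target $ouDn -LinkEnabled Yes
Set-GPInheritance -Target $ouDn -IsBlocked Yes            # the poster's step 2

# Policy is pulled by the client, so refresh on the TS (not the DC), then check the
# resultant set for the test user on the TS. Remote RSoP needs RPC/WMI through the
# TS firewall; without it the query (like the GPMC wizard) fails.
Invoke-GPUpdate -Computer $ts -Force
Get-GPResultantSetOfPolicy -Computer $ts -User "CORP\TestUser1" `
    -ReportType Html -Path "C:\Temp\rsop-$ts.html"
```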