Re: No Computer Settings for TS group policy

Run a Resultant Set of Policies for a normal user and a TS. Musat
be something in the permissions, maybe this:
NT AUTHORITY\Authenticated Users Custom No

I'd also post in the group_policy newsgroup, you'll probably get
better help there.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Tm9uY2VudHo=?= <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 06 jun 2008 in
microsoft.public.windows.terminal_services:

Yes, currently I have 2 TS servers in the gpo applying the group
policy with full control. I also have some admin accounts
denying the gpo.

When I log in as an administrator I can see the computer
settings but not as a domain user. These are my current settings
for the GPO

------------------------------------------------------
Terminal Services Lockdown
Data collected on: 6/6/2008 8:35:14 AM show all

Generalhide
Detailsshow
Domain mccoysales.local
Owner Company1\Domain Admins
Created 6/3/2008 9:36:04 AM
Modified 6/6/2008 8:30:02 AM
User Revisions 1 (AD), 1 (sysvol)
Computer Revisions 26 (AD), 26 (sysvol)
Unique ID {D9873791-6759-4AC3-8D1E-71A6E5129E16}
GPO Status Enabled

Linksshow
Location Enforced Link Status Path
Company1 Yes Enabled Company1.local

This list only includes links in the domain of the GPO.
Security Filteringshow
The settings in this GPO can only apply to the following groups,
users, and computers:Name
MCCOYSALES\Enterprise Admins
MCCOYSALES\MCSVR03$
MCCOYSALES\MCSVR04$
NT AUTHORITY\Authenticated Users

WMI Filteringshow
WMI Filter Name None
Description Not applicable

Delegationshow
These groups and users have the specified permission for this
GPOName Allowed Permissions Inherited
MCCOYSALES\Admin2 Custom No
MCCOYSALES\Enterprise Admins Read (from Security Filtering) No
MCCOYSALES\Terminal03$ Edit settings, delete, modify security No
MCCOYSALES\Terminal04$ Edit settings, delete, modify security No
MCCOYSALES\Admin1 Custom No
NT AUTHORITY\Authenticated Users Custom No
NT AUTHORITY\SYSTEM Custom No

Computer Configuration (Enabled)hide
Administrative Templateshide
System/Group Policyhide
Policy Setting
User Group Policy loopback processing mode Enabled
Mode: Replace


System/User Profileshide
Policy Setting
Add the Administrators security group to roaming user profiles
Enabled Delete cached copies of roaming profiles Enabled

Windows Components/Internet Explorer/Internet Control
Panel/Advanced Pagehide Policy Setting
Automatically check for Internet Explorer updates Disabled
Empty Temporary Internet Files folder when browser is closed
Enabled Play animations in web pages Disabled
Play sounds in web pages Disabled
Play videos in web pages Disabled

Windows Components/Terminal Serviceshide
Policy Setting
Enforce Removal of Remote Desktop Wallpaper Enabled
Limit number of connections Enabled
TS Maximum Connections allowed 1
Type 999999 for unlimited connections.

Policy Setting
Remove Disconnect option from Shut Down dialog Enabled
Remove Windows Security item from Start menu Enabled
Restrict Terminal Services users to a single remote session
Enabled Set path for TS Roaming Profiles Enabled
Profile path \\mcsvr01\TSProfiles
Specify the path in the form, \\Computername\Sharename
Do not append the user name to the profile path. Disabled

Policy Setting
Set the Terminal Server licensing mode Enabled
Specify the licensing mode for the terminal server. Per User

Policy Setting
Sets rules for remote control of Terminal Services user sessions
Enabled Options: Full Control without user's permission


Windows Components/Terminal Services/Client/Server data
redirectionhide Policy Setting
Allow audio redirection Disabled
Allow Time Zone Redirection Enabled
Do not allow COM port redirection Enabled
Do not allow LPT port redirection Enabled
Terminal Server Fallback Printer Driver Behavior Enabled
When Attempting to Find a Suitable Driver: Default to PCL if one
is not found.


Windows Components/Terminal Services/Sessionshide
Policy Setting
Set time limit for disconnected sessions Enabled
End a disconnected session 30 minutes

Policy Setting
Terminate session when time limits are reached Enabled

User Configuration (Enabled)hide
Windows Settingshide
Folder Redirectionhide
My Documentsshow
Setting: Basic (Redirect everyone's folder to the same
location)show Path: \\%HOMESHARE%%HOMEPATH%
Optionsshow
Grant user exclusive rights to My Documents Enabled
Move the contents of My Documents to the new location Enabled
Policy Removal Behavior Leave contents


"Vera Noest [MVP]" wrote:

Are the TS machine accounts added to the security filtering of
the GPO?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Tm9uY2VudHo=?= <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 05 jun 2008 in
microsoft.public.windows.terminal_services:

Morning,

I am trying to lockdown the desktop on my terminal servers
via a GPO called Terminal Services Lockdown. I used this
guide mainly to get find what I needed. The gpo is applied to
the 2 TS servers as well as a TS user group. When I log in a
testuser I run gpresult and find that my computer settings
are not applying but the user settings are. Any thoughts??

http://www.msterminalservices.org/articles/Managing-Terminal-S
erv ices-Group-Policy.html

Also I remember there being a white paper out about GPO on
Terminal services, anyone know of this??

----------------my gpresults from testuser
Microsoft (R) Windows (R) Operating System Group Policy
Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001

Created On 6/4/2008 at 8:22:59 AM



RSOP data for MCCOYSALES\testuser on MCSVR03 : Logging Mode
------------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server
2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and
Settings\testuser Connected over a slow link?: No


USER SETTINGS
--------------
CN=TestUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysal
es, DC=local Last time Group Policy was applied: 6/4/2008
at 8:22:21 AM Group Policy was applied from:
Group Policy slow link threshold: 500 kbps
Domain Name:
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Services Lockdown
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were
filtered out
----------------------------------------------------------
--- ------
Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)

Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Client Computer
Filtering: Not Applied (Empty)

Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Lockout Policy
Filtering: Disabled (GPO)

WSUS Client Policy
Filtering: Denied (Security)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Wireless Users
Prophet21_Users
CERTSVC_DCOM_ACCESS

.

Relevant Pages