Re: Loopback Policy Not Taking Effect

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance


No, the GPO's (both user config and computer config GPO's) should be linked to the OU of the servers. Have you rebooted your servers yet? sometimes settings like these require a reboot before they will take affect.

Jeff Pitsch
Microsoft MVP - Terminal Services

Noncentz wrote:
Vera,

So let me get this straight before I mess this up even more.

-I created the "Terminal Servers" OU in Users and Computers and placed my Terminal Servers in the OU

- But when I go to GP Management I am NOT supposed to link my lockdown and loopback GPO to the "Terminal Servers" OU but to the OU that holds my TS Accounts.

I am confused because my "Terminal Servers" OU is holding my computer accounts for both my servers. Should I be linking my GPO to the OU that holds all my user accounts instead... sorry I didnt clarify which OU I am linking to?





"Vera Noest [MVP]" wrote:

You don't write to which OU you have linked the GPOs.
Both the Loopback GPO and the LOckdown GPO must be linked to the OU which contains the Terminal Server accounts.

Also make sure that the option "disable Computer configuration" is unchecked in both GPOs (I'm not sure of the exact wording).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Tm9uY2VudHo=?= <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 06 jan 2009 in
microsoft.public.windows.terminal_services:

Afternoon All,

I have been throught this puzzle before only to give up because
I got to busy with other matters but I am once again going to
tackle using GPO to lockdown my TS enviorment.

I have read numerous guides outlining how this process is done
(thx to Vera for the help) using this website as a template:

http://www.msterminalservices.org/articles/Managing-Terminal-Serv
ices-Group-Policy.html

I basically finished the tutorial but I am not seeing the
expected results.

- I went into Users and Computers and created a "Terminal
Servers" OU. Put both TS servers in the group
- I went to GP Management and Created a Loopback Policy as well
ad TS Lockdown Policy and assigned them mostly Computer
Configuration ...... some User level
- When looking at the scope of my GP's I have "Authenticated
Users" being effected including myself for now.

When I loggin to my TS I see that the GPO has been applied to
all users but only the USER CONFIGURATION. It seems as though
the machine settings are being filters????? ... I have no idea
why.......

A good example:

Loopback Policy
Filtering: Not Applied (Empty)

---- I have set the loopback but it is a Computer Configuration
so it is deemed empty

I created a test user that I am logging onto the TS with but
when I run a gpresult I get this back ( Slighly Edited for
Length)

---------------------------------

USER SETTINGS
--------------
CN=Marisa Mckenna,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/6/2009 at 12:47:55 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: MCCOYSALES
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Service Lockdown
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were
filtered out -------------------------------------------------------------
------ Loopback Policy
Filtering: Not Applied (Empty)

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Client Computer
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Web Workplace Users
Wireless Users
Prophet21_Users
Fluid Connector
CERTSVC_DCOM_ACCESS

You all do great work BTW... any help is greatly appreciated.

Noncentz
.

Relevant Pages

  • Re: Loopback Policy Not Taking Effect
    ... Have you rebooted your servers yet? ... Terminal Servers in the OU ... loopback GPO to the "Terminal Servers" OU but to the OU that holds my TS ... ad TS Lockdown Policy and assigned them mostly Computer ...
    (microsoft.public.windows.terminal_services)
  • Re: Account Lockout threshold
    ... All are window 2000 advanced servers with Service pack 3, ... Domain Contoller Security Policy - Account lockout threshold ...
    (microsoft.public.security)
  • Re: Security templates and IUSR account log on locally
    ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
    (microsoft.public.inetserver.iis.security)
  • Re: Preventing users from c onnecting to shares NOT on the domain..
    ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
    (microsoft.public.win2000.networking)
  • Re: Preventing users from c onnecting to shares NOT on the domain..
    ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
    (microsoft.public.win2000.security)