Re: Loopback Policy Not Taking Effect


Jeff,

I think that might be the answer im looking for. I noticed that my user
settings were taking effect when I linked my GPO to the OU with my TS in
ti.......not to mention it made complete sense. I must have to reboot.... I
will update when I do.

Thx Lots
Noncentz

"Jeff Pitsch" wrote:

No, the GPO's (both user config and computer config GPO's) should be
linked to the OU of the servers. Have you rebooted your servers yet?
sometimes settings like these require a reboot before they will take affect.

Jeff Pitsch
Microsoft MVP - Terminal Services

Noncentz wrote:
Vera,

So let me get this straight before I mess this up even more.

-I created the "Terminal Servers" OU in Users and Computers and placed my
Terminal Servers in the OU

- But when I go to GP Management I am NOT supposed to link my lockdown and
loopback GPO to the "Terminal Servers" OU but to the OU that holds my TS
Accounts.

I am confused because my "Terminal Servers" OU is holding my computer
accounts for both my servers. Should I be linking my GPO to the OU that holds
all my user accounts instead... sorry I didnt clarify which OU I am linking
to?





"Vera Noest [MVP]" wrote:

You don't write to which OU you have linked the GPOs.
Both the Loopback GPO and the LOckdown GPO must be linked to the OU
which contains the Terminal Server accounts.

Also make sure that the option "disable Computer configuration" is
unchecked in both GPOs (I'm not sure of the exact wording).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?Tm9uY2VudHo=?= <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 06 jan 2009 in
microsoft.public.windows.terminal_services:

Afternoon All,

I have been throught this puzzle before only to give up because
I got to busy with other matters but I am once again going to
tackle using GPO to lockdown my TS enviorment.

I have read numerous guides outlining how this process is done
(thx to Vera for the help) using this website as a template:

http://www.msterminalservices.org/articles/Managing-Terminal-Serv
ices-Group-Policy.html

I basically finished the tutorial but I am not seeing the
expected results.

- I went into Users and Computers and created a "Terminal
Servers" OU. Put both TS servers in the group
- I went to GP Management and Created a Loopback Policy as well
ad TS Lockdown Policy and assigned them mostly Computer
Configuration ...... some User level
- When looking at the scope of my GP's I have "Authenticated
Users" being effected including myself for now.

When I loggin to my TS I see that the GPO has been applied to
all users but only the USER CONFIGURATION. It seems as though
the machine settings are being filters????? ... I have no idea
why.......

A good example:

Loopback Policy
Filtering: Not Applied (Empty)

---- I have set the loopback but it is a Computer Configuration
so it is deemed empty

I created a test user that I am logging onto the TS with but
when I run a gpresult I get this back ( Slighly Edited for
Length)

---------------------------------

USER SETTINGS
--------------
CN=Marisa
Mckenna,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/6/2009 at 12:47:55 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: MCCOYSALES
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Service Lockdown
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were
filtered out
-------------------------------------------------------------
------
Loopback Policy
Filtering: Not Applied (Empty)

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Client Computer
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Web Workplace Users
Wireless Users
Prophet21_Users
Fluid Connector
CERTSVC_DCOM_ACCESS

You all do great work BTW... any help is greatly appreciated.

Noncentz

.

Relevant Pages

  • Re: restricted groups frustration!
    ... Have you run GPMC Results wizard against one of the intended target servers to ensure they are actually processing that GPO and getting that particular setting. ... you could then enable security policy logging on one of the target servers to see what's up. ... If this is not the desired RSOP, you'll most likely want to create a new gpo with these settings in it and security filter it to 'Domain Computers', which avoids domain controllers. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Applying Custom Security Templates with GPOs
    ... The template (and, therefore, policy) is not being ... privliges to apply the GPO. ... >servers need to reside in that OU or possibly a sub OU. ...
    (microsoft.public.win2000.security)
  • RE: Loopback Policy Not Taking Effect
    ... The fact that the *user* settings from the ... Lockdown GPO (which is linked to the OU containing the Terminal ... So I rebooted both of my Terminal Servers in hopes that the ... - I went to GP Management and Created a Loopback Policy as well ...
    (microsoft.public.windows.terminal_services)
  • Re: TS Srv is also print server. How do you restrict acces / permissions
    ... Create an OU to contain a set of Terminal Servers ... Block Policy Inheritance on the OU. ... Create a GPO called ?TS Machine Policy? ... Check ?Disable Computer Configuration settings? ...
    (microsoft.public.windows.terminal_services)
  • Re: Group Policy Management Console or Gpedit.msc
    ... Group Policy Management Console in a domain environment (if ... Create an OU to contain a set of Terminal Servers ... Create a GPO called "TS Machine Policy" linked to the OU ... Check "Disable Computer Configuration settings" on these GPO ...
    (microsoft.public.windows.group_policy)