RE: Loopback Policy Not Taking Effect
- From: Noncentz <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Jan 2009 09:15:01 -0800
I have been digging into this a lot deeper and I have some theories as to why
this is happening. I set up a fax server that is running WinXP. I set that
server in my Terminal Server OU and logged in as a test user. My gpresult is
edited; here it is:
RSOP results for MCCOYSALES\mmckenna on VSIFAXSERVER : Logging Mode
--------------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: MCCOYSALES
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\mmckenna
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=VSIFAXSERVER,OU=Terminal Servers,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/21/2009 at 7:10:46 AM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
WSUS Client Policy
Loopback Policy
Terminal Service Lockdown
Small Business Server Domain Password Policy
Small Business Server Windows Firewall
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
VSIFAXSERVER$
Domain Computers
Wireless Users
CERTSVC_DCOM_ACCESS
USER SETTINGS
--------------
CN=Marisa Mckenna,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/21/2009 at 8:46:03 AM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Service Lockdown
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
Loopback Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Web Workplace Users
Wireless Users
Prophet21_Users
Fluid Connector
CERTSVC_DCOM_ACCESS
--------------------------------------------------------------
So the computer settings are OK with my Lockdown and Loopback policies on
this, so I figured ... well, like you said, another GP must be filtering my
computer policy from working, so I checked all my GPs to no avail. So I
logged onto the TS with the same user and these are the results of my GP:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
RSOP results for MCCOYSALES\mmckenna on VSIFAXSERVER : Logging Mode
--------------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: MCCOYSALES
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\mmckenna
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=VSIFAXSERVER,OU=Terminal Servers,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/21/2009 at 7:10:46 AM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
WSUS Client Policy
Loopback Policy
Terminal Service Lockdown
Small Business Server Domain Password Policy
Small Business Server Windows Firewall
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
VSIFAXSERVER$
Domain Computers
Wireless Users
CERTSVC_DCOM_ACCESS
USER SETTINGS
--------------
CN=Marisa Mckenna,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/21/2009 at 8:46:03 AM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Service Lockdown
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
Loopback Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Web Workplace Users
Wireless Users
Prophet21_Users
Fluid Connector
CERTSVC_DCOM_ACCESS
------------------------------------------------------------
So... The only other policy that is running on this account is the "Local
Group Policy" given that the "default domain Policy" doesn't have a Computer
Settings Filter, which I checked for to begin with. I logged in as an
administrator and checked my Local Policy Settings on my TS but I cannot seem
to find an option that is filtering my Computer Settings, but I am sure this
is the reason for my unique problem.
Any thoughts.... And sorry this was too long :(
"Vera Noest [MVP]" wrote:
This is really puzzling. The fact that the *user* settings from the
Lockdown GPO (which is linked to the OU containing the Terminal
Servers) are applied, means that the loopback setting *is* in
effect. Because that's exactly what loopback processing does, and
without it, the user settings from the GPOs which are linked to the
OU which contains the user accounts would have been applied.
So why aren't the other computer settings applied?
Are there any settings in the other domain-wide GPOs which are
configured to never be overruled?
And did you double-check that option to disable the computer
settings in the lockdown GPO?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
Noncentz <Noncentz@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 20 jan 2009 in
microsoft.public.windows.terminal_services:
Sorry it took me so long to continue this thread.... Seems people
get bent out of shape about restarting servers.......
So I rebooted both of my Terminal Servers in hopes that the
"computer settings" would be present but alas they are not. I'm
wondering if there is another policy that is stripping the
computer settings before they are implemented in my Lockdown
Policy..... any thoughts
"Noncentz" wrote:
Afternoon All,
I have been through this puzzle before only to give up because
I got too busy with other matters but I am once again going to
tackle using GPO to lock down my TS environment.
I have read numerous guides outlining how this process is done
(thx to Vera for the help) using this website as a template:
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html
I basically finished the tutorial but I am not seeing the
expected results.
- I went into Users and Computers and created a "Terminal
Servers" OU. Put both TS servers in the group
- I went to GP Management and created a Loopback Policy as well
as a TS Lockdown Policy and assigned them mostly Computer
Configuration ...... some User level
- When looking at the scope of my GPs I have "Authenticated
Users" being affected, including myself for now.
When I log in to my TS I see that the GPO has been applied to
all users but only the USER CONFIGURATION. It seems as though
the machine settings are being filtered????? ... I have no idea
why.......
A good example:
Loopback Policy
Filtering: Not Applied (Empty)
---- I have set the loopback but it is a Computer Configuration
so it is deemed empty
I created a test user that I am logging onto the TS with but
when I run a gpresult I get this back (slightly edited for
length)
---------------------------------
USER SETTINGS
--------------
CN=Marisa Mckenna,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 1/6/2009 at 12:47:55 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: MCCOYSALES
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Service Lockdown
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Loopback Policy
Filtering: Not Applied (Empty)
Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista
Small Business Server Client Computer
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Web Workplace Users
Wireless Users
Prophet21_Users
Fluid Connector
CERTSVC_DCOM_ACCESS
You all do great work BTW... any help is greatly appreciated.
Noncentz
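
Added example (not part of any poster's message): a small Python parser for the gpresult text shown in this thread. It separates the COMPUTER SETTINGS and USER SETTINGS sections and marks a user-side "Not Applied (Empty)" entry as computer-side only when the same GPO is listed as applied under COMPUTER SETTINGS, as with Loopback Policy above. The function names and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: trimmed from the gpresult text quoted in this thread.
SAMPLE = """COMPUTER SETTINGS
Applied Group Policy Objects
-----------------------------
Loopback Policy
Terminal Service Lockdown
The computer is a part of the following security groups:
Domain Computers
USER SETTINGS
Applied Group Policy Objects
Terminal Service Lockdown
The following GPOs were not applied because they were filtered out
Loopback Policy
Filtering: Not Applied (Empty)
Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista
"""

def parse_gpresult(text):
    """Return {'COMPUTER'|'USER': {'applied': [...], 'filtered': {gpo: reason}}}."""
    out, side, mode, last = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"(COMPUTER|USER) SETTINGS$", line)
        if head:
            side, mode = out.setdefault(head.group(1), {"applied": [], "filtered": {}}), None
        elif side is None or not line.strip("-"):
            continue                                  # preamble, blank or ruler line
        elif line == "Applied Group Policy Objects":
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif "security groups" in line:
            mode = None                               # group lists are not GPOs
        elif mode == "applied":
            side["applied"].append(line)
        elif mode == "filtered" and line.startswith("Filtering:"):
            side["filtered"][last] = line.split(":", 1)[1].strip()
        elif mode == "filtered" and not line.startswith("WMI Filter:"):
            last = line                               # GPO name precedes its reason
    return out

def explain_user_filtering(report):
    """Map each user-side filtered GPO to 'computer-side only' or its raw filter reason."""
    applied = set(report["COMPUTER"]["applied"])
    return {gpo: "computer-side only" if why == "Not Applied (Empty)" and gpo in applied else why
            for gpo, why in report["USER"]["filtered"].items()}
```

Feed it the full text of `gpresult` output saved to a file; entries that come back with their raw reason (for example a WMI filter denial) are the ones worth a closer look.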