GPO Design not working

Graham Prentice

Can someone tell me the proper way to set up the OUs in this situation?
We have one terminal server with users in 5 locations.
I would like each location to have its own GPO with logon script.
The way I had it set up is Main OU with TS machine object.
Under this OU are 5 branch OUs, one for each location.
Looks good to me but I'm having a devil of a time getting the proper scripts
to run for each location. It appears that if I move the TS object to a
branch, it will work OK - but I only have one TS, how can it be under all of
the 5 branches at once?
The user objects are under the branches ok - but gpresult /z shows the GPO
doesn't run when the TS machine object isn't under the branch.
There must be a way, can somebody assist please?
Graham
 
Mark Renoden [MSFT]

Hi Graham

Are you using policy loopback at any point?

The computer configuration parts of the policy will only apply to the
Terminal Server from the GPOs linked to the OU hierarchy under which the
Terminal Server resides.

The user configuration parts of the policy will only apply to the Users from
the GPOs linked to the OU hierarchy under which the Users reside.

In this situation, you probably don't require the use of policy loopback.
May I suggest:

1. Apply all computer configuration settings in a GPO linked to the OU in
which the Terminal Server resides. These settings will be the same for all
users in all sites because they apply to the server and are user
independent.

2. Apply all user configuration settings that are COMMON to all users in a
GPO linked to the OU in which the Terminal Server resides. Because the User
OUs reside under the Terminal Server OU, these settings will be inherited.

3. Apply all user configuration settings that are specific to each site in a
GPO linked to the relevant OU. Users in each OU will receive these
specific settings.

NOTE: You cannot have computer configuration settings that are different for
each set of Users.

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Graham Prentice

Thanks for the reply Mark,
My structure has a Main OU with 5 child OUs.

The TermServ object resides in the Main OU and the user objects are in each
respective child OUs.

I had (under the user section of the GPO) a logon script adding a printer and
mapping a drive in the GPO of each child OU. They would not take effect
until I moved the TS object under one of the child OUs (as a test).

I have the impression that you must have the w/s object and the user objects
within the OU for it to take effect. From what you're saying, things should
inherit down - but it seems to stop where the TS object resides. What about
the child OUs? How do you associate the users with the terminal server that
is farther up the tree? I would assume that it would just take the user
portion of the GPO and apply it to any server you log on to.

Yes, I did apply the policy loopback 'replace' - should I not? Most of the
users will be WinXPe thin clients - they probably don't need this setting.

When I try logging in, gpresult /z says it didn't run the child GPO.
(It does work, however, if I move the TS object right into that child OU - but
that doesn't help the other 4 sub-OUs.)

I've got domain admins deny and associated users, domain users apply - but
still no go.

Any ideas how to fix this?
Many thanks,

Graham
Mark Renoden [MSFT]

Hi Graham

Turn off policy loopback. The effect of this in replace mode is that it
effectively ignores the policy which applies to the Users and only applies
the user configuration settings that apply to the server (thereby discarding
policy settings applied to the user OU's). Everything should work as you
want once you've done this.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team

Graham Prentice

Tried disabling loopback policy and Merge mode, still no go.
gpresult /z says the sub-GPO is not being processed.
Will try again tomorrow. Thanks again.
Graham

Mark Renoden [MSFT]

Hi Graham

Just to clarify how policy loopback works (which may help you sort this
out):

1. When the computer boots, the list of GPOs for the computer is gathered
based on its location in the Active Directory. This is its SOM or Scope
of Management. The list includes GPOs linked to OUs at each level in the
hierarchy from the OU in which the computer resides all the way up to the
domain.

2. The computer configuration settings from this list are applied to the
computer provided it has permissions to the GPOs.

3. When the user logs in, different behaviour occurs according to the policy
loopback settings:

A. Loopback off - the SOM for the user is calculated and then user
configuration settings applied according to user permissions. The location
of the user account in the AD decides entirely which user configuration
settings are applied.

B. Loopback merge mode - the SOM for the user is calculated as in A. The
user configuration settings from this SOM are applied but at a lower
precedence than the user configuration settings in the computer SOM. Once
again, user permissions allow or prevent application of these settings
regardless of whether they came from the user or computer SOM.

C. Loopback replace mode - the SOM for the user is not considered. The user
configuration settings are applied from the GPOs in the computer SOM
provided they have user permissions.

In your case, where the user OUs are children of the machine OU, you
shouldn't need loopback. Computer configuration settings would apply from
GPOs linked at the OU in which the Terminal Server resides and GPOs linked
above it. User settings would apply from GPOs linked at the OU in which
the User resides and GPOs linked above it.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team

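Added here as a worked check, not code from the original thread: a PowerShell audit of the Terminal Server's computer SOM as Mark describes it, reporting which GPOs in that scope configure user loopback and in which mode. A GPO in this list with Replace mode is exactly what stops the GPOs linked at the users' child OUs from applying. The computer name TS01 and the presence of the RSAT GroupPolicy and ActiveDirectory modules are assumptions of the example.

```powershell
# Added example; not code from the original thread. Assumes the RSAT
# GroupPolicy and ActiveDirectory modules are installed and that the
# Terminal Server's computer account is named TS01 (hypothetical name).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$computerName = 'TS01'   # assumption: replace with the real Terminal Server name
$loopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'

# 1. Find the OU the computer object lives in. The computer's SOM is that OU,
#    every OU above it and the domain; Get-GPInheritance returns the GPOs
#    linked anywhere in that chain, highest precedence first. (Site-linked
#    GPOs are not included here; check them in GPMC if your domain uses them.)
$computerDn  = (Get-ADComputer -Identity $computerName).DistinguishedName
$computerOu  = $computerDn -replace '^CN=[^,]+,', ''   # assumes no escaped commas in the CN
$computerSom = (Get-GPInheritance -Target $computerOu).InheritedGpoLinks

# 2. For each GPO in the computer SOM, read the loopback setting.
#    "Configure user Group Policy loopback processing mode" writes the value
#    UserPolicyMode under the key above: 1 = Merge, 2 = Replace.
$report = foreach ($link in $computerSom) {
    $mode = 'Not configured'
    try {
        $value = Get-GPRegistryValue -Guid $link.GpoId -Key $loopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
        if ($value.PolicyState -eq 'Delete') {
            $mode = 'Disabled'          # setting explicitly Disabled in this GPO
        } else {
            $mode = switch ($value.Value) {
                1       { 'Merge' }
                2       { 'Replace' }
                default { "Unknown value $($value.Value)" }
            }
        }
    } catch {
        # Get-GPRegistryValue throws when the value is absent, i.e. the
        # setting is Not Configured in this GPO; keep the default above.
    }
    [pscustomobject]@{
        Order    = $link.Order
        GPO      = $link.DisplayName
        Target   = $link.Target
        Enabled  = $link.Enabled
        Enforced = $link.Enforced
        Loopback = $mode
    }
}

$report | Format-Table -AutoSize

# 3. Any enabled GPO in the computer SOM with Replace mode explains why GPOs
#    linked to the users' child OUs are skipped: in Replace mode the user's
#    own SOM is never consulted.
$replace = $report | Where-Object { $_.Enabled -and $_.Loopback -eq 'Replace' }
if ($replace) {
    Write-Warning ("Loopback Replace is set in: " + ($replace.GPO -join ', ') +
                   ". User-side GPOs linked at the user OUs will not apply on $computerName.")
}
```

Run it from a workstation with RSAT, then confirm on the Terminal Server with `gpupdate /force` followed by `gpresult /r /scope:user` for a test user from one of the child OUs. For the design in this thread every row should read "Not configured" or "Disabled". As the thread's last post notes, a GPO edit has to replicate to the domain controller the server authenticates against before gpresult will show it, so re-check after replication rather than immediately after saving.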
 
Graham Prentice

Thanks, Mark for a good description of the loopback processing modes.
I didn't fully understand the consequences of using loopback mode in replace
mode.

You are correct. After a night of settling in, the policies all now work
properly. You have to be patient making changes to the GPOs as they take
time to take effect. I tried telling the domain controllers to sync up and
spread the GPO word, but did not wait long enough last night.

Many thanks for your good advice,
Graham
