GPO on Terminal Server

[Guest]

Hi,

I have applied a GP on a new OU and placed a terminal server oject in the
OU. The domain is a Windows 2000 domain and the terminal server is a member
server running 2003.

The goal is to only affect users who are signing onto the terminal server.
The GP is using Loopback processing in replace mode. Authenticated users
have been given read and apply group policy access. Administrators have been
denied apply group policy access.

The problem I am having is the GP is not applied when a user signs onto the
terminal server. I varified this by running gpresults. I also noticed that
if I place a user object in the same OU the policy does apply.

What can I do to correct the problem that I am having. Any info would be
greatly appreciated.

Thanks,

Tim Heilman

 

[Bruce Sanderson]

The technique you describe seems normal - I usually use "Merge" instead of
"Replace", and put User settings into a seperate GPO, but I don't think that
should not make a difference.

I notice that the "default" permissions for Authenticated Users on my GPOs
is:
Read
Apply Group Policy
Special

The Advanced Security Settings says that the "Special" permissions are:

List Contents
Read All Properties
Read Permissions

Also, SYSTEM has:
Read
Write
Create Al l Child Objects
Delete All Child Objects
Special

The "Special" permissions appear to be all permissions except:
Full Control
All Extended Rights
Apply Group Policy

At the risk of sounding insulting, have you verified that the Loopback
setting has been applied to the server in question (e.g. restarted it, or
used gpupdate and used the GPMC RSOP Wizard)?