Group Policy does not take effect

Guest

I'm trying to create a GPO on a Win2003/Terminal Server wherein users log in
to the Terminal Server and immediately launch into notepad. I'm new to Group
Policies so I'm looking for some help. I've created a TEST OU off the root
of my domain. I've created a Global Group with membership from several other
OU users located in other OUs under the root domain. The Group was then
assigned to the TEST OU. The Win2003/Terminal Server is also assigned to the
TEST OU. So, in my TEST OU, I have the Win2003/TS server and the Global
Group (with users from other OUs). I've created a GPO Link on the TEST OU
and enabled the Loopback setting in Admin Templ/Computer Config/System Group
Policy. In User Config/Admin Templ/Windows Components/Terminal Services I've
set NOTEPAD as the application in "start a program on connection". I've
also set "Allow logon through Terminal Services" in the Win2003 Local
Security Policy. But, when I log in to the Terminal Server as one of the
users in the Global Group, I go to the desktop....no NOTEPAD. What am I
doing wrong? Appreciate any help I can get.
 
Vera Noest [MVP]

First of all: for loopback processing to work as designed (meaning
that settings apply to users *only* when they logon to the TS, not
when they logon to their workstation), your user accounts should
*not* be in the same OU as the Terminal Server machine account!

What I think you have missed is that the Terminal Server machine
account must be added to the security filtering list of the GPO.
See the last section of this article for detailed instructions:

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
 
Guest

This has been a frustrating experience for me. After reading the article, I
think I understand it a bit more. To make sure I do:

1. I should create a NEW OU with just the users in it....but, since in my case
   the users are in other OUs, will a Global Group with the users in it work?
2. Next, I should create a Terminal Server OU and "move" my TS server in it
3. Next, I should create/link a GPO on the NEW OU and then Edit the GPO
   Security Filter with the TS Server computer
4. To ensure that the TS Global Group users are able to do what we want:
   a. Enable the Log on using Terminal Services feature in the Local
      Security Policy
   b. Edit the GPO with the necessary User Config/Adm Template...desktop
      settings and in LOGON
   c. Enable Loopback/Replace mode


Is that about it? Also, should I delete the previously created GPO and
links? I'm not sure I want the wrong GPO lingering around.

btw....what is the difference between an ENFORCED GPO and one that is not?
After I create a GPO it appears to work without being ENFORCED.
 
Vera Noest [MVP]

You don't have to create a new OU for your users.

Just create an OU for your Terminal Server, let's call it TS-OU.
*ONLY* the Terminal Server machine account should be in this OU,
not the users.

Then create the TS GPO, with the loopback processing setting in it
(and everything else that you want to configure), and link this
GPO to the TS-OU.
On the security filtering of the TS GPO, add the Terminal Server
machine account + all user groups that these settings should apply
to.

What this does is the following:
A user in the above security group logs on to the TS. The Computer
Configuration part of the TS GPO is applied to the Terminal
Server, and the User Configuration part of the TS GPO is applied
to the user's session. Without loopback processing, the Computer
Configuration part would be used from the TS GPO, but the User
Configuration part from any GPO that is linked to the OU which the
user account is located in would apply.

--
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
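
The processing described in the reply above, as an added Python sketch (not code from the thread or from Microsoft). It is a simplified model that assumes only OU links and security filtering matter; the OU, group, machine and setting names are hypothetical. It also shows the original symptom: with the machine account missing from the security filter, the loopback setting is never read and the user's normal policy applies.

```python
# Added illustration: simplified model of GPO user-settings resolution.
# Ignores site/domain links, inheritance blocking, Enforced and WMI filters.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    linked_ou: str
    security_filter: set            # principals allowed to apply this GPO
    loopback: str = ""              # "", "merge" or "replace" (Computer Configuration)
    user_settings: dict = field(default_factory=dict)

def applies(gpo, ou, principals):
    """A GPO is processed for an object when it is linked to the object's OU
    and one of the object's principals is in the security filter."""
    return gpo.linked_ou == ou and bool(gpo.security_filter & principals)

def user_settings(gpos, user_ou, user_ids, computer_ou, computer_id):
    # Loopback mode is read only from GPOs that apply to the computer account.
    mode = ""
    for g in gpos:
        if g.loopback and applies(g, computer_ou, {computer_id}):
            mode = g.loopback
    result = {}
    if mode != "replace":           # normal or merge: GPOs from the user's own OU
        for g in gpos:
            if applies(g, user_ou, user_ids):
                result.update(g.user_settings)
    if mode:                        # loopback: GPOs from the computer's OU win
        for g in gpos:
            if applies(g, computer_ou, user_ids):
                result.update(g.user_settings)
    return result

# Constructed sample data (all names hypothetical).
USER_ALL = {"alice", "TS-Users", "Authenticated Users"}
DESKTOP = GPO("Desktop GPO", "Staff", {"Authenticated Users"}, "",
              {"Wallpaper": "corp.bmp"})

def ts_gpo(sec_filter, mode="replace"):
    return GPO("TS GPO", "TS-OU", sec_filter, mode,
               {"InitialProgram": "notepad.exe"})

def demo():
    good = [ts_gpo({"TS01$", "TS-Users"}), DESKTOP]
    no_machine = [ts_gpo({"TS-Users"}), DESKTOP]   # machine account not in filter
    return (user_settings(good, "Staff", USER_ALL, "TS-OU", "TS01$"),
            user_settings(good, "Staff", USER_ALL, "Workstations", "PC07$"),
            user_settings(no_machine, "Staff", USER_ALL, "TS-OU", "TS01$"))
```

`demo()` returns the user settings for a logon to the Terminal Server, a logon to the user's own workstation, and a Terminal Server logon with the misconfigured filter, in that order.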
 
Guest

Vera,
Thank you very much. You have been most patient and very, very helpful. I
would like to learn more about Group Policies and how to use them
effectively. Is there a webcast or Virtual lesson that Microsoft offers that
will help me? Again,...you are the best.
 
Vera Noest [MVP]

Thanks, Pearl, I'm glad I could help.
I'm sure that there is a lot of material about Group Policies, but
I don't have any specific links available.

Personally, I think I would buy a book about Active Directory and
Group Policies, but I'm sure that you will find tons of material if
you search Microsoft's website.

There is also a microsoft.public.windows.group_policy newsgroup,
someone there will certainly be able to give some more tips.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
___ please respond in newsgroup, NOT by private email ___
 
Rob S

On Wed, 22 Jun 2005 13:24:00 -0700, "Vera Noest [MVP]"

-There is also a microsoft.public.windows.group_policy newsgroup,
-someone there will certainly be able to give some more tips.

There are actually 4 group_policy newsgroups taken by my newsserver alone, which
shows what a complex area/minefield it is. I'm learning the hard way - I expect
there are MSCP courses dedicated to it though.....I find learning from MS
knowledgebase a clunky method to say the least.

regards


-Rob
robatwork at mail dot com
 
Guest

Hi,
I am having a very similar problem to the one described here. Have 2 x
win2k servers (server a and server b) in a domain, using one (server b) as a
terminal server. In dom users and groups I created an OU called Term Serv
and moved server b into this OU. I then created a group policy for this OU
with some basic settings, i.e. log on locally, access from network, GP loopback
(replace), and also made some changes to the user config (removed some
commands from the start button). Problem is that the policy does not apply
to the users when they log into server B via remote desktop. If I move a
user to the newly created OU then the changes do apply to that user but the
problem is that the changes also apply to their local XP PC when they log
into the domain. I want their term serv session to be affected but not their
local PC. Please help.

Jaco
 
