Group Policy not applying

Shin.Lail@googlemail.com
I've just installed a new DC and a new TS. I created a new OU for the
TS and created a GPO. I set the GPO to use loopback and made some
changes to the user settings. I can log in ok but the user settings
are not being applied.

Notes;
Auth Users have read and apply set
Admins have Deny
A sec group has got access to the TS. I have added relevant users to
it.

It's a fresh install but I can't see a reason why it is not working.
Any assistance is much appreciated.
 
Re: Group Policy not applying

Did you run the "gpupdate" command on the server?

The tool to use when policies aren't applied as you expect them to
be is Resultant Set of Policies (RSoP).
Also check the EventLog on the server and enable verbose logging of
the user environment.

250842 - Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Shin.Lail@googlemail.com wrote on 08 Oct 2007 in
microsoft.public.windows.terminal_services:

> I've just installed a new DC and a new TS. I created a new OU
> for the TS and created a GPO. I set the GPO to use loopback and
> made some changes to the user settings. I can log in ok but the
> user settings are not being applied.
>
> Notes;
> Auth Users have read and apply set
> Admins have Deny
> A sec group has got access to the TS. I have added relevant
> users to it.
>
> It's a fresh install but I can't see a reason why it is not
> working. Any assistance is much appreciated.
 
Re: Group Policy not applying

Hi,

Add a Deny Apply Group Policy for Domain Admins
Remove the Deny entry for Administrators
Run gpupdate /force on your TS

You can use gpresult.exe on your TS to troubleshoot.

-TP

Shin.Lail@googlemail.com wrote:
> I've just installed a new DC and a new TS. I created a new OU for the
> TS and created a GPO. I set the GPO to use loopback and made some
> changes to the user settings. I can log in ok but the user settings
> are not being applied.
>
> Notes;
> Auth Users have read and apply set
> Admins have Deny
> A sec group has got access to the TS. I have added relevant users to
> it.
>
> It's a fresh install but I can't see a reason why it is not working.
> Any assistance is much appreciated.
 
Re: Group Policy not applying

On 8 Oct, 20:54, "TP" <tperson.knowsp...@mailandnews.com> wrote:
> Hi,
>
> Add a Deny Apply Group Policy for Domain Admins
> Remove the Deny entry for Administrators
> Run gpupdate /force on your TS
>
> You can use gpresult.exe on your TS to troubleshoot.
>
> -TP
>
>
>


Thanks for the quick reply folks.

I have run gpupdate and even rebooted the servers. In fact I have even
removed the GPO and re added it, as well as removing the TS from the
domain and then rejoining it. The Event Log doesn't show any errors. I
will go through the MS document, tomorrow - I'm in the UK and it's
evening.

It appears to be running the DDP but since I have loopback I wouldn't
expect it to. I have even tried taking the loopback out and put the
block inheritance on but it still didn't apply the User settings. If I
place the user in the OU with the TS it works fine but this is not
practical as I've got users who log in locally and remotely.

Excuse my ignorance but I don't see how changing the Deny to Domain
admins will help. The users have not got Admin or domain admin rights.
If you think it will help I'll give it a go.

My GPresult details are

OS Type: Microsoft(R) Windows(R) Server 2003,
Standard Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\shin
Connected over a slow link?: No


USER SETTINGS
--------------
CN=Shin,OU=Classics Users,OU=All Users,DC=vogue,DC=local
Last time Group Policy was applied: 08/10/2007 at 12:32:58
Group Policy was applied from: 2k3server.vogue.local
Group Policy slow link threshold: 500 kbps
Domain Name: VOGUE
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Terminal Server Users

If this information lets you know where I'm going wrong, please feel
free to point out my numptyness.

Thanks again,
Shinder
 
Re: Group Policy not applying

>
> It appears to be running the DDP but since I have loopback I wouldn't
> expect it to. I have even tried taking the loopback out and put the
> block inheritance on but it still didn't apply the User settings.


Just realised what I wrote. Taking the loopback out will stop it
applying the User settings. Doh! It was late in the evening when I
tried that and I was tired :-)
 
Re: Group Policy not applying

Hi Shinder,

Loopback processing mode is a *computer* configuration
policy setting. In order for it to be applied the TS server's
computer account must have Read and Apply Group Policy
rights to the GPO. You added a Deny entry for Administrators
which blocked the computer account since it is a member
of Administrators.

-TP

Shin.Lail@googlemail.com wrote:
> Thanks for the quick reply folks.
>
> I have run gpupdate and even rebooted the servers. In fact I have even
> removed the GPO and re added it, as well as removing the TS from the
> domain and then rejoining it. The Event Log doesn't show any errors. I
> will go through the MS document, tomorrow - I'm in the UK and it's
> evening.
>
> It appears to be running the DDP but since I have loopback I wouldn't
> expect it to. I have even tried taking the loopback out and put the
> block inheritance on but it still didn't apply the User settings. If I
> place the user in the OU with the TS it works fine but this is not
> practical as I've got users who log in locally and remotely.
>
> Excuse my ignorance but I don't see how changing the Deny to Domain
> admins will help. The users have not got Admin or domain admin rights.
> If you think it will help I'll give it a go.
>
> My GPresult details are
>
> OS Type: Microsoft(R) Windows(R) Server 2003,
> Standard Edition
> OS Configuration: Member Server
> OS Version: 5.2.3790
> Terminal Server Mode: Application Server
> Site Name: N/A
> Roaming Profile:
> Local Profile: C:\Documents and Settings\shin
> Connected over a slow link?: No
>
>
> USER SETTINGS
> --------------
> CN=Shin,OU=Classics Users,OU=All Users,DC=vogue,DC=local
> Last time Group Policy was applied: 08/10/2007 at 12:32:58
> Group Policy was applied from: 2k3server.vogue.local
> Group Policy slow link threshold: 500 kbps
> Domain Name: VOGUE
> Domain Type: Windows 2000
>
> Applied Group Policy Objects
> -----------------------------
> Default Domain Policy
>
> The following GPOs were not applied because they were filtered out
>
> -------------------------------------------------------------------
> Local Group Policy
> Filtering: Not Applied (Empty)
>
> The user is a part of the following security groups
> ---------------------------------------------------
> Domain Users
> Everyone
> BUILTIN\Users
> REMOTE INTERACTIVE LOGON
> NT AUTHORITY\INTERACTIVE
> NT AUTHORITY\Authenticated Users
> This Organization
> LOCAL
> Terminal Server Users
>
> If this information lets you know where I'm going wrong, please feel
> free to point out my numptyness.
>
> Thanks again,
> Shinder
 
Re: Group Policy not applying

On 8 Oct, 22:31, "TP" <tperson.knowsp...@mailandnews.com> wrote:
> Hi Shinder,
>
> Loopback processing mode is a *computer* configuration
> policy setting. In order for it to be applied the TS server's
> computer account must have Read and Apply Group Policy
> rights to the GPO. You added a Deny entry for Administrators
> which blocked the computer account since it is a member
> of Administrators.
>
> -TP
>

Hi TP,

I had added the computer account with read and apply but the admin
deny setting was taking precedence. I took it out and added Deny to
Domain Admins - As you first suggested - and it worked!

Thank you very much for your help and apologies for questioning your
first answer. I bow to your superior knowledge.

Shinder
 
Re: Group Policy not applying

Hello Shinder,

You are welcome!

I appreciate the fact that you posted back with your results.
This helps us provide better suggestions in the future as
well as helps others who are searching for possible solutions.

Note: The computer account is a member of Authenticated
Users so you should not need to add it to the GPO's
DACL.

-TP
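
Added example, not part of the original thread: a PowerShell check for the misconfiguration TP describes, a Deny "Apply Group Policy" entry on the GPO that also matches the terminal server's computer account, so the loopback setting is never processed. It assumes the RSAT GroupPolicy and ActiveDirectory modules (newer than the Server 2003 tools used in the thread); the GPO name is hypothetical.

```powershell
# Added example: find Deny ACEs on a GPO that block "Apply Group Policy"
# for the computer account, which stops loopback from ever being read.
Import-Module GroupPolicy, ActiveDirectory   # RSAT modules

$GpoName = 'TS User Settings'   # hypothetical GPO name, replace with yours

# Well-known GUID of the "Apply Group Policy" extended right.
$ApplyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# SIDs found in a member server's machine token: Authenticated Users,
# BUILTIN\Administrators (per the thread), and Domain Computers (RID 515).
function Test-CoversComputer([string]$Sid) {
    $Sid -eq 'S-1-5-11' -or $Sid -eq 'S-1-5-32-544' -or $Sid -like 'S-1-5-21-*-515'
}

$gpo = Get-GPO -Name $GpoName
$acl = Get-Acl -Path "AD:\$($gpo.Path)"   # DACL of the GPO object in AD

$report = foreach ($ace in $acl.Access) {
    # Only Deny ACEs that include extended rights matter here. An empty
    # ObjectType means "all extended rights", which also covers Apply.
    if ($ace.AccessControlType -ne 'Deny') { continue }
    if (-not ($ace.ActiveDirectoryRights -band $ExtRight)) { continue }
    if ($ace.ObjectType -ne $ApplyGpo -and $ace.ObjectType -ne [guid]::Empty) { continue }

    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = ''   # unresolvable trustee: still reported, cannot be classified
    }
    [pscustomobject]@{
        Trustee        = $ace.IdentityReference.Value
        Sid            = $sid
        Inherited      = $ace.IsInherited
        BlocksComputer = Test-CoversComputer $sid
    }
}

if ($report) { $report | Format-Table -AutoSize }
else { "No Deny 'Apply Group Policy' ACEs on '$GpoName'." }
```

A row with BlocksComputer set to True corresponds to the original Deny on Administrators; a Deny on Domain Admins, the fix that worked in the thread, is listed with BlocksComputer set to False.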
 
Re: Group Policy not applying

I have applied GPOs for many TS farms. I would suggest the following.
Create an OU for your GPO, create an OU for your TS servers (computer
account), link the GPO to the TS OU. Users or groups are added to the
Security tab of the GPO.

"TP" wrote:

> Hello Shinder,
>
> You are welcome!
>
> I appreciate the fact that you posted back with your results.
> This helps us provide better suggestions in the future as
> well as helps others who are searching for possible solutions.
>
> Note: The computer account is a member of Authenticated
> Users so you should not need to add it to the GPO's
> DACL.
>
> -TP
>
 