Terminal Services : Roaming Profile Path in GPO

  • Thread starter: Emma
Really odd situation we have

I have created 2 pilot users and put them in their own OU with a new group.

I have created a new GPO and made changes to the CC and UC settings

CC : path to roaming profile share
UC : path to My Docs share

Now the UC GPO works and it will not read the CC GPO and redirect the
Roaming profile

I have followed the share permissions guide per
http://technet2.microsoft.com/windo...f7c9-4cf0-9131-78924af776551033.mspx?mfr=true

RSOP and it only sees it processing the my docs redirection

I have made sure that Block Inher is at the OU above and ensured there aren't
any GPO that are overriding things.

I have also made sure that ENFORCE is configured on the GPO

I have made sure the group is Read and Apply

It's W2K3 with SP2

Any ideas?

KP
 
Re: Terminal Services : Roaming Profile Path in GPO

If I understand you correctly, then you have created a single GPO
with both Computer and User Configuration settings, and linked that
GPO to an OU which contains the user account. Only the User
Configuration settings are applied when the user logs on.

This is by design.
When a user logs on to a machine (client or TS), then 2 GPOs (at
least) are applied:
1. the Computer Configuration part of the GPO linked to the OU
which contains the computer account
2. the User Configuration part of the GPO linked to the OU which
contains the user account.

The solution to this problem is to use "loopback processing" of the
GPO, which ensures that both Computer Configuration and User
Configuration settings are used from the GPO which is linked to the
OU which contains the *computer* account.

Assuming that this is about applying a GPO to users who log on to a
Terminal Server, this is how it is done:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
http://support.microsoft.com/?kbid=231287
4. link the GPO to the OU which contains the Terminal Server
machine account
5. modify the rights for Administrators on the GPO: select "Deny"
for the right to "Apply this policy" (see KB 816100)
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Emma <Emma@discussions.microsoft.com> wrote on 05
nov 2007 in microsoft.public.windows.terminal_services:

> Really odd situation we have
>
> I have created 2 pilot users and put them in their own OU with a
> new group.
>
> I have created a new GPO and made changes to the CC and UC
> settings
>
> CC : path to roaming profile share
> UC : path to My Docs share
>
> Now the UC GPO works and it will not read the CC GPO and
> redirect the Roaming profile
>
> I have followed the share permissions guide per
> http://technet2.microsoft.com/windowsserver/en/library/20b15453-f7c9-4cf0-9131-78924af776551033.mspx?mfr=true
>
> RSOP and it only sees it processing the my docs redirection
>
> I have made sure that Block Inher is at the OU above and ensured
> there aren't any GPO that are overriding things.
>
> I have also made sure that ENFORCE is configured on the GPO
>
> I have made sure the group is Read and Apply
>
> It's W2K3 with SP2
>
> Any ideas?
>
> KP
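
The by-design behaviour and the loopback setup described in the reply above, as an added Python sketch that is not part of the original thread. It is a simplified model: OU names, group names, share paths and the lockdown setting are constructed placeholders, and OU inheritance, link order and Enforce/Block Inheritance are not modelled.

```python
# Added illustration: simplified model of which GPO halves reach a logon session.
# OU names, group names, share paths and settings are constructed placeholders.
from dataclasses import dataclass, field

AUTH = "Authenticated Users"

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    loopback: str = ""                            # "", "merge" or "replace" (computer-side)
    allow_apply: set = field(default_factory=lambda: {AUTH})
    deny_apply: set = field(default_factory=set)

def applies(gpo, principals):
    """Security filtering on 'Apply Group Policy': an explicit Deny beats Allow."""
    return not (gpo.deny_apply & principals) and bool(gpo.allow_apply & principals)

def resultant(links, computer_ou, computer_ids, user_ou, user_ids):
    """links: OU name -> GPOs linked there (flat OUs; inheritance is not modelled)."""
    computer_settings, mode = {}, ""
    for gpo in links.get(computer_ou, []):
        if applies(gpo, computer_ids):
            computer_settings.update(gpo.computer)
            mode = gpo.loopback or mode
    own = [g for g in links.get(user_ou, []) if applies(g, user_ids)]
    looped = [g for g in links.get(computer_ou, []) if applies(g, user_ids)]
    if mode == "replace":
        sources = looped            # GPOs linked to the user's OU are ignored
    elif mode == "merge":
        sources = own + looped      # computer-OU GPOs are applied last and win
    else:
        sources = own               # default: only GPOs linked to the user's OU
    user_settings = {}
    for gpo in sources:
        user_settings.update(gpo.user)
    return computer_settings, user_settings

TS = {AUTH, "Domain Computers"}          # the Terminal Server machine account
PILOT = {AUTH, "Pilot Users"}            # an ordinary pilot user
ADMIN = {AUTH, "Administrators"}         # an administrator logging on to the TS
PROFILE = {"TS roaming profile path": r"\\fileserver\tsprofiles"}
MYDOCS = {"My Documents": r"\\fileserver\docs"}
LOCKDOWN = {"Remove Run menu from Start Menu": True}

def original_setup():
    """One GPO with both halves, linked only to the OU holding the user accounts."""
    links = {"Pilot Users OU": [GPO("Pilot", computer=PROFILE, user=MYDOCS)]}
    return resultant(links, "Terminal Servers OU", TS, "Pilot Users OU", PILOT)

def loopback_setup(user_ids):
    """TS-specific GPO on the server OU, loopback Replace, Deny Apply for Administrators."""
    ts_gpo = GPO("TS", computer=PROFILE, user=LOCKDOWN,
                 loopback="replace", deny_apply={"Administrators"})
    links = {"Terminal Servers OU": [ts_gpo],
             "Pilot Users OU": [GPO("Docs", user=MYDOCS)]}
    return resultant(links, "Terminal Servers OU", TS, "Pilot Users OU", user_ids)

if __name__ == "__main__":
    print("original setup :", original_setup())
    print("pilot user     :", loopback_setup(PILOT))
    print("administrator  :", loopback_setup(ADMIN))
```

In the original setup the computer-side profile path never reaches the Terminal Server because no GPO is linked to its OU; with loopback Replace the pilot user receives only the user settings of the TS GPO, and the administrator receives none of them.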
 
Re: Terminal Services : Roaming Profile Path in GPO

Vera

Many thanks for the concise explanation!!

This is what I have done since the post

I have an OU which has my 2 Terminal Servers in there

I created a GPO1 which only had the Roaming Profile redirection and then
applied it to the OU which had my TS servers

I then created GPO2 and linked that to the User OU.

So basically, one OU has CC GPO and the other user OU has the User Config
settings. I then ensured there was Block Inheritance and they didn't work.

Am I correct in assuming, based on what you had said, that the GPO for the
TS OU needs the Roaming profile redirection as well as Loopback processing?
Is there anything else?

Em

"Vera Noest [MVP]" wrote:

> If I understand you correctly, then you have created a single GPO
> with both Computer and User Configuration settings, and linked that
> GPO to an OU which contains the user account. Only the User
> Configuration settings are applied when the user logs on.
>
> This is by design.
> When a user logs on to a machine (client or TS), then 2 GPOs (at
> least) are applied:
> 1. the Computer Configuration part of the GPO linked to the OU
> which contains the computer account
> 2. the User Configuration part of the GPO linked to the OU which
> contains the user account.
>
> The solution to this problem is to use "loopback processing" of the
> GPO, which ensures that both Computer Configuration and User
> Configuration settings are used from the GPO which is linked to the
> OU which contains the *computer* account.
>
> Assuming that this is about applying a GPO to users who log on to a
> Terminal Server, this is how it is done:
>
> 1. place the Terminal Server (not the users!) in a separate OU
> 2. create a TS-specific GPO
> 3. configure the GPO to use "loopback processing" with the
> "Replace" option (see KB 231287)
> http://support.microsoft.com/?kbid=231287
> 4. link the GPO to the OU which contains the Terminal Server
> machine account
> 5. modify the rights for Administrators on the GPO: select "Deny"
> for the right to "Apply this policy" (see KB 816100)
> http://support.microsoft.com/?kbid=816100
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
 
Re: Terminal Services : Roaming Profile Path in GPO

If you want the redirection of the My Documents folder (a User
Configuration setting) to apply to users, irrespective of whether they
log on to their workstation or the TS, then you can use a setup as
you have now and don't need loopback processing. In that case, you
use the normal GPO application rules.

But in many cases, you want to lock down a user (with User
Configuration settings) when they log on to a TS, but not when they
log on to their workstation. In such cases, you need to enable
loopback processing in the GPO which is linked to the TS OU and link
all lockdown GPOs to this TS OU as well.

If you don't see any effect of the recent changes you made to the
GPOs, run gpupdate on the TS to refresh the GPO.
I see no reason for Block Inheritance, unless you have a GPO higher
up in the hierarchy which you want to block.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Emma <Emma@discussions.microsoft.com> wrote on 05
nov 2007 in microsoft.public.windows.terminal_services:

> Vera
>
> Many thanks for the concise explanation!!
>
> This is what I have done since the post
>
> I have an OU which has my 2 Terminal Servers in there
>
> I created a GPO1 which only had the Roaming Profile redirection
> and then applied it to the OU which had my TS servers
>
> I then created GPO2 and linked that to the User OU.
>
> So basically, one OU has CC GPO and the other user OU has the
> User Config settings. I then ensured there was Block
> Inheritance and they didn't work.
>
> Am I correct in assuming, based on what you had said, that the
> GPO for the TS OU needs the Roaming profile redirection as well
> as Loopback processing? Is there anything else?
>
> Em
 
Re: Terminal Services : Roaming Profile Path in GPO

Vera

This is what I did

On the OU which has my TS I created a new GPO and enabled Loopback and also
the TS Roaming Profile Path. I disabled the application of the User Config
and ensured the user group for the Users had READ and APPLY on that policy

Logged back in, but still to no avail... have I missed something?

Is there a step where I put the TS Servers in another Group and need to ensure
it's THAT group that has Read and Apply to the policy?

"Vera Noest [MVP]" wrote:

> If you want the redirection of the My Documents folder (a User
> Configuration setting) to apply to users, irrespective of whether they
> log on to their workstation or the TS, then you can use a setup as
> you have now and don't need loopback processing. In that case, you
> use the normal GPO application rules.
>
> But in many cases, you want to lock down a user (with User
> Configuration settings) when they log on to a TS, but not when they
> log on to their workstation. In such cases, you need to enable
> loopback processing in the GPO which is linked to the TS OU and link
> all lockdown GPOs to this TS OU as well.
>
> If you don't see any effect of the recent changes you made to the
> GPOs, run gpupdate on the TS to refresh the GPO.
> I see no reason for Block Inheritance, unless you have a GPO higher
> up in the hierarchy which you want to block.
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
 
Re: Terminal Services : Roaming Profile Path in GPO

Did you remove the "Authenticated Users" group from the security
filtering of the GPO? If so, you have to add the Terminal Server
machine account to the security filtering, also with read and
execute rights.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Emma <Emma@discussions.microsoft.com> wrote on 06
nov 2007 in microsoft.public.windows.terminal_services:

> Vera
>
> This is what I did
>
> On the OU which has my TS I created a new GPO and enabled
> Loopback and also the TS Roaming Profile Path. I disabled the
> application of the User Config and ensured the user group for
> the Users had READ and APPLY on that policy
>
> Logged back in, but still to no avail... have I missed something?
>
> Is there a step where I put the TS Servers in another Group and
> need to ensure it's THAT group that has Read and Apply to the
> policy?
 