Loopback process doesn't work


nicolas29

hey

I have a TSE 2000.
I created an OU named TSE and put my server in this OU.

I made a GPO on this OU with loopback processing, and under User Configuration
I set a special script as the logon script,

but it doesn't work

when a user connect to the GPO apply to the OU TSE

I don't understand, because I did the same at another company (but with
TSE2003) and it works very well.

I made these tests:
- deleted the OU and recreated it
- deleted the GPO and recreated it

.....snif help
nt
 
RE: Loopback process doesn't work

Did you check with RSOP if the policy is applied?
 
RE: Loopback process doesn't work

Best Practice for applying Settings to Users only when they log on to
Terminal Servers would be to:

1. Create an OU to contain a set of Terminal Servers

2. Block Policy Inheritance on the OU (Properties -> Group Policy). This
prevents settings from higher-up in AD from affecting your Terminal Servers.

3. Move the Terminal Server Computer Objects into the OU. Do NOT place User
Accounts in this OU.

4. Create an Active Directory Security Group called “Terminal Servers” (or
something similar that you’ll recognize) and add the Terminal Servers from
this OU to this group.

5. Create a GPO called “TS Machine Policy” linked to the OU

6. Check “Disable User Configuration settings” on the GPO

7. Enable Loopback Policy Processing in the GPO

8. Edit the Security of the Policy so Apply Policy is set for “Authenticated
Users” and the Security Group containing the Terminal Servers

9. Create additional GPOs linked to this OU for each user population, i.e.
“TS Users”, “TS Administrators”.

10. Check “Disable Computer Configuration settings” on these GPOs

11. Edit the Security on these User Configuration GPOs so Apply Policy is
enabled for the target user population, and Deny Apply Policy is enabled for
users to which the policy should not apply.

With GPOs configured this way the Machine Policy applies to everyone that
logs on to the Terminal Server (only the Computer Configuration Settings of
the Machine Policy are processed) in addition to the appropriate User
Configuration GPO (only the User Configuration portion of the GPO is
processed) for the target user population.

--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com



"Bart Van Vugt" wrote:

> Did you check with RSOP if the policy is applied?
 
RE: Loopback process doesn't work

hello
Bart, if I'm not mistaken, I cannot run RSOP on a TSE 2000, only on
2003 or XP?

Patrick, thanks for the details, but after 3 hours it doesn't work

here is what I did, with my information

> 1. Create an OU to contain a set of Terminal Servers
nt: ok

> 2. Block Policy Inheritance on the OU (Properties -> Group Policy). This
nt: ok

> 3. Move the Terminal Server Computer Objects into the OU. Do NOT place User
> Accounts in this OU.
nt: ok

> 4. Create an Active Directory Security Group called “Terminal Servers” (or
> something similar that you’ll recognize) and add the Terminal Servers from
> this OU to this group.
nt: I made a global security group named GG TSE and add into the tse

> 5. Create a GPO called “TS Machine Policy” linked to the OU
nt: ok

> 6. Check “Disable User Configuration settings” on the GPO
nt: ok

> 7. Enable Loopback Policy Processing in the GPO
nt: ok

> 8. Edit the Security of the Policy so Apply Policy is set for “Authenticated
> Users” and the Security Group containing the Terminal Servers
nt: ok

> 9. Create additional GPOs linked to this OU for each user population, i.e.
> “TS Users”, “TS Administrators”.
nt: ok, I made a 2nd GPO named script tse

> 10. Check “Disable Computer Configuration settings” on these GPO
nt: ok

> 11. Edit the Security on these User Configuration GPOs so Apply Policy is
> enabled for the target user population, and Deny Apply Policy is enabled for
> user to which the policy should not apply.

nt: as I want users on the TSE to have a logon script, I put a logon script in
the user configuration of the script tse GPO, is that the right place?

my script doesn't apply (it is just a map; if I test it in the user session by
double-clicking it, it works, but not by GPO)

thanks, can you explain where I made a mistake, if I want a specific
script to apply when a user connects to the TSE

good days nicolas
 
RE: Loopback process doesn't work

Dear Customer,

Thanks for posting here, and thanks to Patrick Rouse and Bart Van for their
kind responses.

Please check the following:

1) Please check whether the Loopback setting and the logon script setting
have been applied. You can run RSOP.MSC on the Terminal session to verify
it.

Note: RSOP is not available on Windows 2000 computers. You can run the
following command:

GPRESULT /V >C:\gpresult.txt

Please let me know the result.

2) As a test, please create a user account and put it in the same OU where
the Terminal server is located. Please log on to the Terminal server with this
new user to see if the script applies.

3) Please help collect a Userenv log in debugging mode.

For detailed steps, please refer to:

221833 How to enable user environment debug logging in retail builds of
Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

You can send the files to me at v-morche@microsoft.com (please include
"41115895-Loopback process doesn't work" in the subject line).

I am looking forward to your feedback. If anything is unclear, please feel
free to post back and I am happy to be of further assistance.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
RE: Loopback process doesn't work

Assuming your policy has replicated, the user GPO settings should apply at
the next logon, and computer GPO settings should apply after the next reboot,
as the computer settings apply when the Server's AD Account logs onto AD,
before the GINA is accessible.

I have successfully used the steps I listed in every implementation I've
done for several years, so they are battle tested on dozens of clients.


--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com


 
RE: Loopback process doesn't work

thanks you too

before restarting my server (because it is in production), can you just
confirm where I should put the special script for a user logon on the TSE?
on the GPO that has the loopback parameter modified, or on a new GPO?

and in which section (user or computer configuration):

for me, I think it is on a new GPO and in the user section, thanks for your
answers

nicolas
--
nt

 
RE: Loopback process doesn't work

The GPOs are set in the user GPO, so you can have different logon/logoff
scripts based upon group membership (as you can have different user GPOs on
the same OU). Settings in the machine/computer GPO apply to everyone.

--
Patrick C. Rouse
Microsoft MVP - Terminal Server
Provision Networks VIP
Citrix Technology Professional
President - Session Computing Solutions, LLC
http://www.sessioncomputing.com


 
RE: Loopback process doesn't work

as I cannot restart my server, I'm testing on a VM first

I'll give you feedback soon

thanks nicolas
--
nt

 
RE: Loopback process doesn't work

Dear Customer,

Thank you for your e-mail, and I appreciate that you take the time to
collect the information.

When viewing your log files and the captured screen, I noticed it's not an
English version of the Windows operating system.

As this issue needs specific analysis on log files, I would like to suggest
that you post the problem in the appropriate newsgroup to ensure that you
are best served by the most suitable engineers. Also, the engineers there
are experienced in troubleshooting localized version products. I believe
that the problem will be resolved soon. Although we would try our best to
assist you here, for support for localized versions it would be best to use
the support resources appropriate to that language.

(For example, for French version of Windows Terminal issues, you may post
in microsoft.public.fr.windows.server.terminalserver.)
Thanks for your understanding.

Anyway, I am also happy to share some basic suggestions based on the English
part of the information you helped collect.

After viewing your userenv log and gpresult text, my investigation is as
below:

The user FC applied Logon scripts of OCA ITINERANT Group Policy instead of
what you expected. Additionally, I haven't found any records about loopback
Group Policy.

So, I would suggest that you directly change the registry key to enable Group
Policy Loopback on your Terminal server:

Key Name: HKLM\Software\Policies\Microsoft\Windows\System
Value Name: UserPolicyMode

0 - Normal Mode (no loopback)
1 - Merge Mode
2 - Replace Mode

For the difference between Merge Mode and Replace Mode, I also list here
for your reference:

Merge Mode:
In this mode, when the user logs on, the user's list of GPOs is typically
gathered by using the GetGPOList function. The GetGPOList function is then
called again by using the computer's location in Active Directory. The list
of GPOs for the computer is then added to the end of the GPOs for the user.
This causes the computer's GPOs to have higher precedence than the user's
GPOs. In this example, the list of GPOs for the computer is added to the
user's list.


Replace Mode:
In this mode, the user's list of GPOs is not gathered. Only the list of
GPOs based on the computer object is used.

I hope this helps. Have a good day!

Thanks and regards,

Morgan Che

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
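
Added example (not part of the thread and not Microsoft's code): a small Python model of the user-side GPO list described above for UserPolicyMode 0, 1 and 2, combined with the per-GPO security filtering from Patrick Rouse's steps 6 to 11. The OU name OU=Staff, the group names TSE-Users and TSE-Admins, the script file names and the screensaver setting are constructed; each OU is assumed to carry only its directly linked GPOs (no inheritance from parent containers).

```python
from dataclasses import dataclass, field

# UserPolicyMode values as listed in the post above
NORMAL, MERGE, REPLACE = 0, 1, 2

@dataclass
class GPO:
    name: str
    user_settings: dict = field(default_factory=dict)
    user_enabled: bool = True   # False models "Disable User Configuration settings"
    allow: frozenset = frozenset({"Authenticated Users"})  # Apply Policy: Allow
    deny: frozenset = frozenset()                          # Apply Policy: Deny

def gpo_list(ou, links, groups):
    """GPOs linked to `ou` that security filtering lets `groups` apply (Deny wins)."""
    return [g for g in links.get(ou, [])
            if g.allow & groups and not g.deny & groups]

def user_side_gpos(mode, user_ou, computer_ou, links, groups):
    """Ordered GPO list for User Configuration at logon; later entries win."""
    user_list = gpo_list(user_ou, links, groups)
    # With loopback, the GPOs at the computer's location are evaluated too,
    # still filtered against the logging-on user's group membership.
    computer_list = gpo_list(computer_ou, links, groups)
    if mode == REPLACE:
        return computer_list              # user's own list is not gathered
    if mode == MERGE:
        return user_list + computer_list  # computer's GPOs appended, so they win
    return user_list                      # no loopback

def effective_user_settings(mode, user_ou, computer_ou, links, groups):
    """Apply the ordered list; a GPO with its user half disabled adds nothing."""
    result = {}
    for gpo in user_side_gpos(mode, user_ou, computer_ou, links, groups):
        if gpo.user_enabled:
            result.update(gpo.user_settings)
    return result

# Constructed sample directory: the user lives in OU=Staff, the server in OU=TSE.
LINKS = {
    "OU=Staff": [GPO("OCA ITINERANT",
                     {"logon_script": "itinerant.cmd", "screensaver_timeout": 600})],
    "OU=TSE": [GPO("TS Machine Policy", user_enabled=False),
               GPO("script tse", {"logon_script": "tse-map.cmd"},
                   allow=frozenset({"TSE-Users"}), deny=frozenset({"TSE-Admins"}))],
}
FC_GROUPS = frozenset({"Authenticated Users", "TSE-Users"})
ADMIN_GROUPS = FC_GROUPS | {"TSE-Admins"}

if __name__ == "__main__":
    for mode, label in ((NORMAL, "normal"), (MERGE, "merge"), (REPLACE, "replace")):
        print(label, effective_user_settings(mode, "OU=Staff", "OU=TSE",
                                             LINKS, FC_GROUPS))
```

With UserPolicyMode absent (normal mode) the model returns the logon script from the user's own OU, which matches what the gpresult output showed for user FC.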
 
RE: Loopback process doesn't work

hi

thanks for your answers, they were very useful

I did it on my test server, and it works


thanks a lot

--
nt

 
RE: Loopback process doesn't work


Dear Customer,

Thanks for your feedback, and I am glad to hear this issue has been solved.

Hope you have a nice day!

Best wishes

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

 