Applying Group Policy to domain user on Terminal Server

Thread starter: Luke Chalmers (Guest)

Hello,

I am fairly new to setting up terminal services so I will try and explain
the problem as best I can.

I have setup a Windows 2003 Terminal Server and have built a group policy
for when users logon. The domain controller is on a Windows 2000 server. I am
not sure if this is the best way to do this but in Active Directory I have a
subfolder called 'Domain Controllers' and this contains the Windows 2000
server. When I right click on the 'domain controllers' and go to
properties>group policy I see 'default domain controllers policy'. This is
the group policy that is applied to domain users on the network.

Another organisational unit subfolder is called 'My Business' and then
subfolder in that called '[company name]'. The [company name] folder
contains all the users in the company which log onto the domain.

Under 'my business' is another folder which I created called 'Terminal
Services'. If I right click on that and go to properties and go to Group
policy, you find my group policy that I have configured for the Terminal
Server. In this folder you find the Terminal Server computer object and a
test user.

When the test user logs into the Terminal server the group policy is then
applied and they experience restrictive access.


How can I get a domain user from the 'company name' organisational
unit to log onto the TS with the group policy applied? In order to get this
to work I have to move them to the Terminal Services container and I don't
want to do that. I have created a group and added the group but when users of
that group log in the group policy does not apply.

I have granted the terminal services group permission to the group policy
just like my test user but only my test user works. I am not sure how to get
this working. How do other people set this up?

Sorry if this sounds waffly!

Cheers

Luke
 
Re: Applying Group Policy to domain user on Terminal Server

The solution to this problem is to use "loopback processing" of the
TS GPO:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server
machine account
5. add the Terminal Server machine account to the security
list of the GPO
6. add a User group to the security list of the GPO (or keep
the default entry for "Authenticated Users" if you want the
settings in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select
"Deny" for the right to "Apply this policy" (see KB 816100)

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Luke Chalmers <LukeChalmers@discussions.microsoft.com> wrote on 18 jun 2008 in
microsoft.public.windows.terminal_services:

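An added example, not part of the thread and not Vera's own code: her steps 1 to 6 scripted with the GroupPolicy and ActiveDirectory PowerShell modules (RSAT, Windows Server 2008 R2 or later; the Windows 2000/2003 domain in this thread would have to do the same in GPMC by hand). The OU names and the GPO name TS-GPO are the ones from the thread; the domain DN corp.example, the terminal server name TS01, the group name TS-Users and the exact OU distinguished name are assumptions.

```powershell
# Added example, not from the original thread. Assumed names: domain corp.example,
# terminal server TS01, group TS-Users. OU and GPO names are the ones Luke used.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = "DC=corp,DC=example"                              # assumed domain
$tsOu     = "OU=Terminal Services,OU=My Business,$domainDn"   # OU names from the thread, DN assumed
$gpoName  = "TS-GPO"                                          # Luke's GPO name
$tsHost   = "TS01"                                            # assumed terminal server name
$tsGroup  = "TS-Users"                                        # assumed group of permitted TS users

# Step 1: only the terminal server's computer object goes in the TS OU, never the users.
$tsComputer = Get-ADComputer -Identity $tsHost
if ($tsComputer.DistinguishedName -notlike "*,$tsOu") {
    Move-ADObject -Identity $tsComputer -TargetPath $tsOu
}

# Step 2: a GPO dedicated to the terminal server (created once, reused afterwards).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment "User lockdown for the terminal server, loopback Replace" | Out-Null
}

# Step 3: loopback processing in Replace mode (KB 231287). This is a COMPUTER
# setting: the GUI policy "User Group Policy loopback processing mode" writes
# UserPolicyMode = 1 (Merge) or 2 (Replace) under the key below.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# Step 4: link the GPO to the OU holding the machine account, not to the users' OU.
$linked = (Get-GPInheritance -Target $tsOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $tsOu -LinkEnabled Yes | Out-Null
}

# Step 5: the machine account needs Read + Apply (GpoApply), or the computer side
# (where the loopback flag lives) is never processed and no user gets the TS settings.
Set-GPPermission -Name $gpoName -TargetName $tsHost -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# Step 6: filter the user side to the TS users group. Authenticated Users is cut
# back to Read rather than removed: since MS16-072 (2016) user-side GPOs are read
# in the computer's security context, so computers must keep Read on the GPO.
Set-GPPermission -Name $gpoName -TargetName $tsGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 7 (Deny "Apply group policy" for Administrators, KB 816100) is not done here:
# Set-GPPermission writes Allow entries only, so that stays a GPMC task
# (GPO > Delegation > Advanced). Finish by showing the resulting security filter.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission, Denied |
    Format-Table -AutoSize
```

Run it from a machine with RSAT as a user who can edit GPOs and move the computer object. The last command is the check worth keeping: the computer account and TS-Users should both show GpoApply, Authenticated Users GpoRead, and nothing else should carry Apply.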
 
Re: Applying Group Policy to domain user on Terminal Server

Vera,

Thanks for your help on this. I am still a little stuck however as the GPO
is still not applying properly. I am glad you understood what I meant as I
was concerned that you may find my problem difficult to follow.

I just want to check the instructions that you sent.

1. place the Terminal Server (not the users!) in a separate OU

DONE! This OU is called Terminal Services

2. create a TS-specific GPO

DONE! This is called TS-GPO

3. configure the GPO to use "loopback processing" with the
"Replace" option (see KB 231287)

DONE! Read this with interest and I guess this needs to be applied to the
TS-GPO and not the local GPO on the Terminal Server

4. link the GPO to the OU which contains the Terminal Server
machine account

DONE! What do you mean exactly by Terminal Server machine 'account'? If I
right click on the Terminal Services OU and go to properties the group policy
is in there under the group policy tab.

5. add the Terminal Server machine account to the security
list of the GPO

If I right click on the Terminal Services OU>properties>group policy>select
the group policy and then click properties. Then select the security tab. The
Terminal Server computer is in this list along with my test users and
Terminal Server User group. What permissions should the machine have exactly?
I also have the domain admin group with deny rights in here. This relates to
point 7.

6. add a User group to the security list of the GPO (or keep
the default entry for "Authenticated Users" if you want the
settings in the GPO to apply to all users)

DONE! As above, the Terminal Server user group is in the security list with
read, write, create, delete and apply rights enabled. Same as my test user
which works.

When I log in with a user who is a member of the Terminal Server Users group
the GPO does not apply itself.

In active directory under the Terminal Server OU I have the computer of the
TS and the test user. Should my Terminal Server user group be in there as
well because it is at present!

Many thanks for your help on this Vera!

Luke


 
Re: Applying Group Policy to domain user on Terminal Server

comments inline
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Luke Chalmers <LukeChalmers@discussions.microsoft.com> wrote on 19 jun 2008 in
microsoft.public.windows.terminal_services:

> Vera,
>
> Thanks for your help on this. I am still a little stuck however
> as the GPO is still not applying properly. I am glad you
> understood what I meant as I was concerned that you may find my
> problem difficult to follow.
>
> I just want to check the instructions that you sent.
>
> 1. place the Terminal Server (not the users!) in a separate OU
> DONE! This OU is called Terminal Services
>
> 2. create a TS-specific GPO
> DONE! This is called TS-GPO
>
> 3. configure the GPO to use "loopback processing" with the
> "Replace" option (see KB 231287)
> DONE! Read this with interest and I guess this needs to be
> applied to the TS-GPO and not the local GPO on the Terminal
> Server


Correct

> 4. link the GPO to the OU which contains the Terminal Server
> machine account
>
> DONE! What do you mean exactly by Terminal Server machine
> 'account'? If I right click on the Terminal Services OU and go
> to properties the group policy is in there under the group
> policy tab.


The Terminal Server machine account is what you call the Terminal
Server computer, i.e. the object that you see in the Terminal
Services OU.

> 5. add the Terminal Server machine account to the security
> list of the GPO
>
> If I right click on the Terminal Services OU>properties>group
> policy>select the group policy and then click properties. Then
> select the security tab. The Terminal Server computer is in this
> list along with my test users and Terminal Server User group.
> What permissions should the machine have exactly? I also have
> the domain admin group with deny rights in here. This relates to
> point 7.


The default permissions (minimally read, write, apply)

> 6. add a User group to the security list of the GPO (or keep
> the default entry for "Authenticated Users" if you want the
> settings in the GPO to apply to all users)
> DONE! as above the Terminal Server user group is in the security
> list with read, write, create, delete and apply rights enabled.
> Same as my test user which works
>
> When I log in with a user who is a member of the Terminal Server
> Users group the GPO does not apply itself.


Strange, because it should. Did you run the command "gpupdate" on
the Terminal Server after adding the loopback setting?
If that doesn't help, run RSoP (Resultant Set of Policies) with the
TS as the computer and a normal user account, to see a list of the
policies which are applied.

One comment on your first post. You wrote:
> .. in Active Directory I have a subfolder
> called 'Domain Controllers' and this contains the Windows
> 2000 server. When I right click on the 'domain controllers'
> and go to properties>group policy I see 'default domain
> controllers policy'. This this the group policy that is
> applied to domain users on the network.

That's not completely true. The Default Domain Controller GPO is
applied to the DC.
You should have another GPO, linked to the domain, which is called
the Default Domain Policy. This GPO is applied to the whole domain,
and thus to all users.

> In active directory under the Terminal Server OU I have the
> computer of the TS and the test user. Should my Terminal Server
> user group be in there as well because it is at present!


Policies are applied to computers and/or users, not to security
groups. So putting the Terminal Server Users security group in the
TS OU has no effect, and I wouldn't do it.

> Many thanks for your help on this Vera!
>
> Luke
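An added example, not part of the thread and not Vera's own code: the checks she suggests (gpupdate on the terminal server, RSoP for a normal user) plus a look at the GPO's security filter and at which OU each default GPO is linked to, using the GroupPolicy module (RSAT, Windows Server 2008 R2 or later). The GPO name TS-GPO is from the thread; the terminal server name TS01, the test account CORP\alice and the domain DN corp.example are assumptions.

```powershell
# Added example, not from the original thread. Assumed names: TS01, CORP\alice,
# domain corp.example. Run from an admin workstation with RSAT.
Import-Module GroupPolicy

$gpoName  = "TS-GPO"                      # Luke's GPO name
$tsHost   = "TS01"                        # assumed terminal server name
$user     = "CORP\alice"                  # assumed member of the TS users group
$domainDn = "DC=corp,DC=example"          # assumed domain

# 1. Is loopback really set in the GPO (not only in the TS's local policy), and is it Replace?
$mode = (Get-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
             -ValueName "UserPolicyMode" -ErrorAction SilentlyContinue).Value
switch ($mode) {
    2       { "Loopback: Replace" }
    1       { "Loopback: Merge" }
    default { "Loopback: NOT SET in $gpoName" }
}

# 2. Security filtering. A group member failing while a test user works usually
#    shows up here: the group lacks Apply, or a Deny entry matches the user.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission, Denied |
    Format-Table -AutoSize

# 3. Refresh the computer side ON the terminal server; that is what picks up the
#    loopback flag. Running gpupdate on the DC or on your own workstation does nothing for TS01.
Invoke-Command -ComputerName $tsHost -ScriptBlock { gpupdate /target:computer /force }

# 4. RSoP in logging mode for a real group member on the TS. The user must have
#    logged on to TS01 at least once, otherwise there is no logged data to report.
$report = Join-Path $env:TEMP "rsop-$tsHost.html"
Get-GPResultantSetOfPolicy -Computer $tsHost -User $user -ReportType Html -Path $report
# Command-line equivalent:  gpresult /s TS01 /user CORP\alice /scope user /r
# Expected under User Configuration > Applied GPOs: TS-GPO, and with Replace mode
# nothing from the OU where the user account itself lives.

# 5. Group membership enters the user's token only at logon. A user added to the
#    group while still logged on will not get the GPO until they log off and on.
#    On the TS, as that user:  whoami /groups | findstr /i "TS-Users"

# 6. Vera's point about the two default GPOs: one is linked to the domain, the
#    other only to the Domain Controllers OU.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Target
(Get-GPInheritance -Target "OU=Domain Controllers,$domainDn").GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Target
```

Steps 1 and 2 are the ones to read first: a test user in the TS OU "working" does not prove loopback is on, because a user in that OU receives the GPO's user settings through the normal user-side link anyway. Only a user from another OU, with the loopback value at 2 and the group showing GpoApply, proves the configuration Vera describes.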
 
Re: Applying Group Policy to domain user on Terminal Server

I went through the instructions again and had a little tinker and all is
well. I can't be certain what exactly was wrong but it is now working.

I think I was practically there but thanks for getting me to the end!

Last question, is there a straightforward way of publishing the Terminal
Server on the web?

I have read online about MSFT ISA server. Is this necessary or recommended?

Is there a guide online to configure IIS to get it online?

Many thanks,

Luke

 