
Terminal Services : Roaming Profile Path in GPO



Posted

Really odd situation we have

I have created 2 pilot users and put them in their own OU with a new group.

I have created a new GPO and made changes to the CC and UC settings

CC : path to roaming profile share
UC : path to My Docs share

Now the UC GPO works and it will not read the CC GPO and redirect the Roaming profile

I have followed the share permissions guide per
http://technet2.microsoft.com/windowsserver/en/library/20b15453-f7c9-4cf0-9131-78924af776551033.mspx?mfr=true

RSOP and it only sees it processing the my docs redirection

I have made sure that Block Inher is at the OU above and ensured there aren't any GPOs that are overriding things.

I have also made sure that ENFORCE is configured on the GPO

I have made sure the group is Read and Apply

It's W2K3 with SP2

Any ideas?

KP


Guest Vera Noest [MVP]
Posted

Re: Terminal Services : Roaming Profile Path in GPO

If I understand you correctly, then you have created a single GPO with both Computer and User Configuration settings, and linked that GPO to an OU which contains the user account. Only the User Configuration settings are applied when the user logs on.

This is by design.
When a user logs on to a machine (client or TS), then 2 GPOs (at least) are applied:
1. the Computer Configuration part of the GPO linked to the OU which contains the computer account
2. the User Configuration part of the GPO linked to the OU which contains the user account.

The solution to this problem is to use "loopback processing" of the GPO, which ensures that both Computer Configuration and User Configuration settings are used from the GPO which is linked to the OU which contains the *computer* account.

Assuming that this is about applying a GPO to users who log on to a Terminal Server, this is how it is done:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the "Replace" option (see KB 231287)
   http://support.microsoft.com/?kbid=231287
4. link the GPO to the OU which contains the Terminal Server machine account
5. modify the rights for Administrators on the GPO: select "Deny" for the right to "Apply this policy" (see KB 816100)
   http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Emma <Emma@discussions.microsoft.com> wrote on 05 nov 2007 in microsoft.public.windows.terminal_services:

> Really odd situation we have
>
> I have created 2 pilot users and put them in their own OU with a new group.
>
> I have created a new GPO and made changes to the CC and UC settings
>
> CC : path to roaming profile share
> UC : path to My Docs share
>
> Now the UC GPO works and it will not read the CC GPO and redirect the Roaming profile
>
> I have followed the share permissions guide per
> http://technet2.microsoft.com/windowsserver/en/library/20b15453-f7c9-4cf0-9131-78924af776551033.mspx?mfr=true
>
> RSOP and it only sees it processing the my docs redirection
>
> I have made sure that Block Inher is at the OU above and ensured there aren't any GPOs that are overriding things.
>
> I have also made sure that ENFORCE is configured on the GPO
>
> I have made sure the group is Read and Apply
>
> It's W2K3 with SP2
>
> Any ideas?
>
> KP

Posted

Re: Terminal Services : Roaming Profile Path in GPO

Vera

Many thanks for the concise explanation!!

This is what I have done since the post

I have an OU which has my 2 Terminal Servers in there

I created a GPO1 which only had the Roaming Profile redirection and then applied it to the OU which had my TS servers

I then created GPO2 and linked that to the User OU.

So basically, one OU has CC GPO and the other user OU has the User Config settings. I then ensured there was Block Inheritance and they didn't work.

Am I correct in assuming, based on what you had said, that the GPO for the TS OU needs the Roaming profile redirection as well as Loopback processing? Is there anything else?

Em


Guest Vera Noest [MVP]
Posted

Re: Terminal Services : Roaming Profile Path in GPO

If you want the redirection of the My Documents folder (a User Configuration setting) to apply to users, irrespective of whether they log on to their workstation or the TS, then you can use a setup as you have now and don't need loopback processing. In that case, you use the normal GPO application rules.

But in many cases, you want to lock down a user (with User Configuration settings) when they log on to a TS, but not when they log on to their workstation. In such cases, you need to enable loopback processing in the GPO which is linked to the TS OU and link all lockdown GPOs to this TS OU as well.

If you don't see any effect of the recent changes you made to the GPOs, run gpupdate on the TS to refresh the GPO.
I see no reason for Block Inheritance, unless you have a GPO higher up in the hierarchy which you want to block.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Emma <Emma@discussions.microsoft.com> wrote on 05 nov 2007 in microsoft.public.windows.terminal_services:

> Vera
>
> Many thanks for the concise explanation!!
>
> This is what I have done since the post
>
> I have an OU which has my 2 Terminal Servers in there
>
> I created a GPO1 which only had the Roaming Profile redirection and then applied it to the OU which had my TS servers
>
> I then created GPO2 and linked that to the User OU.
>
> So basically, one OU has CC GPO and the other user OU has the User Config settings. I then ensured there was Block Inheritance and they didn't work.
>
> Am I correct in assuming, based on what you had said, that the GPO for the TS OU needs the Roaming profile redirection as well as Loopback processing? Is there anything else?
>
> Em


Posted

Re: Terminal Services : Roaming Profile Path in GPO

Vera

This is what I did

On the OU which has my TS I created a new GPO and enabled Loopback and also the TS Roaming Profile Path. I disabled the application of the User Config and ensured the user group for the Users had READ and APPLY on that policy

Logged back in, but still no avail.....have I missed something?

Is there a step where I put the TS Servers in another Group and need to ensure it's THAT group that has Read and Apply to the policy?


Guest Vera Noest [MVP]
Posted

Re: Terminal Services : Roaming Profile Path in GPO

Did you remove the "Authenticated Users" group from the security filtering of the GPO? If so, you have to add the Terminal Server machine account to the security filtering, also with read and execute rights.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

 

Emma <Emma@discussions.microsoft.com> wrote on 06 nov 2007 in microsoft.public.windows.terminal_services:

> Vera
>
> This is what I did
>
> On the OU which has my TS I created a new GPO and enabled Loopback and also the TS Roaming Profile Path. I disabled the application of the User Config and ensured the user group for the Users had READ and APPLY on that policy
>
> Logged back in, but still no avail.....have I missed something?
>
> Is there a step where I put the TS Servers in another Group and need to ensure it's THAT group that has Read and Apply to the policy?

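A simplified model of the processing rules discussed in this thread, added here as an illustration and not part of any poster's message: it computes which settings reach a user logging on to a Terminal Server for a GPO linked to the user OU, a GPO linked to the TS OU with loopback "Replace", and the same GPO with "Authenticated Users" removed from security filtering (it also handles "Merge" mode, which the thread does not use). All account, OU, group, share and setting names are constructed, and OU inheritance, Enforce and Block Inheritance are left out.

```python
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"  # users and computer accounts are both members

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration part
    user: dict = field(default_factory=dict)      # User Configuration part
    # Security filtering: principals holding Read + Apply Group Policy.
    apply_to: set = field(default_factory=lambda: {AUTH_USERS})

@dataclass
class Account:
    name: str
    ou: str
    groups: set = field(default_factory=set)

    def principals(self):
        return {self.name, AUTH_USERS} | self.groups

def in_scope(links, ou, account):
    """GPOs linked to `ou` whose security filtering admits `account`."""
    return [g for g in links.get(ou, []) if g.apply_to & account.principals()]

def resultant(links, user, computer):
    """(computer settings, user settings) when `user` logs on to `computer`."""
    comp = {}
    for gpo in in_scope(links, computer.ou, computer):
        comp.update(gpo.computer)
    user_gpos = in_scope(links, user.ou, user)   # normal processing
    mode = comp.get("loopback_mode")
    if mode == "Replace":    # user part taken only from the computer's OU
        user_gpos = in_scope(links, computer.ou, user)
    elif mode == "Merge":    # computer's OU applied last, so it wins conflicts
        user_gpos = user_gpos + in_scope(links, computer.ou, user)
    usr = {}
    for gpo in user_gpos:
        usr.update(gpo.user)
    return comp, usr

# Constructed sample directory: one pilot user, one Terminal Server.
USER_OU, TS_OU = "OU=PilotUsers", "OU=TerminalServers"
pilot = Account("pilot1", USER_OU, {"TS-Pilot-Users"})
ts = Account("TS01$", TS_OU)

def scenario(link_ou, loopback, apply_to=None):
    """Return (TS profile path applied?, My Docs redirection applied?)."""
    computer_part = {"ts_roaming_profile_path": r"\\fs01\tsprofiles$"}
    if loopback:
        computer_part["loopback_mode"] = "Replace"
    gpo = GPO("Pilot GPO", computer_part,
              {"my_documents_redirect": r"\\fs01\docs$"})
    if apply_to is not None:
        gpo.apply_to = set(apply_to)
    comp, usr = resultant({link_ou: [gpo]}, pilot, ts)
    return "ts_roaming_profile_path" in comp, "my_documents_redirect" in usr

def run_all():
    return {
        "linked to user OU": scenario(USER_OU, False),
        "linked to TS OU, loopback Replace": scenario(TS_OU, True),
        "same, filtered to user group only":
            scenario(TS_OU, True, {"TS-Pilot-Users"}),
        "same, TS machine account added":
            scenario(TS_OU, True, {"TS-Pilot-Users", "TS01$"}),
    }

if __name__ == "__main__":
    for label, (profile, mydocs) in run_all().items():
        print(f"{label:36} profile path={profile!s:5} My Docs={mydocs}")
```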

