
Loopback process doesn't work



Guest nicolas29
Posted

Hey,

I have a TSE 2000.

I created an OU named TSE and put my SERVER in this OU.

I made a GPO on this OU with loopback processing, and in the user configuration I set a special script as the logon script.

but it doesn't work

when a user connects to the GPO apply to the OU TSE

I don't understand, because I did the same at another company (but with TSE 2003) and it works very well.

I made these tests:

- deleted the OU and recreated it

- deleted the GPO and recreated it

.....snif help

nt

Guest Bart Van Vugt
Posted

RE: Loopback process doesn't work

 

Did you check with RSOP if the policy is applied?

 


Guest Patrick Rouse
Posted

RE: Loopback process doesn't work

 

Best Practice for applying Settings to Users only when they log on to Terminal Servers would be to:

1. Create an OU to contain a set of Terminal Servers

2. Block Policy Inheritance on the OU (Properties -> Group Policy). This prevents settings from higher-up in AD from affecting your Terminal Servers.

3. Move the Terminal Server Computer Objects into the OU. Do NOT place User Accounts in this OU.

4. Create an Active Directory Security Group called “Terminal Servers” (or something similar that you’ll recognize) and add the Terminal Servers from this OU to this group.

5. Create a GPO called “TS Machine Policy” linked to the OU

6. Check “Disable User Configuration settings” on the GPO

7. Enable Loopback Policy Processing in the GPO

8. Edit the Security of the Policy so Apply Policy is set for “Authenticated Users” and the Security Group containing the Terminal Servers

9. Create additional GPOs linked to this OU for each user population, i.e. “TS Users”, “TS Administrators”.

10. Check “Disable Computer Configuration settings” on these GPOs

11. Edit the Security on these User Configuration GPOs so Apply Policy is enabled for the target user population, and Deny Apply Policy is enabled for users to which the policy should not apply.

With GPOs configured this way the Machine Policy applies to everyone that logs on to the Terminal Server (only the Computer Configuration Settings of the Machine Policy are processed) in addition to the appropriate User Configuration GPO (only the User Configuration portion of the GPO is processed) for the target user population.

 

--

Patrick C. Rouse

Microsoft MVP - Terminal Server

Provision Networks VIP

Citrix Technology Professional

President - Session Computing Solutions, LLC

http://www.sessioncomputing.com

 

 

 


Guest nicolas29
Posted

RE: Loopback process doesn't work

 

Hello,

Bart, if I'm not mistaken, I cannot run RSOP on a TSE 2000, only on 2003 or XP?

Patrick, thanks for the details, but after 3 hours it doesn't work.

Here is what I did, with my information:

> 1. Create an OU to contain a set of Terminal Servers

nt: ok

> 2. Block Policy Inheritance on the OU (Properties -> Group Policy). This

nt: ok

> 3. Move the Terminal Server Computer Objects into the OU. Do NOT place User
> Accounts in this OU.

nt: ok

> 4. Create an Active Directory Security Group called “Terminal Servers” (or
> something similar that you’ll recognize) and add the Terminal Servers from
> this OU to this group.

nt: I made a global security group named GG TSE and add into the tse

> 5. Create a GPO called “TS Machine Policy” linked to the OU

nt: ok

> 6. Check “Disable User Configuration settings” on the GPO

nt: ok

> 7. Enable Loopback Policy Processing in the GPO

nt: ok

> 8. Edit the Security of the Policy so Apply Policy is set for “Authenticated
> Users” and the Security Group containing the Terminal Servers

nt: ok

> 9. Create additional GPOs linked to this OU for each user population, i.e.
> “TS Users”, “TS Administrators”.

nt: ok, I made a 2nd GPO named script tse

> 10. Check “Disable Computer Configuration settings” on these GPO

nt: ok

> 11. Edit the Security on these User Configuration GPOs so Apply Policy is
> enabled for the target user population, and Deny Apply Policy is enabled for
> user to which the policy should not apply.

nt: as I want users on the TSE to have a logon script, I put a logon script in the user configuration of the script tse GPO. Is that the right place?

My script doesn't apply (it is just a map; if I test it in the user session by double-clicking it, it works, but not by GPO).

Thanks. Can you explain where I made a mistake, if I want a specific script to apply when a user connects to the TSE?

Good day, nicolas

Guest Morgan che
Posted

RE: Loopback process doesn't work

 

Dear Customer,

 

Thanks for your posting here and Patrick Rouse and Bart Van's for your

kind response.

 

Please check the following:

 

1) Please check whether the Loopback setting and the logon script setting have been applied. You can run RSOP.MSC on the Terminal session to verify it.

Note: RSOP is not available on Windows 2000 computers. You can run the following command:

GPRESULT /V >C:\gpresult.txt

Please let me know the result.

2) As a test, please create a user account and put it in the same OU where the Terminal server is located. Please log on to the Terminal server with this new user to see if the script applies.

3) Please help collect a debug-mode Userenv log.

 

For detailed steps, please refer to:

 

221833 How to enable user environment debug logging in retail builds of

Windows

http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

 

You can send the files to me at v-morche@microsoft.com (please include

"41115895-Loopback process doesn't work" in the subject line).

 

I am looking forward to your feedback. If anything is unclear, please be

free to post back and I am happy to be of further assistance.

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Guest Patrick Rouse
Posted

RE: Loopback process doesn't work

 

Assuming your policy has replicated, the user GPO settings should apply at

the next logon, and computer GPO settings should apply after the next reboot,

as the computer settings apply when the Server's AD Account logs onto AD,

before the GINA is accessible.

 

I have successfully used the steps I listed in every implementation I've

done for several years, so they are battle tested on dozens of clients.

 

 

--

Patrick C. Rouse

Microsoft MVP - Terminal Server

Provision Networks VIP

Citrix Technology Professional

President - Session Computing Solutions, LLC

http://www.sessioncomputing.com

 

 

 


Guest nicolas29
Posted

RE: Loopback process doesn't work

 

Thank you too.

Before restarting my server (because it is in production), can you just confirm where I should put the special script for a user logon on the TSE: on the GPO that has the loopback parameter modified, or on a new GPO?

And in which section (user or computer configuration)?

For me, I think it is on a new GPO and in the user section. Thanks for your answers.

 

nicolas

--

nt

 

 


Guest Patrick Rouse
Posted

RE: Loopback process doesn't work

 

The GPOs are set in the user GPO, so you can have different logon/logoff

scripts based upon group membership (as you can have different user GPOs on

the same OU). Settings in the machine/computer GPO apply to everyone.

 

--

Patrick C. Rouse

Microsoft MVP - Terminal Server

Provision Networks VIP

Citrix Technology Professional

President - Session Computing Solutions, LLC

http://www.sessioncomputing.com

 

 

 


Guest nicolas29
Posted

RE: Loopback process doesn't work

 

As I cannot restart my server, I'm testing on a VM machine beforehand.

I will give you feedback soon.

Thanks, nicolas

--

nt

 

 


Guest Morgan che
Posted

RE: Loopback process doesn't work

 

Dear Customer,

 

Thank you for your e-mail, and I appreciate that you take the time to

collect the information.

 

When viewing your log files and the captured screen, I noticed it's not an English version of the Windows operating system.

 

As this issue needs specific analysis on log files, I would like to suggest

that you post the problem in the appropriate newsgroup to ensure that you

are best served by the most suitable engineers. Also, the engineers there

are experienced in troubleshooting localized version products. I believe

that the problem will be resolved soon. Although we would try our best to

assist you here, for support for localized versions it would be best to use

the support resources appropriate to that language.

 

(For example, for French version of Windows Terminal issues, you may post

in microsoft.public.fr.windows.server.terminalserver.)

Thanks for your understanding.

 

Anyway, I am also happy to share some basic suggestions based on the English part of the information you helped collect.

After viewing your userenv log and gpresult text, my investigation is as below:

 

The user FC applied Logon scripts of OCA ITINERANT Group Policy instead of

what you expected. Additionally, I haven't found any records about loopback

Group Policy.

 

So, I would suggest you to directly change the registry key to enable Group

Policy Loopback on your Terminal server:

 

Key Name: HKLM\Software\Policies\Microsoft\Windows\System

Value Name: UserPolicyMode

 

0 - Normal Mode (no loopback)

1 - Merge Mode

2 - Replace Mode

 

For the difference between Merge Mode and replace Mode, I also list here

for your reference:

 

Merge Mode:

In this mode, when the user logs on, the user's list of GPOs is typically

gathered by using the GetGPOList function. The GetGPOList function is then

called again by using the computer's location in Active Directory. The list

of GPOs for the computer is then added to the end of the GPOs for the user.

This causes the computer's GPOs to have higher precedence than the user's

GPOs. In this example, the list of GPOs for the computer is added to the

user's list.

 

 

Replace Mode:

In this mode, the user's list of GPOs is not gathered. Only the list of

GPOs based on the computer object is used.

 

I hope this helps. Have a good day!

 

Thanks and regards,

 

Morgan Che

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
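
The Merge/Replace behaviour described in the post above, combined with the security filtering from the 11-step setup earlier in the thread, as an added example (not code from any poster or from Microsoft). It is a simplified model: one OU level, no inheritance, and the OU names, group names other than those in the steps, and script names are constructed.

```python
from dataclasses import dataclass

NORMAL, MERGE, REPLACE = 0, 1, 2   # UserPolicyMode values listed in the post

@dataclass(frozen=True)
class GPO:
    name: str
    user_enabled: bool = True       # False = "Disable User Configuration settings"
    computer_enabled: bool = True   # False = "Disable Computer Configuration settings"
    apply: frozenset = frozenset({"Authenticated Users"})
    deny: frozenset = frozenset()   # Deny Apply Policy overrides Apply Policy
    loopback: int = NORMAL          # Computer Configuration setting (NORMAL = not set)
    logon_script: str = ""          # User Configuration setting

def filtered(gpos, groups):
    """Security filtering: GPOs the principal is allowed to apply."""
    return [g for g in gpos if (g.apply & groups) and not (g.deny & groups)]

def loopback_mode(links, computer_ou, computer_groups):
    """Loopback mode the server receives from its own Computer Configuration."""
    mode = NORMAL
    for g in filtered(links.get(computer_ou, []), computer_groups):
        if g.computer_enabled and g.loopback != NORMAL:
            mode = g.loopback       # later link = higher precedence
    return mode

def user_gpo_list(links, user_ou, user_groups, computer_ou, computer_groups):
    """User-side GPO list at logon, lowest precedence first."""
    mode = loopback_mode(links, computer_ou, computer_groups)
    own = filtered(links.get(user_ou, []), user_groups)
    # Loopback: GPOs are found via the computer's OU but filtered for the user.
    via_computer = filtered(links.get(computer_ou, []), user_groups)
    if mode == REPLACE:
        gpos = via_computer
    elif mode == MERGE:
        gpos = own + via_computer   # computer's list appended, so it wins
    else:
        gpos = own
    return [g for g in gpos if g.user_enabled]

def logon_scripts(links, user_ou, user_groups, computer_ou, computer_groups):
    """Scripts from every applied GPO run; they do not override each other."""
    gpos = user_gpo_list(links, user_ou, user_groups, computer_ou, computer_groups)
    return [g.logon_script for g in gpos if g.logon_script]

# Constructed directory: one user OU and one Terminal Server OU.
SERVER = frozenset({"Authenticated Users", "Terminal Servers"})
USER = frozenset({"Authenticated Users", "TS Users"})
ADMIN = USER | {"TS Administrators"}

def sample_links(mode, machine_apply=SERVER):
    return {
        "OU=Staff": [GPO("Staff Policy", logon_script="staff.cmd")],
        "OU=Terminal Servers": [
            GPO("TS Machine Policy", user_enabled=False,
                apply=frozenset(machine_apply), loopback=mode),
            GPO("TS Users", computer_enabled=False, apply=frozenset({"TS Users"}),
                deny=frozenset({"TS Administrators"}), logon_script="map_ts.cmd"),
            GPO("TS Administrators", computer_enabled=False,
                apply=frozenset({"TS Administrators"}), logon_script="admin_ts.cmd"),
        ],
    }

def scripts_on_ts(mode, user_groups, machine_apply=SERVER):
    """Logon scripts a Staff-OU user gets when logging on to the Terminal Server."""
    links = sample_links(mode, machine_apply)
    return logon_scripts(links, "OU=Staff", user_groups, "OU=Terminal Servers", SERVER)

if __name__ == "__main__":
    for mode in (NORMAL, MERGE, REPLACE):
        print(mode, scripts_on_ts(mode, USER), scripts_on_ts(mode, ADMIN))
```

With the mode left at 0 the user only receives the script from their own OU, which matches the symptom reported in the thread; the last argument shows the same result when the server cannot apply the machine policy at all.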

Guest nicolas29
Posted

RE: Loopback process doesn't work

 

Hi,

Thanks for your answers, they were very useful.

I did it on my test server, and it works.

Thanks a lot

 

--

nt

 

 


Guest Morgan che
Posted

RE: Loopback process doesn't work

 

 

Dear Customer,

 

Thanks for your feedback, and I am glad to hear this issue has been solved.

 

Hope you have a nice day!

 

Best wishes

 

Sincerely

Morgan Che

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

