No Computer Settings for TS group policy

Guest Noncentz
Posted

Morning,

 

I am trying to lock down the desktop on my terminal servers via a GPO called Terminal Services Lockdown. I used this guide mainly to find what I needed. The GPO is applied to the 2 TS servers as well as a TS user group. When I log in a testuser I run gpresult and find that my computer settings are not applying but the user settings are. Any thoughts??

 

http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

 

Also I remember there being a white paper out about GPO on Terminal services, anyone know of this??

 

----------------my gpresults from testuser

Microsoft ® Windows ® Operating System Group Policy Result tool v2.0

Copyright © Microsoft Corp. 1981-2001

 

Created On 6/4/2008 at 8:22:59 AM

 

 

 

RSOP data for MCCOYSALES\testuser on MCSVR03 : Logging Mode

------------------------------------------------------------

 

OS Type: Microsoft® Windows® Server 2003, Enterprise Edition

OS Configuration: Member Server

OS Version: 5.2.3790

Terminal Server Mode: Application Server

Site Name: N/A

Roaming Profile:

Local Profile: C:\Documents and Settings\testuser

Connected over a slow link?: No

 

 

USER SETTINGS

--------------

CN=TestUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local

Last time Group Policy was applied: 6/4/2008 at 8:22:21 AM

Group Policy was applied from:

Group Policy slow link threshold: 500 kbps

Domain Name:

Domain Type: Windows 2000

 

Applied Group Policy Objects

-----------------------------

McCoy Wireless LAN Policy

Terminal Services Lockdown

Default Domain Policy

Local Group Policy

 

The following GPOs were not applied because they were filtered out

-------------------------------------------------------------------

Small Business Server Remote Assistance Policy

Filtering: Disabled (GPO)

 

Small Business Server Internet Connection Firewall

Filtering: Denied (WMI Filter)

WMI Filter: PreSP2

 

Small Business Server - Windows Vista policy

Filtering: Denied (WMI Filter)

WMI Filter: Vista

 

Small Business Server Client Computer

Filtering: Not Applied (Empty)

 

Small Business Server Domain Password Policy

Filtering: Not Applied (Empty)

 

Small Business Server Windows Firewall

Filtering: Denied (WMI Filter)

WMI Filter: PostSP2

 

EnlightenUsers

Filtering: Not Applied (Empty)

 

Small Business Server Lockout Policy

Filtering: Disabled (GPO)

 

WSUS Client Policy

Filtering: Denied (Security)

 

The user is a part of the following security groups

---------------------------------------------------

Domain Users

Everyone

Remote Desktop Users

BUILTIN\Users

REMOTE INTERACTIVE LOGON

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\Authenticated Users

This Organization

LOCAL

Wireless Users

Prophet21_Users

CERTSVC_DCOM_ACCESS
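
Added example, not part of the original thread: a small Python parser for gpresult text output that reports, for each of the USER and COMPUTER sections, whether a named GPO was applied, filtered (and why), or whether the section is absent from the report, as it is in the output quoted above. The function names are hypothetical and the sample input is constructed from that output.

```python
# Constructed sample, abbreviated from the gpresult output quoted in the post.
SAMPLE = """\
RSOP data for MCCOYSALES\\testuser on MCSVR03 : Logging Mode
------------------------------------------------------------
USER SETTINGS
--------------
Applied Group Policy Objects
-----------------------------
Terminal Services Lockdown
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2
WSUS Client Policy
Filtering: Denied (Security)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
"""

def parse_gpresult(text):
    """Split gpresult text into USER/COMPUTER sections (hypothetical helper)."""
    report = {"USER": None, "COMPUTER": None}  # None = section not in report
    scope = block = last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:  # blank line or dashed ruler
            continue
        if line in ("USER SETTINGS", "COMPUTER SETTINGS"):
            scope, block = line.split()[0], None
            report[scope] = {"applied": [], "filtered": {}}
        elif scope is None:
            continue  # report header before the first section
        elif line == "Applied Group Policy Objects":
            block = "applied"
        elif line.startswith("The following GPOs were not applied"):
            block = "filtered"
        elif "is a part of the following security groups" in line:
            block = None  # group membership list: not needed here
        elif block == "applied":
            report[scope]["applied"].append(line)
        elif block == "filtered":
            if line.startswith("Filtering:"):
                report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
            elif not line.startswith("WMI Filter:"):
                last = line  # a GPO name; its reason follows on the next line
                report[scope]["filtered"][last] = None
    return report

def gpo_status(report, gpo_name):
    """Say, per section, whether gpo_name applied, was filtered, or is unreported."""
    status = {}
    for scope in ("USER", "COMPUTER"):
        section = report[scope]
        if section is None:
            status[scope] = "section missing from report"
        elif gpo_name in section["applied"]:
            status[scope] = "applied"
        elif gpo_name in section["filtered"]:
            status[scope] = f"filtered: {section['filtered'][gpo_name]}"
        else:
            status[scope] = "not listed"
    return status

if __name__ == "__main__":
    print(gpo_status(parse_gpresult(SAMPLE), "Terminal Services Lockdown"))
```
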


Guest Vera Noest [MVP]
Posted

Re: No Computer Settings for TS group policy

 

Are the TS machine accounts added to the security filtering of the GPO?

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 


Guest Noncentz
Posted

Re: No Computer Settings for TS group policy

 

Yes, currently I have 2 TS servers in the GPO applying the group policy with full control. I also have some admin accounts denying the GPO.

When I log in as an administrator I can see the computer settings but not as a domain user. These are my current settings for the GPO

 

------------------------------------------------------
Terminal Services Lockdown
Data collected on: 6/6/2008 8:35:14 AM

General

Details
  Domain: mccoysales.local
  Owner: Company1\Domain Admins
  Created: 6/3/2008 9:36:04 AM
  Modified: 6/6/2008 8:30:02 AM
  User Revisions: 1 (AD), 1 (sysvol)
  Computer Revisions: 26 (AD), 26 (sysvol)
  Unique ID: {D9873791-6759-4AC3-8D1E-71A6E5129E16}
  GPO Status: Enabled

Links
  Location | Enforced | Link Status | Path
  Company1 | Yes | Enabled | Company1.local
  This list only includes links in the domain of the GPO.

Security Filtering
  The settings in this GPO can only apply to the following groups, users, and computers:
  Name
  MCCOYSALES\Enterprise Admins
  MCCOYSALES\MCSVR03$
  MCCOYSALES\MCSVR04$
  NT AUTHORITY\Authenticated Users

WMI Filtering
  WMI Filter Name: None
  Description: Not applicable

Delegation
  These groups and users have the specified permission for this GPO
  Name | Allowed Permissions | Inherited
  MCCOYSALES\Admin2 | Custom | No
  MCCOYSALES\Enterprise Admins | Read (from Security Filtering) | No
  MCCOYSALES\Terminal03$ | Edit settings, delete, modify security | No
  MCCOYSALES\Terminal04$ | Edit settings, delete, modify security | No
  MCCOYSALES\Admin1 | Custom | No
  NT AUTHORITY\Authenticated Users | Custom | No
  NT AUTHORITY\SYSTEM | Custom | No

Computer Configuration (Enabled)

Administrative Templates

System/Group Policy
  Policy | Setting
  User Group Policy loopback processing mode | Enabled
    Mode: Replace

System/User Profiles
  Policy | Setting
  Add the Administrators security group to roaming user profiles | Enabled
  Delete cached copies of roaming profiles | Enabled

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  Policy | Setting
  Automatically check for Internet Explorer updates | Disabled
  Empty Temporary Internet Files folder when browser is closed | Enabled
  Play animations in web pages | Disabled
  Play sounds in web pages | Disabled
  Play videos in web pages | Disabled

Windows Components/Terminal Services
  Policy | Setting
  Enforce Removal of Remote Desktop Wallpaper | Enabled
  Limit number of connections | Enabled
    TS Maximum Connections allowed: 1
    Type 999999 for unlimited connections.
  Remove Disconnect option from Shut Down dialog | Enabled
  Remove Windows Security item from Start menu | Enabled
  Restrict Terminal Services users to a single remote session | Enabled
  Set path for TS Roaming Profiles | Enabled
    Profile path: \\mcsvr01\TSProfiles
    Specify the path in the form, \\Computername\Sharename
    Do not append the user name to the profile path.: Disabled
  Set the Terminal Server licensing mode | Enabled
    Specify the licensing mode for the terminal server.: Per User
  Sets rules for remote control of Terminal Services user sessions | Enabled
    Options: Full Control without user's permission

Windows Components/Terminal Services/Client/Server data redirection
  Policy | Setting
  Allow audio redirection | Disabled
  Allow Time Zone Redirection | Enabled
  Do not allow COM port redirection | Enabled
  Do not allow LPT port redirection | Enabled
  Terminal Server Fallback Printer Driver Behavior | Enabled
    When Attempting to Find a Suitable Driver: Default to PCL if one is not found.

Windows Components/Terminal Services/Sessions
  Policy | Setting
  Set time limit for disconnected sessions | Enabled
    End a disconnected session: 30 minutes
  Terminate session when time limits are reached | Enabled

User Configuration (Enabled)

Windows Settings

Folder Redirection

My Documents
  Setting: Basic (Redirect everyone's folder to the same location)
  Path: \\%HOMESHARE%%HOMEPATH%
  Options
    Grant user exclusive rights to My Documents: Enabled
    Move the contents of My Documents to the new location: Enabled
    Policy Removal Behavior: Leave contents

Guest Vera Noest [MVP]
Posted

Re: No Computer Settings for TS group policy

 

Run a Resultant Set of Policies for a normal user and a TS. Must be something in the permissions, maybe this:

> NT AUTHORITY\Authenticated Users Custom No

 

I'd also post in the group_policy newsgroup, you'll probably get better help there.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 
