
Applying Group Policy to domain user on Terminal Server



Guest Luke Chalmers
Posted

Hello,

I am fairly new to setting up terminal services so I will try and explain the problem as best I can.

I have set up a Windows 2003 Terminal Server and have built a group policy for when users log on. The domain controller is on a Windows 2000 server. I am not sure if this is the best way to do this, but in Active Directory I have a subfolder called 'Domain Controllers' and this contains the Windows 2000 server. When I right click on the 'Domain Controllers' and go to properties > group policy I see 'Default Domain Controllers Policy'. This is the group policy that is applied to domain users on the network.

Another organisational unit subfolder is called 'My Business' and then a subfolder in that called '[company name]'. The [company name] folder contains all the users in the company which log onto the domain.

Under 'My Business' is another folder which I created called 'Terminal Services'. If I right click on that and go to properties and go to Group policy, you find my group policy that I have configured for the Terminal Server. In this folder you find the Terminal Server computer object and a test user.

When the test user logs into the Terminal Server the group policy is then applied and they experience restrictive access.

How can I get a domain user from the '[company name]' organisational unit to log onto the TS with the group policy applied? In order to get this to work I have to move them to the Terminal Services container and I don't want to do that. I have created a group and added the group, but when users of that group log in the group policy does not apply.

I have granted the terminal services group permission to the group policy just like my test user, but only my test user works. I am not sure how to get this working. How do other people set this up?

Sorry if this sounds waffly!

Cheers

Luke

Guest Vera Noest [MVP]
Posted

Re: Applying Group Policy to domain user on Terminal Server

 

The solution to this problem is to use "loopback processing" of the TS GPO:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the "Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server machine account
5. add the Terminal Server machine account to the security list of the GPO
6. add a User group to the security list of the GPO (or keep the default entry for "Authenticated Users" if you want the settings in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select "Deny" for the right to "Apply this policy" (see KB 816100)

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Luke Chalmers <LukeChalmers@discussions.microsoft.com> wrote on 18 jun 2008 in microsoft.public.windows.terminal_services:


Guest Luke Chalmers
Posted

Re: Applying Group Policy to domain user on Terminal Server

 

Vera,

Thanks for your help on this. I am still a little stuck however, as the GPO is still not applying properly. I am glad you understood what I meant, as I was concerned that you may find my problem difficult to follow.

I just want to check the instructions that you sent.

1. place the Terminal Server (not the users!) in a separate OU

DONE! This OU is called Terminal Services.

2. create a TS-specific GPO

DONE! This is called TS-GPO.

3. configure the GPO to use "loopback processing" with the "Replace" option (see KB 231287)

DONE! Read this with interest and I guess this needs to be applied to the TS-GPO and not the local GPO on the Terminal Server.

4. link the GPO to the OU which contains the Terminal Server machine account

DONE! What do you mean exactly by Terminal Server machine 'account'? If I right click on the Terminal Services OU and go to properties, the group policy is in there under the group policy tab.

5. add the Terminal Server machine account to the security list of the GPO

If I right click on the Terminal Services OU > properties > group policy, select the group policy and then click properties, then select the security tab, the Terminal Server computer is in this list along with my test users and the Terminal Server User group. What permissions should the machine have exactly? I also have the domain admin group with deny rights in here. This relates to point 7.

6. add a User group to the security list of the GPO (or keep the default entry for "Authenticated Users" if you want the settings in the GPO to apply to all users)

DONE! As above, the Terminal Server user group is in the security list with read, write, create, delete and apply rights enabled. Same as my test user, which works.

When I log in with a user who is a member of the Terminal Server Users group the GPO does not apply itself.

In Active Directory under the Terminal Server OU I have the computer of the TS and the test user. Should my Terminal Server user group be in there as well? Because it is at present!

Many thanks for your help on this Vera!

Luke

 

 


Guest Vera Noest [MVP]
Posted

Re: Applying Group Policy to domain user on Terminal Server

 

comments inline

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Luke Chalmers <LukeChalmers@discussions.microsoft.com> wrote on 19 jun 2008 in microsoft.public.windows.terminal_services:

> Vera,
>
> Thanks for your help on this. I am still a little stuck however
> as the GPO is still not applying properly. I am glad you
> understood what I meant as I was concerned that you may find my
> problem difficult to follow.
>
> I just want to check the instructions that you sent.
>
> 1. place the Terminal Server (not the users!) in a separate OU
> DONE! This OU is called Terminal Services
>
> 2. create a TS-specific GPO
> DONE! This is called TS-GPO
>
> 3. configure the GPO to use "loopback processing" with the
> "Replace" option (see KB 231287)
> DONE! Read this with interest and I guess this needs to be
> applied to the TS-GPO and not the local GPO on the Terminal
> Server

Correct

> 4. link the GPO to the OU which contains the Terminal Server
> machine account
>
> DONE! What do you mean exactly by Terminal Server machine
> 'account'? If I right click on the Terminal Services OU and go
> to properties the group policy is in there under the group
> policy tab.

The Terminal Server machine account is what you call the Terminal Server computer, i.e. the object that you see in the Terminal Services OU.

> 5. add the Terminal Server machine account to the security
> list of the GPO
>
> If I right click on the Terminal Services OU>properties>group
> policy>select the group policy and then click properties. Then
> select the security tab. The Terminal Server computer is in this
> list along with my test users and Terminal Server User group.
> What permissions should the machine have exactly? I also have
> the domain admin group with deny rights in here. This relates to
> point 7.

The default permissions (minimally read, write, apply)

> 6. add a User group to the security list of the GPO (or keep
> the default entry for "Authenticated Users" if you want the
> settings in the GPO to apply to all users)
> DONE! as above the Terminal Server user group is in the security
> list with read, write, create, delete and apply rights enabled.
> Same as my test user which works
>
> When I log in with a user who is a member of the Terminal Server
> Users group the GPO does not apply itself.

Strange, because it should. Did you run the command "gpupdate" on the Terminal Server after adding the loopback setting? If that doesn't help, run RSoP (Resultant Set of Policies) with the TS as the computer and a normal user account, to see a list of the policies which are applied.

One comment on your first post. You wrote:

> .. in Active Directory I have a subfolder
> called 'Domain Controllers' and this contains the Windows
> 2000 server. When I right click on the 'domain controllers'
> and go to properties>group policy I see 'default domain
> controllers policy'. This is the group policy that is
> applied to domain users on the network.

That's not completely true. The Default Domain Controller GPO is applied to the DC. You should have another GPO, linked to the domain, which is called the Default Domain Policy. This GPO is applied to the whole domain, and thus to all users.

> In active directory under the Terminal Server OU I have the
> computer of the TS and the test user. Should my Terminal Server
> user group be in there as well because it is at present!

Policies are applied to computers and/or users, not to security groups. So putting the Terminal Server Users security group in the TS OU has no effect, and I wouldn't do it.

> Many thanks for your help on this Vera!
>
> Luke

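The seven steps in Vera's first reply (loopback in "Replace" mode, linking the GPO to the OU that holds the Terminal Server's computer object, security filtering for the machine account and the user group) and the gpupdate / RSoP check she suggests in the reply above can be scripted and verified in one place. The following is an added example, not code from the thread, from Microsoft, or from the KB articles cited. It assumes the GroupPolicy RSAT module, which shipped with Windows Server 2008 R2 and so did not exist for the Windows 2000/2003 domain in the thread; the GPO name TS-GPO, the OU path, the computer name TS01, the group "Terminal Server Users", the domain example.local and the user account are all placeholders.

```powershell
# Added example (not from the thread): scripting and verifying the loopback
# setup that the replies above describe by hand in the GPMC.
# Assumes the GroupPolicy RSAT module (Windows Server 2008 R2 or later).
# Every name below is a placeholder for this example.
Import-Module GroupPolicy

$GpoName   = 'TS-GPO'                                                  # hypothetical GPO
$TsOu      = 'OU=Terminal Services,OU=My Business,DC=example,DC=local'   # hypothetical OU
$TsHost    = 'TS01'                                                    # hypothetical TS machine account
$UserGroup = 'Terminal Server Users'                                   # hypothetical group
$TestUser  = 'example\someuser'                                        # hypothetical ordinary user

# Step 3: loopback processing in "Replace" mode. The GUI setting
# "User Group Policy loopback processing mode" is stored as
# HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
# (1 = Merge, 2 = Replace). It is a COMPUTER setting, so it only takes
# effect on machines the GPO is linked to and filtered for, i.e. the TS,
# and it belongs in the domain GPO, not in the TS's local GPO.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 4: link the GPO to the OU that holds the TS computer object, not to
# the OU that holds the users. With Replace-mode loopback the user half of
# this GPO is applied to whoever logs on to that computer, wherever their
# user object lives in the directory.
$linked = (Get-GPInheritance -Target $TsOu).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null
}

# Steps 5 and 6: security filtering. The computer account needs Read and
# Apply so the loopback (computer) setting reaches it; the user group needs
# Read and Apply so the user settings are applied. GpoApply includes Read.
# A group belongs here, in the GPO's ACL; placing the group object inside
# the OU does nothing, as Vera notes, because policy is applied to computer
# and user objects, never to groups.
Set-GPPermission -Name $GpoName -TargetName $TsHost -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 7 (KB 816100) needs a DENY entry on "Apply group policy" for the
# administrators. Set-GPPermission only grants permission levels and cannot
# write a Deny ACE, so that entry is still added in the GPMC
# (Delegation > Advanced) as the KB article describes; it is not faked here.

# Verification, as suggested in the thread: refresh policy on the TS, then
# produce the resultant set of policy for an ordinary user on that computer.
# TS-GPO should be listed under the user's applied GPOs. If it instead shows
# up as "Denied (Security)", the group lacks Apply on the GPO; if it is absent
# altogether, the link or the OU placement of the computer object is wrong.
Invoke-Command -ComputerName $TsHost -ScriptBlock { gpupdate /force }
Get-GPResultantSetOfPolicy -Computer $TsHost -User $TestUser `
    -ReportType Html -Path "$env:TEMP\rsop-$TsHost.html"
```

Two points a practitioner would check after running this: the report's computer section must show TS-GPO applied to TS01 (otherwise the loopback switch never reached the machine and the user side cannot apply), and if "Authenticated Users" was removed from the GPO's ACL the computer account must keep Read on it, which the GpoApply grant above guarantees.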

Guest Luke Chalmers
Posted

Re: Applying Group Policy to domain user on Terminal Server

 

I went through the instructions again and had a little tinker and all is well. I can't be certain what exactly was wrong, but it is now working.

I think I was practically there, but thanks for getting me to the end!

Last question: is there a straightforward way of publishing the Terminal Server on the web?

I have read online about MSFT ISA Server. Is this necessary or recommended?

Is there a guide online to configure IIS to get it online?

Many thanks,

Luke

 


