GPO not applying to user when only TS server is in Locked down OU.

Guest

Hi,

I have a 2000 native domain. I cannot get a GPO to work when users log in to a
new 2003 TS server I set up and moved into its own OU. If I put the user into
the same OU as the server, then the GPO works as it should. I read the
whitepaper "locking down win2k3 terminal server sessions". In the whitepaper
it sounds like all you have to do is put the TS server in the Locked down OU
and everyone who logs in will get the GPO applied. Maybe it only works with a
2003 AD? I can't remember if users have to be in the OU that has the GPO
linked to it or just having the server in there is good enough.

thanks
 
TE said:
Hi,

I have a 2000 native domain. I cannot get a GPO to work when users log in to a
new 2003 TS server I set up and moved into its own OU. If I put the user into
the same OU as the server, then the GPO works as it should.

GPO settings for USERs are linked to the User OU and GPO settings for
Computers are linked to the Computer OU if you want them to work.

TE said:
I read the whitepaper "locking down win2k3 terminal server sessions". In the
whitepaper it sounds like all you have to do is put the TS server in the
Locked down OU and everyone who logs in will get the GPO applied.

Yes, as far as the COMPUTER portion (top half) of that GPO is concerned but
not the settings in the (lower half) User portion.

TE said:
Maybe it only works with a 2003 AD? I can't remember if users have to be in
the OU that has the GPO linked to it or just having the server in there is
good enough.

Depends on the portion of the settings you care about.

GPOs work almost exactly the same in 2003 as in 2000 (primarily with the
addition of WMI scripts in 2003).

You can however set a "loopback policy" in the Computer OU to get the
settings applied "As If" the user were in the same OU as the Computer.
(Domain and OU settings will be re-applied to the user based on the
Computer location.)
 
Herb Martin said:
GPO settings for USERs are linked to the User OU and GPO settings for
Computers are linked to the Computer OU if you want them to work.

Yes, as far as the COMPUTER portion (top half) of that GPO is concerned but
not the settings in the (lower half) User portion.

This is what I thought, but the white paper has me confused because it sounds
like it would apply the user-based policies also. Maybe I'm just reading it
wrong. Here is a copy and paste from the whitepaper pg 2:

Here are two recommendations for implementation of group policies:
1. User accounts are placed into the locked down OU.
Create Terminal-Server-only user accounts and place them in the locked down
OU. Allow user logons to the Terminal Server for only these users by using
the Terminal Server Configuration MMC snap-in. Instruct the users to only use
these accounts on the Terminal Server. If some computer restrictions are
necessary, disable loopback processing and place the Terminal Server computer
object into the OU. Aside from the restrictive computer policies, users can
have different levels of restrictions on the same Terminal Server. This
implementation allows Administrators to perform some operations on the
Terminal Server while users are active.
2. Only the Terminal Server computer object is placed into the locked down OU.
After installing and configuring all applications on the Terminal Server,
place the Terminal Server computer object into the locked down OU. Enable
loopback processing. All users who log on to the Terminal Server are then
restricted by user-based policies as defined by the locked down GPO,
regardless of the OU the user is located in. This can prevent many local
changes from being applied to the Terminal Server; however, the server can
still be remotely maintained. If administrators need access to the Terminal
Server, log off all users and temporarily restrict their logons to the
Terminal Server. Move the Terminal Server computer object out of the locked
down OU, then log on. Return the Terminal Server computer object to the
locked down OU, and re-enable user logins after maintenance is complete. This
implementation does not require users to have multiple user accounts. It can
also prevent configuration changes to the Terminal Server while it is in
production.


I'm trying to setup option 2.
 
TE said:
This is what I thought, but the white paper has me confused because it sounds
like it would apply the user-based policies also. Maybe I'm just reading it
wrong. Here is a copy and paste from the whitepaper pg 2:

You are either misreading the paper (likely) or it is just wrong.

This is just not how policies work.

TE said:
Here are two recommendations for implementation of group policies:
1. User accounts are placed into the locked down OU.
Create Terminal-Server-only user accounts and place them in the locked down
OU. Allow user logons to the Terminal Server for only these users by using
the Terminal Server Configuration MMC snap-in. Instruct the users to only use
these accounts on the Terminal Server. If some computer restrictions are
necessary, disable loopback processing and place the Terminal Server computer
object into the OU. Aside from the restrictive computer policies, users can
have different levels of restrictions on the same Terminal Server. This
implementation allows Administrators to perform some operations on the
Terminal Server while users are active.
2. Only the Terminal Server computer object is placed into the locked down OU.
After installing and configuring all applications on the Terminal Server,
place the Terminal Server computer object into the locked down OU. Enable
loopback processing. All users who log on to the Terminal Server are then

Above is the critical part you missed: Loopback processing must be enabled
for the Computer-OU linked policies to be applied to the User.

As I mentioned in the previous response:
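The loopback setting Herb describes in both of his replies (and that the whitepaper's option 2 relies on), as an added worked example that is not part of any post in this thread. It uses the GroupPolicy PowerShell module (GPMC / RSAT on Windows Server 2008 R2 or later); on a 2000/2003 domain the same setting is made by hand in GPMC under Computer Configuration > Administrative Templates > System > Group Policy > "User Group Policy loopback processing mode". The GPO name "Locked Down TS" is a placeholder, and the GPO is assumed to be linked to the OU that holds the terminal server's computer object.

```powershell
# Added example, not from the thread or the whitepaper. Assumes the GroupPolicy
# module and a GPO (placeholder name 'Locked Down TS') linked to the OU that
# contains the terminal server's computer object.
Import-Module GroupPolicy

# Loopback is a COMPUTER-side setting, stored in the GPO as a registry policy:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode
#   1 = Merge   : the user's own GPOs apply first, then the user settings of the
#                 GPOs in scope of the COMPUTER apply on top and win on conflict
#   2 = Replace : only the user settings of GPOs in scope of the COMPUTER apply
# The whitepaper's option 2 (only the TS computer object in the locked-down OU)
# wants Replace, so every user who logs on gets the locked-down user settings
# regardless of which OU their user object sits in.
function Set-TsLoopback {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet('Merge', 'Replace')] [string] $Mode = 'Replace'
    )
    $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
    $key   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

    Set-GPRegistryValue -Name $GpoName -Key $key `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null

    # Read it back from the GPO (SYSVOL) so a typo in the key path is caught
    # now rather than at the next user logon that silently gets no policy.
    $stored = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
    if ($stored.Value -ne $value) {
        throw "Loopback value not stored in GPO '$GpoName' (got '$($stored.Value)')"
    }
    "Loopback mode $Mode ($value) set in GPO '$GpoName'"
}

# Run this ON the terminal server once the GPO is linked to the server's OU.
# The server reads UserPolicyMode only during COMPUTER policy refresh, and a
# user only gets the re-evaluated user settings at their next logon, so:
# refresh computer policy (or reboot), then log a test user off and on again.
function Test-TsLoopback {
    gpupdate /target:computer /force | Out-Null
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
               -ErrorAction SilentlyContinue
    switch ($sys.UserPolicyMode) {
        2       { 'Loopback: Replace (user settings come from the computer OU GPOs only)' }
        1       { 'Loopback: Merge (user OU GPOs plus the computer OU user settings)' }
        default { 'Loopback: NOT in effect; user-side settings of the computer OU GPO will not apply' }
    }
}

Set-TsLoopback -GpoName 'Locked Down TS' -Mode Replace   # run on the admin workstation
# Test-TsLoopback                                        # run on the terminal server
```

After a test user logs on to the terminal server, `gpresult /scope user /v` (available on Windows Server 2003) should list the locked-down GPO among the user's applied GPOs even though the user object is not in that OU; if the GPO shows up only under the computer section, loopback is not in effect yet (most often because computer policy has not refreshed or the user has not logged off and on). One practitioner caveat: in loopback mode the user settings are still security-filtered against the logged-on user, so denying "Apply Group Policy" on the locked-down GPO to an administrators group is the usual alternative to the whitepaper's routine of moving the computer object out of the OU every time an admin needs to log on.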
 